A new class of DNS vulnerabilities affecting many DNS-as-Service platforms

Presented at DEF CON 29 (2021), Aug. 7, 2021, 12:30 p.m. (20 minutes)

We present a novel class of DNS vulnerabilities that affects multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM hashes. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received sensitive information carried by DNS update queries from ~1M Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, there were more than 20,000 endpoints that actively leaked their information out of the organization. We will review possible mitigations to this problem and solutions for both DNSaaS providers and managed networks.

References:

  • Microsoft Windows DNS Update algorithm explained: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003
  • An excellent blog post by Matthew Bryant on hijacking DNS updates by abusing a dangling-domain issue on Guatemala's top-level domain: https://thehackerblog.com/hacking-guatemalas-dns-spying-on-active-directory-users-by-exploiting-a-tld-misconfiguration/
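The abstract says the leaked data travels in DNS update queries and that managed networks can mitigate on their side. The following is an added example, not code from the Wiz researchers or from the talk: it builds a Windows-style RFC 2136 DNS UPDATE on the wire, parses it the way a sniffer on the receiving nameserver would (recovering the zone, the computer name and the internal address the abstract describes), and then applies the one check a network sensor can make without knowing the provider's side of the bug: a dynamic update whose destination is outside the organization's own address ranges is leaving the organization. The zone name, host name, addresses and the internal ranges are constructed; how an update comes to be routed to a DNSaaS nameserver is not modeled, since the abstract does not spell that out.

```python
"""Build and dissect an RFC 2136 DNS UPDATE, then flag updates that leave the org.

Added example, not code from the talk. All names, addresses and the
INTERNAL_NETS list are constructed for illustration.
"""
import ipaddress
import struct

OPCODE_UPDATE = 5                      # RFC 2136 opcode value
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1

# Constructed: the address ranges this hypothetical organization owns internally.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a wire-format name at buf[off]; returns (name, offset after name)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                      # RFC 1035 4.1.4 compression pointer
            ptr = ((ln & 0x3F) << 8) | buf[off]
            labels.append(decode_name(buf, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_update(zone, host, ip, ttl=1200, msg_id=0x1234):
    """Minimal UPDATE: one zone entry, no prerequisites, one A record to add."""
    flags = OPCODE_UPDATE << 11                    # opcode sits in bits 11-14 of the flags word
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)   # ZO, PR, UP, AD counts
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = ipaddress.IPv4Address(ip).packed
    update_section = (encode_name(host)
                      + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                      + rdata)
    return header + zone_section + update_section


def parse_update(pkt):
    """Return the zone and the A records carried by an UPDATE, or None for other opcodes."""
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", pkt[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None
    zone, off = decode_name(pkt, 12)
    off += 4                                       # skip ZTYPE and ZCLASS
    records = []
    # Prerequisite and update sections share the RR layout; only updates carry data.
    for section in ("prereq",) * prcount + ("update",) * upcount:
        name, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if section == "update" and rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return {"id": msg_id, "zone": zone, "a_records": records}


def flag_leak(src_ip, dst_ip, pkt):
    """Sensor check: an UPDATE sent to an address outside INTERNAL_NETS is leaving the org."""
    info = parse_update(pkt)
    if info is None:
        return None
    dst = ipaddress.ip_address(dst_ip)
    info["src"] = src_ip
    info["external_destination"] = not any(dst in net for net in INTERNAL_NETS)
    return info


if __name__ == "__main__":
    # Constructed sample: a workstation registering itself, observed on the wire.
    pkt = build_update("corp.example", "ws-1234.corp.example", "10.20.30.40")
    for dst in ("10.0.0.53", "203.0.113.53"):     # internal DNS vs. an outside nameserver
        print(dst, flag_leak("10.20.30.40", dst, pkt))
```

The parser deliberately ignores prerequisite records and non-A updates so that it only reports what the abstract names as leaked (computer name and address); extending it to PTR or AAAA updates is a matter of adding record types to the filter. On a real sensor the destination check would be driven by the organization's own address inventory rather than the three RFC 1918 blocks hard-coded here.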

Presenters:

  • Ami Luttwak - CTO, Wiz
    Ami Luttwak is a serial entrepreneur, an experienced cyber security CTO and a hacker by heart. Mainly interested in cloud security and cloud exploits, understanding how the cloud is built to uncover its weaknesses. Currently CTO of Wiz, the fastest growing unicorn in cloud security, prior to that led research as CTO of Microsoft cloud security and prior to that founded Adallom, a pioneering cloud security startup acquired by Microsoft in 2015. @amiluttwak
  • Shir Tamari - Head of Research, Wiz (Wiz.io)
    Shir Tamari is a security and technology researcher, specializing in vulnerability research and practical hacking. Works as Head of Research at the cloud security company Wiz. In the past, he served in the Israeli intelligence unit, and in recent years has led a variety of research and security products in the industry. Shir's interests include Android, Linux Kernel, Web hacking and Blockchain. @shirtamari
