Friday, 17 August 2007

DNS rebinding

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption.

What is the hell of this?

It is DNS Princeton or rebinding.

DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. The basis of the attack is rather old. It was described by the Princeton University in 1996.

What is the same-origin policy?

The same origin policy prevents document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

URL

Outcome

Reason

http://store.company.com/dir2/other.html

Success

http://store.company.com/dir/inner/another.html

Success

https://store.company.com/secure.html

Failure

Different protocol

http://store.company.com:81/dir/etc.html

Failure

Failure Different port

http://news.company.com/dir/other.html

Failure

Failure Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement: 

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html.

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.

What are open network proxies?

Generally, a proxy server allows users within a network group to store and forward internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled. With an "open" proxy, however, any user on the Internet is able to use this forwarding service. By using some open proxies (the so-called "anonymous" open proxies), users can conceal their true IP address from the accessed service, and this is sometimes used to abuse or interrupt that service, potentially violating its terms of service or the law; open proxies are therefore often seen as a problem. It is possible for a computer to be running an open proxy server without knowledge of the computer's owner. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose.

What this attack can do?

  • Circumvent firewalls to access internal documents and services.
  • Sending spam and defrauding pay-per-click advertisers.
  • Obtain the (internal) IP address of the hosting web browser
  • Port scan the LAN to locate intranet http servers
  • Fingerprint these http servers using well known URLs
  • And (sometimes) to exploiting them via CSRF (Cross-site request forgery).

How DNS Rebinding Works

DNS rebinding allows an attacker to completely bypass the same origin policy. It does this by dynamically switching the target IP address for a host name the attacker controls. One scenario might work like this:

  1. You connect to egyptrose.com, which resolves to IP 69.17.8.14 with a very short TTL, 1 or 2 Sec,.
  2. 69.17.8.14 delivers some Javascript code to your browser to execute in 15 seconds approximately, but check the reference for accurate time period.
  3. The DNS server in control of *.egyptrose.com immediately points attacker.example.com to 192.168.2.1
  4. 15 seconds later, the Javascript on your browser connects to egyptrose.com, in compliance with the same origin policy, and retrieves a web page from your internal server at 192.168.2.1
  5. The DNS server resets egyptrose.com to 69.17.8.14 and after some period of time, your browser reconnects and sends 69.17.8.14 its findings.

Socket in FLASH

FLASH has the Socket class in the new version of FLASH Player ( version 9.0 or higher, ActionScript 3.0 ). --Quoted from the documentation-- The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols. ---- This is really great for the attackers. With Anti-DNS Pinning + Socket, the attackers can... - Scan any IP addresses and any ports in intranets ( and the Internet ). - Make the users browser send shellcodes to any hosts. - Make the users browser send spam emails. - Use the users browser as a proxy ( stepping stone ). - Break any IP address based authentication. - Exploit protocols other than HTTP. ... and maybe more.

. Java Applet Java Applet is relatively secure because the Java VM "pins" DNS by default. Sun's engineers know DNS Spoofing attack. InetAddress Javadoc --Quoted from the documentation-- The positive caching is there to guard against DNS spoofing attacks ... networkaddress.cache.ttl (default: -1) A value of -1 indicates "cache forever". ---- But in some situations( LiveConnect or Using browser with proxy enabled ), Java Applet is vulnerable to the Anti-DNS Pinning attack as well.

Defending Against DNS Rebinding

There have been a number of suggestions made as far as:

· defending your network against this kind of attack, including disabling the Flash plug-in, JavaScript and any other plug-ins.

· using a personal firewall to restrict browser access to ports 80 and 443

· And making sure all your web sites have no default virtual host, but instead require a valid Host header.

· For information about defenses, please read this paper “Protecting Browsers from DNS Rebinding Attacks

References:

  1. Slashdot
  2. Wikipedia
  3. SPIDynamic
  4. Princeton University, Department of Computer Science
  5. Flash scanning.
Posted by at

1 comment:

Ayman Galal said...

From Dan Kaminsky’s presentation, Director of Penetration Testing, IOActive:

Mechanisms for rebinding an address

• Lots of ways to use a rebind, but how do you achieve it in the first place?
– How do you cause the DNS infrastructure to accept your change of address?
– The entire architecture is designed to cache across hours to days, not to be swappable in seconds
• Three mechanisms
1. Temporal
2. Spatial
3. Ridiculous

1. Temporal Modulation

• DNS records have a TTL field – lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
– Declare a 0 TTL and records will supposedly not cache
– Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
• Problem: Some networks won’t respect your low TTL. Some networks brag about that ;)
– You could wait until the network-enforced minimum TTL expires, but that takes time

2. Spatial Modulation

• DNS responses can contain multiple addresses
• When bar.com is asked for its IP address, it returns both its address and the address of the printer
– This can have a infinite TTL
• Problem: Which record will the browser choose?
– Totally random. L
• Solution: Try again
– Seriously.

Spatial Error Resolution

• Case 1: Browser wants external, gets internal
– Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though.
– Fix 2: Immediately after connecting, look for evidence in the connected session that we’ve actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success.
• The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly.
• Case 2: Flash/Java wants internal, gets external
– Fix: Look for magic token on incoming session. If magic token is returned, destroy the object and try again. If no token, retry the applet a couple times just in case there’s a extrusion firewall in the way.

3. Ridiculous Modulation

• People are trying to use DNS TTLs as a security technology
• DNS TTL’s are not a security technology
– Finally, something less a security technology than Virtual Machines J
• Overriding a TTL, if you control the record, turns out to be very easy, and this is by design
– When something wasn’t designed to be a security technology, don’t be surprised when it isn’t one

CNiping

• CNAME Records: DNS Aliases
– Instead of returning an address, return what the “Canonical”, or Official Name was, and then the address of that Canonical Name
– If you are allowed to be the resolver for that canonical name, your additional record overrides whatever’s already in the cache, even if the TTL hasn’t expired yet
• It’s not a bug.
• Works against most, but not actually all name servers
CNiping Demo[0]

• dig bar.foo.notmallory.com
bar.foo.notmallory.com. 111 IN A 10.0.0.0
• dig 1.foo.notmallory.com
;; ANSWER SECTION:
1.foo.notmallory.com. 120 IN CNAME bar.foo.notmallory.com
bar.foo.notmallory.com. 120 IN A 10.0.0.0

CNiping Demo[1]

• dig 2.foo.notmallory.com
2.foo.notmallory.com. 120 IN CNAME bar.foo.notmallory.com.
bar.foo.notmallory.com. 120 IN A 10.0.0.1
• dig bar.foo.notmallory.com
bar.foo.notmallory.com. 118 IN A 10.0.0.1

Reference: http://www.doxpara.com/DMK_BO2K7_Web.ppt

17 August 2007 at 03:17

Post a Comment

Subscribe to: Post Comments (Atom)