DNS Rebinding and Socket API
Kanatoko

DNS Rebinding Overview (1)
- One of the attack vectors
- Not a bug in a particular piece of software
- All kinds of operating systems may be affected
  - Windows, Linux, Mac OS X ...
- There are no patches
- It arises from the relationship between web servers, DNS servers and proxy servers
- A real threat
- Your system may be vulnerable

DNS Rebinding Overview (2)
- Eve controls Alice's web browser
  - and makes it do something
    - Stealing information
    - Making Alice attack others
- Not a direct attack against the servers
- Not an attack against the DNS servers

How is the attack deployed?
- Deployed when Alice visits Eve's trap page
  - Same as XSS and CSRF
- Alice is unaware of it
  - Social engineering using e-mails, BBS posts and comments on blogs
- It is difficult to tell whether a page is a trap or not
- Sometimes hacked web sites (of famous companies, for example) are used to deploy the attack

Technologies used in DNS Rebinding
- JavaScript
- Java
- FLASH
- Malicious code starts running in Alice's browser
- But there are security constraints
  - For example: it cannot read from or write to local files
- Each of these technologies has a network access function

When Alice visits Eve's page... (1)
- Eve's malicious code starts running and accesses the network
- JavaScript
  - Gets resources using XMLHttpRequest, the SCRIPT tag and the IMG tag (HTTP)
- FLASH
  - URLLoader (HTTP)
  - Socket (TCP)
- Java
  - URLConnection (HTTP)
  - Socket (TCP)
  - DatagramSocket (UDP)

When Alice visits Eve's page... (2)
- Of course there are security constraints on the network access functions
- They can access only the origin host on which the Java applets (.class, .zip, .jar), FLASH SWF files and web pages are located
- Known as the "Same Origin Policy"

DNS Rebinding attack vector (1)
- Eve owns the top level domain "eve.tld"
- So Eve controls the DNS server of "eve.tld"
- Eve runs a web server at “ ” and places the malicious code there
- Eve binds “ ” as the address of the hostname “ ”
- Eve sets a very short value (for example, 8 seconds) as the TTL of the DNS record
- Alice tries to access Eve's trap page located at “ ”
- The first name resolution is done by Alice and “ ” is returned from Eve's DNS server
- Alice's browser loads Eve's trap page
- Soon the TTL expires
- At the same time, Eve changes the configuration of the DNS server and binds “ ” as the address of the hostname “ ”

DNS Rebinding attack vector (2)
- Eve's malicious code in Alice's browser tries to access “ ”
- The second name resolution is done by Alice. This time “ ” is returned from Eve's DNS server
- The code accesses “ ”
- Though “ ” is not Eve's host, the code is allowed to access “ ” because the hostname is “ ” (same origin)
- As the example above shows, DNS Rebinding enables Eve to access addresses like “ ”, which of course should not be accessible to her

What is DNS Pinning?
- Only FLASH is vulnerable to the DNS Rebinding attack vector explained on the previous page
- The other two technologies (JavaScript and Java) cache the DNS information in their own ways
  - The TTL does not expire. This behavior violates the DNS protocol
  - It is called "DNS Pinning"
- Sun Microsystems implements DNS Pinning in Java as a countermeasure to DNS Rebinding (or DNS Spoofing)
  - On the other hand, the browser vendors (Microsoft, Mozilla.org and Opera) do not seem to be so conscious of DNS Rebinding
- Eve needs to make Alice discard the cached DNS information in order to execute DNS Rebinding
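The attack vector on the previous two slides and the pinning behavior described here, modelled in Python as an added example (this is not code from the presentation): a constructed authoritative server answers for one hostname with the slide's 8-second TTL and changes its answer once that TTL has elapsed, and a client-side cache either honors the TTL (as FLASH does) or pins the first answer (as Java does). The hostname `www.eve.example` and the addresses are constructed placeholders; the point it shows is that the hostname-only same-origin check passes in both cases, and only pinning keeps the second request on the original address.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

HOSTNAME = "www.eve.example"   # constructed, stands in for Eve's hostname
PUBLIC_IP = "203.0.113.10"     # constructed, stands in for Eve's web server
INTRANET_IP = "192.168.1.1"    # constructed, stands in for a host on Alice's intranet
TTL_SECONDS = 8                # the example TTL from the slide


class AuthoritativeServer:
    """Eve's DNS server: the answer for HOSTNAME depends on when it is asked."""

    def __init__(self, switch_at: float) -> None:
        self.switch_at = switch_at   # clock time after which the name is rebound

    def resolve(self, name: str, now: float) -> Tuple[str, int]:
        if name != HOSTNAME:
            raise KeyError(name)
        ip = PUBLIC_IP if now < self.switch_at else INTRANET_IP
        return ip, TTL_SECONDS


@dataclass
class ClientResolver:
    """Browser- or plugin-side resolver cache. pin=True models DNS Pinning."""

    server: AuthoritativeServer
    pin: bool
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def lookup(self, name: str, now: float) -> str:
        entry = self.cache.get(name)
        if entry is not None:
            ip, expires = entry
            if self.pin or now < expires:   # pinned: the TTL is never consulted again
                return ip
        ip, ttl = self.server.resolve(name, now)
        self.cache[name] = (ip, now + ttl)
        return ip


def same_origin_allows(page_host: str, target_host: str) -> bool:
    """The Same Origin Policy compares hostnames, never the addresses behind them."""
    return page_host == target_host


def simulate(pin: bool) -> Tuple[str, str, bool]:
    """Return (address at page load, address at the script's later access,
    whether the hostname-only origin check allowed that access)."""
    server = AuthoritativeServer(switch_at=TTL_SECONDS)   # Eve rebinds once the TTL has elapsed
    client = ClientResolver(server, pin=pin)
    first = client.lookup(HOSTNAME, now=0.0)                 # page load
    second = client.lookup(HOSTNAME, now=TTL_SECONDS + 1.0)  # the script's later request
    return first, second, same_origin_allows(HOSTNAME, HOSTNAME)


def rebound(pin: bool) -> bool:
    """True if the allowed second request went to a different address than the first."""
    first, second, allowed = simulate(pin)
    return allowed and first != second


if __name__ == "__main__":
    for pin in (False, True):
        first, second, allowed = simulate(pin)
        print(f"pinning={pin}: {first} -> {second}, "
              f"same-origin check passed={allowed}, rebound={first != second}")
```

Running the block prints one line per policy: without pinning the second request lands on the intranet address while the origin check still passes; with pinning the cached answer is reused and the address never changes.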

What is Anti-DNS Pinning (1)
- Making Alice discard the pinned DNS information
- Can be applied only to JavaScript
  - FLASH does not pin DNS at all
  - Java never discards the pinned DNS information. Java is immune to Anti-DNS Pinning
- Martin Johns notified the security community of this issue in August 2006

What is Anti-DNS Pinning (2)
- If an access to the server fails after an appropriate period has elapsed, the browser discards the pinned DNS information and performs a second name resolution
  - Change the firewall rule
  - Shut down the web server
  - Make Alice access a closed port
- Anti-DNS Pinning makes it possible for Eve to force Alice to perform the second name resolution. Eve can then launch DNS Rebinding
- Anti-DNS Pinning is a step used in DNS Rebinding (against JavaScript)

DNS Rebinding against JavaScript
- XMLHttpRequest is mainly used
- Get information from web servers that Eve cannot reach without DNS Rebinding, and send it to Eve's host
- The targets are only web servers because HTTP is used in the communication
- It is not "Cross Domain" but "Cross Address". So the HTTP requests do not contain the Cookies and Authorization headers of the target web page
  - For this reason it is not used in CSRF. For the same reason it means almost nothing to force Alice to get information from the Internet. So the Intranet is the main target
  - There are some exceptions. If address-based authentication exists (for example, the countermeasure for the Universal PDF XSS issue), Eve may use DNS Rebinding to get information via Alice's browser
- Stolen information is sent to another of Eve's hosts. This is quite easy for Eve because there is no "Same Origin Policy" restriction on sending data with JavaScript

Demo: DNS Rebinding on JavaScript
- Get information from the Intranet and send it to “ ”
- I was skeptical about whether DNS Rebinding was a real threat when I read Martin's article for the first time
- It took me 20 hours to make this demo work stably
- A web application (JSP), a DNS server (djbdns) and JavaScript in the browser are used
- Uses the "closed port method" to launch Anti-DNS Pinning
- Special thanks to Kawa from Team Tidori

JavaScript on each browser
- On Firefox, the code needs to wait for about 2 minutes to launch Anti-DNS Pinning
- On IE6 and Opera, the code only needs to wait for the TTL value (a few seconds)
- IE7: not checked yet

Countermeasures for DNS Rebinding on JavaScript
- Require authentication for HTTP access
  - Basic authentication is enough
- Disabling JavaScript is perfect
- It is not a threat because easy and good countermeasures exist
- Of course the default usernames/passwords (of ADSL routers, for example) need to be changed

DNS Rebinding on FLASH and Java (1)
- Socket APIs are available
- Eve's code can implement any TCP-based protocol
- It is far more dangerous than DNS Rebinding on JavaScript
  - To any host on the Internet or the Intranet
  - With any TCP-based protocol
  - From Alice's browser
    - Port scanning
    - SPAM e-mails
    - Exploiting known vulnerabilities
    - File sharing networks
    - DoS attacks
    - Exploiting address-based authentication

DNS Rebinding on FLASH and Java (2)
- Eve can use Alice's browser as a TCP (or UDP) proxy, because Eve's malicious code can send and receive data at any time through another host like "www2.eve.tld", even in a DNS-rebound situation
- Alice's system (or network) could be both a victim and an assailant

DNS Rebinding on Java (1)
- Sun's Java Virtual Machine
- The code runs under a security restriction called the "Sandbox"
- The host that a Java applet is allowed to communicate with over the network is the origin of the applet. It is not the origin of the web page
- The Socket class (TCP) and the DatagramSocket class (UDP) are available
- Binary data can be sent and received
- Caches the DNS record until the termination of the process (forever). It is a very strong DNS Pinning
  - Apparently violates the DNS protocol. It causes trouble when you implement server applications such as an SMTP server in Java
  - The JVM parameter "networkaddress.cache.ttl" lets you control this behavior. But even in this case the TTL value of the DNS record is ignored
  - The "networkaddress.cache.ttl" parameter cannot be set from a Java applet

DNS Rebinding on Java (2)
- There was a related issue
- There is no configuration like "Disable sockets in Java applets"
- We cannot remove the Socket class from Java because it is also used in the download process of the applet
- Java downloads the applet by itself. It does not rely on the browser
  - So the browser's cache is not used when the applet is downloaded by Java
  - Java does the name resolution for the download
- The point is that Java does the name resolution BEFORE the applet has been downloaded
  - And the result of that name resolution will be cached forever

DNS Rebinding on Java (3)
- If Eve's DNS server returns the fake IP address as the result of Alice's name resolution, the Java applet will not be downloaded and the attack will fail
- If Eve's DNS server returns the correct IP address as the result of Alice's name resolution, the Java applet will be downloaded properly. But Eve cannot rebind the IP address because Alice's Java caches the result of the first name resolution forever. The attack will fail as a result
- In both cases the attack fails
- Only users behind proxy servers are vulnerable
  - Business users in a corporate network with an application proxy gateway are more vulnerable than home users behind NAT

DNS Rebinding on Java (4)
Make the proxy server cache the Java applet before Java is activated:

    // make the proxy cache the applet
    var foo = new Image();
    foo.src = "";                     // applet URL (elided on the page)
    // wait for the TTL to expire
    setTimeout( 'f1()', 1000 * 12 );
    // add the applet tag to the page
    function f1() {
        var base = document.getElementById( "base" );
        var str = ' ' + ' ' + ' ';    // applet tag markup (elided on the page)
        base.innerHTML = str;
    }

DNS Rebinding on Java (5)
- The download of the Java applet is done by the proxy server, even though Java does a name resolution and a spoofed IP address is returned. The cached copy of the Java applet in the proxy server is returned to Alice's Java, and Eve's malicious code starts running successfully

- The request of the browser:

    GET /exploits/MTCPCApplet.class HTTP/1.0
    Accept: */*
    Referer:
    Accept-Language: ja
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR )
    Host: jumperz.net
    Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
    Connection: Keep-Alive

- The request of the Java applet:

    GET /exploits/MTCPCApplet.class HTTP/1.1
    User-Agent: Mozilla/4.0 (Windows ) Java/1.6.0_02
    Host: jumperz.net
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
    Connection: keep-alive

Demo: DNS Rebinding on Java
- Scan some ports, retrieve the banner from the server, and send the result to “ ”
- Works on IE, Firefox and Opera
- Works only for users behind a proxy

Countermeasures for DNS Rebinding on Java (1)
- Disabling Java
- Restrict the ports that may be connected to, using personal firewalls (for example: only 80 and 443)
- Require authentication for every protocol used on the Intranet
- Patch known vulnerabilities
- Use a firewall to find and stop outgoing attacks (for example UDP 53 DoS)
- It is not easy to find malicious Java code at the gateway or with an IDS or IPS because the Java applet class file could be zipped into .zip and .jar files

Countermeasures for DNS Rebinding on Java (2)
Set up a JRE used only for Java applets and patch the SecurityManager class:

    public void checkConnect(String host, int port) {
        if (host == null) {
            throw new NullPointerException("host can't be null");
        }
        host = " ";   // patched line: the host is overridden here (value elided on the page)
        if (!host.startsWith("[") && host.indexOf(':') != -1) {
            host = "[" + host + "]";
        }
        if (port == -1) {
            checkPermission(new SocketPermission(host,
                SecurityConstants.SOCKET_RESOLVE_ACTION));
        } else {
            checkPermission(new SocketPermission(host + ":" + port,
                SecurityConstants.SOCKET_CONNECT_ACTION));
        }
    }

DNS Rebinding on LiveConnect
- Works only if both Java and JavaScript are enabled
- One can write Java code inside JavaScript code
  - var s = new java.net.Socket( " ", 25 )
- It is a part of the "LiveConnect" technology
- Not supported on IE
- Eve can send the malicious Java code to Alice before Java is activated
  - Users NOT behind a proxy are also vulnerable
- Opera's implementation of LiveConnect seems to have some bugs
- Firefox is the most dangerous browser

Demo: DNS Rebinding on LiveConnect
- A collaboration between Martin Johns and me
- Scan some ports, retrieve the banner from the server, and send the result to “ ”
- Works on Firefox and Opera

Countermeasures for DNS Rebinding on LiveConnect
- The same as those for Java

DNS Rebinding on FLASH (1)
- The Socket class is available from ActionScript 3.0
  - Can communicate with a server using a TCP-layer protocol
  - Binary data can be sent and received
  - Works on Flash Player 9.0 or later
- The host that FLASH is allowed to communicate with over the network is the origin of the FLASH .swf file. It is not the origin of the web page
- FLASH does not implement DNS Pinning at all
  - The DNS information is discarded after the TTL has elapsed
  - DNS Rebinding on FLASH is very easy
- It is a threat that FLASH has added the Socket class, because FLASH is one of the most widely used plugins. Many users enable FLASH in their browsers
- There is no configuration like "Disable sockets in FLASH"

DNS Rebinding on FLASH (2)
An example of using the Socket class:

    import flash.events.Event;
    import flash.net.Socket;

    private var sock1:Socket;

    private function test1():void {
        // assign the field rather than a local variable, so onConnected can use it
        sock1 = new Socket();
        sock1.addEventListener( Event.CONNECT, onConnected );
        sock1.connect( " ", 80 );   // host (elided on the page)
    }

    private function onConnected( e:Event ):void {
        sock1.writeMultiByte( "GET / HTTP/1.0\r\n\r\n", "ISO " );   // charset name truncated on the page
        sock1.flush();   // buffered data is not sent until flush()
    }

DNS Rebinding on FLASH (3)
- Can connect only to ports above 1024 by default. This is a difference between FLASH and Java
- Policy-loading is required to connect to ports below that limit. This is done using FLASH's own TCP-based protocol
  - Policy-loading succeeds behind NAT
  - Eve could use port 443 for policy-loading
- Detecting the network traffic of policy-loading with an IDS or IPS would have some value
  - An example signature (Snort):
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FLASH Socket policy-file-request"; flow:to_server,established; content:" "; nocase; )

DNS Rebinding on FLASH (4)
An example of the policy-loading code and the resulting traffic:

    // load the policy using port 2
    flash.system.Security.loadPolicyFile( "xmlsocket://" );   // host and port (elided on the page)

- From client to server:
- From server to client:

Demo: DNS Rebinding on FLASH
- This demo made the security community aware of the existence of the Socket class in FLASH
- Works on Flash Player 9.0 or later
- Cannot scan ports under 1024 in a non-NAT network because of the FLASH policy-loading mechanism
- Scan some ports, retrieve the banner from the server, and send the result to “ ”

Countermeasures for DNS Rebinding on FLASH (1)
- Disabling FLASH
- The same as those for Java

Countermeasures for DNS Rebinding on FLASH (2)
- Patch the .dll or .ocx files
  - Overwrite the "call" instruction to the "connect" winsock API
- Almost no side effects (you can still watch YouTube)
(Slide figures: disassembly BEFORE and AFTER the patch)

Dynamic DNS and DNS Pinning
- At some point an IP address is used by Bob's web server
- Alice visits Bob's web site
- Bob's connection is lost and he reconnects to the Internet; the IP address of Bob's server has changed
- Soon Bob rebinds the new IP address to his hostname using some Dynamic DNS system
- Eve gets Bob's old IP address (assigned by the ISP with DHCP)
- If Alice has pinned the DNS information of Bob's hostname, Alice's HTTP requests will be sent to Eve's web server. Of course they should be sent to Bob's web server
- In this case Eve can get Alice's session id from the cookie and hijack her session
- This can happen to every web site because every service based on DNS is "dynamic" in the long term
- It means that DNS Pinning may cause another security problem

Countermeasures on all 3 technologies
- Monitoring DNS packets (is there any good system for this purpose?)
  - Change of IP address within a short period
  - Especially from a global IP to a private IP
  - It is hard to find DNS Rebinding attacks from the TTL values because very short TTL values are widely used
- The Firefox plugins are useful (NoScript, FlashBlock etc.)
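One way to do the DNS monitoring suggested on this slide, written here as an added example (it is not code from the presentation or from any existing monitoring product): the detector reads resolver log lines in a constructed one-answer-per-line format, which is an assumption and not a real resolver's output, and raises an alert when a client's answer for a name moves from a global address to a private, loopback or link-local address within a short window. As the slide says, a short TTL by itself is not treated as a signal, so the benign short-TTL entry that flips between two global addresses is not flagged, and neither is a change that happens hours apart.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ranges treated as "private": RFC 1918, loopback and link-local, plus their IPv6
# counterparts. ipaddress.ip_address(...).is_private is deliberately not used,
# because it also classifies the documentation ranges in the sample log as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True if ip falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed log format (an assumption for this example, not a real resolver's output):
#   <unix_time> <client_ip> <qname> <rtype> <answer> ttl=<seconds>
SAMPLE_LOG = [
    "1000 10.0.0.5 cdn.example A 198.51.100.7 ttl=5",      # benign: CDN with a short TTL
    "1006 10.0.0.5 cdn.example A 198.51.100.8 ttl=5",      # benign: moves between global addresses
    "1010 10.0.0.5 www.eve.example A 203.0.113.10 ttl=8",  # trap page, first resolution
    "1020 10.0.0.5 www.eve.example A 192.168.1.1 ttl=8",   # rebound to an intranet address
    "1030 10.0.0.5 img.eve.example A 203.0.113.11 ttl=8",
    "1040 10.0.0.5 img.eve.example A 127.0.0.1 ttl=8",     # rebound to loopback
    "2000 10.0.0.6 slow.example A 203.0.113.20 ttl=3600",
    "9000 10.0.0.6 slow.example A 10.1.2.3 ttl=3600",      # change, but hours apart
]

Alert = Tuple[str, str, str, str]   # (client, qname, previous answer, new answer)


def parse_line(line: str) -> Tuple[float, str, str, str, str, int]:
    """Split one constructed log line into its fields."""
    ts, client, qname, rtype, answer, ttl = line.split()
    return float(ts), client, qname, rtype, answer, int(ttl.split("=", 1)[1])


def detect_rebinding(lines: List[str], window: float = 300.0) -> List[Alert]:
    """Flag (client, name) pairs whose answer moves from a global address to an
    internal one within `window` seconds of the previous answer."""
    last_seen: Dict[Tuple[str, str], Tuple[float, str]] = {}
    alerts: List[Alert] = []
    for line in lines:
        ts, client, qname, rtype, answer, _ttl = parse_line(line)
        if rtype not in ("A", "AAAA"):
            continue
        key = (client, qname)
        prev = last_seen.get(key)
        if prev is not None:
            prev_ts, prev_answer = prev
            if (ts - prev_ts <= window
                    and prev_answer != answer
                    and not is_internal(prev_answer)
                    and is_internal(answer)):
                alerts.append((client, qname, prev_answer, answer))
        last_seen[key] = (ts, answer)
    return alerts


if __name__ == "__main__":
    for client, qname, old, new in detect_rebinding(SAMPLE_LOG):
        print(f"possible DNS rebinding: {client} resolved {qname} {old} -> {new}")
```

The window is the only tunable: a resolver log from a busy network needs it short enough that ordinary address churn (CDNs, dynamic DNS) stays below it, and the global-to-internal direction is what separates rebinding from that churn.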

Other things
- DNS Rebinding is a really complicated problem
  - Web browsers
  - Plugins
  - DNS
  - Proxies
- A real threat
- We cannot find attacks if we are not prepared to find them
- Do we need some detection system for DNS Rebinding as a first step?
- We need more flexible configurations in the browsers
  - "Disable/Enable Sockets on Java/FLASH"
  - "IP address has changed" notification dialogs

Thank you! Any questions?