Black Ops 2007: Design Reviewing The Web

Dan Kaminsky, Director of Penetration Testing, IOActive, Inc.

Copyright IOActive, Inc. 2006, all rights reserved.

Introduction

• This is my seventh “Black Ops of TCP/IP” talk.
• Previous subjects have included:
  – Everything over SSH
  – Massive Speed Network Scanning
  – Everything over DNS
  – Pattern Analysis
  – Neutrality Verification
• New Target: The World Wide Web
  – Why?


That’s Not A Moon, That’s A Web Browser

© LucasFilm


Mobile Too!

© LucasFilm

Where The Wild Things Are

• Rampant and persistent XSS/XSRF announcements
• Superbowl .WMF 0-day
  – Two days before Superbowl, malicious image placed on web page
  – 1+M desktops compromised overnight
• DNS Rebinding Test By Dan Boneh’s Team at Stanford
  – Test flash applet placed on an Ad network, distributed across many web sites
  – Applet acquired partial network connectivity to client LAN
  – +100K networks exposed

These Are A Few Of My Favorite Things

• DNS…? Tunneling…? Behind Firewalls…?
  – “I try to get out, but they pull me back in!”
• DNS Rebinding is an old bug
  – Dates back to 1996
  – So old, people forgot about it, and started building systems that didn’t defend against it
• Dan Boneh of Stanford University’s been driving the most thorough research
  – Attack dates back to 1996 (“Princeton Attack”)
  – Martin Johns revived the attack in August 2006
  – RSnake’s been pushing a lot of attention its way
• Effect: DNS Rebinding partially breaks the security policy of the web.


How Does The Web Work?

• Web pages are pulled together in the browser, from pieces that can come from all over the place

– You can even embed one web page inside another one!

• This is an “IFrame”

– But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?

The Same Origin Policy

• “Look but don’t touch”
  – A web page can embed Hotmail, but it can’t “look inside” to see what’s happening
  – Access to “look inside” is controlled by the Same Origin Policy
  – If foo.com has an iframe to foo.com, it can look inside.
  – If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can’t peek inside and see what the user sees.
• “If two things come from the same place, they must be trusted the same”
  – Same place = Same name, right?

The Bug

• Names don’t host anything.
• Everything comes from IP addresses.
• We use DNS to translate between a name we trust and an IP address we communicate with
  – Foo.com -> 1.2.3.4
  – Bar.com -> 3.4.5.6
• Assumption: The translations don’t change
  – Reality: Both foo.com and bar.com can return any IP address, at any time, whether they control that IP or not
• Bar.com can return an IP address of Foo.Com’s

Now What?

• One moment, bar.com could point to a server in Europe
• The next moment, bar.com could point to the printer down the hall
• Suppose your browser loaded a page from each address
  – The content from the European server would be from bar.com
  – The content from the printer down the hall would also be from bar.com
  – According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
• The server can’t get past your corporate firewall…
• …but it doesn’t need to. It’ll tell your browser what to do, and your browser will report back with whatever your printer is up to.

Why The Attack Works

• Browser doesn’t know bar.com from the external IP is any different from bar.com from the internal IP
  – This is by design
  – Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
• Detecting that there’s a cross-IP scripting action happening is only the beginning – what to do after that is what people are trying to figure out.


What is the canonical attack here?

• Firewall Bypass

– Most corporate networks draw a significant distinction between the external network and the internal network

• Things inside can route out

• Things outside cannot route in

• By bouncing off a lured browser, an attacker on the outside can access resources on the inside

Levels of Exploitation

• Level 1: Browser-Only
  – One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
  – The Win: Arbitrary HTTP Sites
• Level 2: Web Plugins
  – MSXML* / XmlHTTPRequest / Silverlight
  – The Win: HTTP + Web Services + Semi-Arbitrary Headers
• Level 3: Socket Plugins
  – Flash / Java, though different resources available through each
  – The Win: Everything from L1+L2, plus various degrees of TCP or UDP access

Java

• Original Target of 1996 Princeton Attack
  – From Applet interface, can only get high-port UDP and TCP to the actual calling app
• More widely deployed than I thought
• LiveConnect
  – Ability for Javascript to call Sockets directly, without going through Applet interface
  – Totally rebindable – effect is high-port UDP and TCP to anyone
  – FireFox and Safari only though


Flash

• Has worked hardest to make arbitrary socket connections work when they’re supposed to

– Most mature security model in the industry

– They don’t handle rebinding well though

• Breaks what is otherwise a lot of really good work

• Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024

Mechanisms for rebinding an address

• Lots of ways to use a rebind, but how do you achieve it in the first place?
  – How do you cause the DNS infrastructure to accept your change of address?
  – The entire architecture is designed to cache across hours to days, not to be swappable in seconds
• Three mechanisms
  – Temporal
  – Spatial
  – Ridiculous

Traditional Rebinding: Temporal Modulation

• DNS records have a TTL field – lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
  – Declare a 0 TTL and records will supposedly not cache
  – Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
• Problem: Some networks won’t respect your low TTL. Some networks brag about that ;)
  – You could wait until the network-enforced minimum TTL expires, but that takes time

Another Rebinding Mechanism: Spatial Modulation

• DNS responses can contain multiple addresses
• When bar.com is asked for its IP address, it returns both its address and the address of the printer
  – This can have an infinite TTL
• Problem: Which record will the browser choose?
  – Totally random.
• Solution: Try again
  – Seriously.

Spatial Error Resolution

• Case 1: Browser wants external, gets internal
  – Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though.
  – Fix 2: Immediately after connecting, look for evidence in the connected session that we’ve actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success.
    • The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly.
• Case 2: Flash/Java wants internal, gets external
  – Fix: Look for magic token on incoming session. If magic token is returned, destroy the object and try again. If no token, retry the applet a couple times just in case there’s an extrusion firewall in the way.

Ridiculous?

• People are trying to use DNS TTLs as a security technology
• DNS TTLs are not a security technology
  – Finally, something less a security technology than Virtual Machines
• Overriding a TTL, if you control the record, turns out to be very easy, and this is by design
  – When something wasn’t designed to be a security technology, don’t be surprised when it isn’t one

CNiping

• CNAME Records: DNS Aliases
  – Instead of returning an address, return what the “Canonical”, or Official Name was, and then the address of that Canonical Name
  – If you are allowed to be the resolver for that canonical name, your additional record overrides whatever’s already in the cache, even if the TTL hasn’t expired yet
• It’s not a bug.
• Works against most, but not actually all name servers

CNiping Demo [0]

• dig 1.foo.notmallory.com

  ;; ANSWER SECTION:
  1.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com
  bar.foo.notmallory.com.  120  IN  A      10.0.0.0

• dig bar.foo.notmallory.com

  bar.foo.notmallory.com.  111  IN  A      10.0.0.0

CNiping Demo [1]

• dig 2.foo.notmallory.com

  2.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com.
  bar.foo.notmallory.com.  120  IN  A      10.0.0.1

• dig bar.foo.notmallory.com

  bar.foo.notmallory.com.  118  IN  A      10.0.0.1


Review

• By swapping addresses out from underneath a web browser, we can get arbitrary TCP (and sometimes UDP) access to hosts reachable by the client. What can we do with this?

– Can we VPN into corporate networks with nothing but a lured web browser?

• Sure! It’s easy!*

* Actually a pain in the ass, but heh


Concentration

• Three actors in this little dance

– The Browser, which has access to internal resources

– The Attacker, which wants access to those internal resources

– The Proxy, which sends code to the Browser to copy messages from the Attacker

• We will start with the Proxy, running software of my design. This software is called Slirpie.

Slirpie, The Proxy

• Multiprotocol Server, Built using POE
  – Accepts TCP streams for Browser delivery, containing routing data
  – Accepts HTTP requests for those routable streams
  – Accepts DNS requests to direct routing
  – Accepts XMLSocket requests to determine routing policy
    • For Flash
• The basic theme is – Attacker connects to Proxy, which manages the appropriate resources in Browser to service the Attacker’s connections.

A Bucket of Suckets

• Browser connects, establishes an IFrame called a “Bucket”
  – A bucket is a collection of connection managers
  – The bucket polls for new connections to establish
• Attacker connects to Proxy and requests a socket to 10.0.0.1, port 80.
• Browser Bucket retrieves list of new connections, compares against the previous list, notices one new demand for 10.0.0.1:80.
  – Bucket opens up a 2nd level IFrame for this new IP address.
    • The IFRAME SRC attribute for the 2nd level IFrame is set to 10.0.0.1.foo.proxydomain.com. For now, it still resolves to the Proxy’s address.
  – This 2nd level IFrame is called a “Sucket”.

Demo JSON (Looks Like TCP!)

  {
    "10.0.0.1" : {
      "3" : {
        "from_browser_seq" : -1,
        "server_state" : "CONNECTED",
        "from_browser_ack" : -1,
        "to_browser" : {
          "1" : "YQo=",
          "0" : "Zm9vCg==",
          "3" : "Ywo=",
          "2" : "Ygo="
        },
        "dport" : 80,
        "dproto" : 6,
        "browser_state" : "CONNECTING",
        "to_browser_seq" : 3,
        "to_browser_ack" : -1,
        "from_browser" : {
        }
      }
    }
  }

How many DNS requests does it take to get to the center of your corporate network?

• Javascript alone will not open this Socket. Flash is necessary.
  – HaXe, a metalanguage, is used to compile both a Flash object and a Javascript interface to it.
  – The Flash object is loaded, and directed to create a connection to 10.0.0.1:80
• QUERY ONE: Load the movie from 10.0.0.1.foo.proxyhost.com (actually Proxy’s IP)
• QUERY TWO: Load the security policy controlling <1024 port access from 10.0.0.1.foo.proxyhost.com (still Proxy’s IP)
• ARM THE REBIND: Tell the Proxy to return a different address with the next query, using a special HTTP query.
• QUERY THREE: Connect to 10.0.0.1.foo.proxyhost.com:80 (now finally returning 10.0.0.1).
  – Connection is in the applet loaded by the proxy, using the security policy provided by the proxy.


Managing Dataflows

• 1) Data is received by Flash – sent down into the Sucket’s DOM for eventual collection.

• 2) Bucket prepares to send an update to the Proxy. It visits each Sucket, and retrieves the latest list of updates.

• 3) Proxy receives the update, acknowledges reception, and sends any replies in the update response.

• 4) Bucket receives the response, and tells each Sucket to parse their replies and send() them up through Flash.


But What Of Domains?

• Each of those IFrames inside the bucket is in a different domain than the bucket itself.

– Why can they push stuff up, or pull stuff down?

• Same Origin Policy allows two subdomains from the same domain to explicitly claim support for one another

– So we do that.

– Thanks Same Origin Policy!


And that’s it!

• OK, a little bit of housekeeping for opening and closing sockets, and eventually entire suckets.

– Yeah, it’s a reimplementation of TCP in Javascript. Who else was going to write it?

• …but what about the attacker? How does he open sockets?


Does anyone remember this?

Back In The Day, When I Was Young I’m Not Runnin’ 95 Anymore

• SLiRP
  – 1995 era tool that turned shell connections (text only) into PPP connections (pretty pretty pictures)
  – Was old school when I used it in my talk back in 2001
  – What SLiRP actually does: Given a stream of packets, create sockets and send the data in the packets into the sockets
• SLiRP was Userspace NAT
  – Where to find SLiRP: Recent versions … uh … disappeared.
    • Found in my “ancient cool stuff” archive

SLIRP and PPTP

• PoPToP: Linux PPTP Daemon
  – PPTP: Horrifyingly hideous VPN protocol, ultimately uses a PPP encapsulated stream of packets
  – PoPToP can hand this PPP stream to SLiRP for termination
• Makes setting up a VPN link much easier
• Makes VPN’ing into a web browser possible.
• Normally, SLiRP would now handle sockets directly
  – What if, instead, it gave the socket requests to Slirpie?

The General Idea

• The Attacker runs applications that use sockets.
• The sockets get their traffic sent over PPTP to SLIRP.
• SLIRP provides a set of streams to the Proxy.
• The Proxy tells the Browser’s bucket to open appropriate suckets.
• The Browser opens suckets, which themselves provide sockets.
• The Proxy mediates traffic between the Attacker’s sockets and the Browser’s sockets.
• And it all just works.
  – Nessus over IE: Nessie!
  – WoW over IE: Wowie!
  – Any TCP-based protocol should work.

Impacts

• 1) Corporate firewalls are bypassable via lured browsers
  – Special case: Home router management interfaces are now fully exposed to every web page
• 2) Every browser is a proxy
  – No botnet necessary – just view this ad
  – Every browser can send SPAM
    • SMTP
    • HTTP
    • IM
  – Every browser can proxy Click Fraud


This is expensive ($1B to Google)

Other Attacks

• “Stealth Tor”
  – Nothing wrong with Tor, but consent is a good thing
  – People can be forced to be exit nodes for proxy networks
• Protect Network Neutrality
• P2P Networking
  – Java gives us UDP
  – UDP sockets are simultaneously clients and servers
  – May be able to repurpose rebindable UDP sockets for P2P in stock browser
• There’s more…

IP OVER SPAM

• Defcon 14, TCP/IP Drinking Game
  – “How would you get around the great firewall of China?”
    • “Correct Answer”: Drop all RST packets, ignore the firewall trying to shut you down
    • My Answer: Encapsulate data in SPAM.
• We have IP (or at least TCP) inbound
• We have SPAM outbound
• Uh…
  – You know, I was originally joking…

Fixing This: Possible?

• Flash: They’ll be able to fix their arbitrary TCP/UDP.
• Java: Unknown, but doesn’t work in IE
• Browsers Themselves: Possibly broken forever
  – Have to detect that there’s a cross IP script
  – Have to do something about it
• What can you do? People are using cross-IP scripting (one host, multiple IPs – Google, Yahoo, etc)
• Need those using cross-IP scripts to securely opt their addresses into a shared domain
• When can we enforce this? Some point in the long and distant future?

Mitigations [0]

• HOST Header Checking
  – Same Origin Policy was broken from the start.
  – Coincidentally, legitimate web browsers send a HOST header containing the domain the client thinks it’s talking to
    • Used for virtual hosting
    • “Let’s make a security technology out of it!”
    • Idea: Servers that don’t want to get DNS rebound can see that the client is sending it the wrong HOST header
  – Can’t work for devices, as devices don’t know their own name
  – Does sort of handle click fraud
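The HOST header check described on this slide, written out as an added example in Python (this is not Slirpie code and not from the talk): a small HTTP handler that compares the Host header a browser sent with an allowlist of names the server is actually known by, and refuses anything else. A rebound browser arrives carrying the attacker's name (or a bare IP), never one of ours. The hostnames, the listening port and the 421 status used for rejection are assumptions chosen for illustration.

```python
# Added example: "HOST header checking" as a server-side DNS-rebinding defence.
# Hostnames, port and sample requests are constructed for illustration.
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist: every name this service is legitimately reached by.
ALLOWED_HOSTS = {"intranet.example.com", "wiki.example.com"}

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names one of our own hostnames.

    A browser that has been DNS-rebound reaches us with the attacker's
    name in Host (e.g. 10.0.0.1.foo.proxydomain.com), or with none at all,
    so anything outside the allowlist is treated as a rebinding attempt.
    Bare IP literals are rejected too: legitimate clients use our name.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip a port suffix, taking care not to mangle an IPv6 literal.
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    elif host.count(":") == 1:
        host = host.split(":")[0]
    if host.endswith("."):
        host = host[:-1]
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False        # raw address, not one of our names
    except ValueError:
        pass
    return host in allowed

class HostCheckingHandler(BaseHTTPRequestHandler):
    """Answers 421 Misdirected Request when the Host header is not ours."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # Log it: a steady trickle of these from inside the LAN is the
            # observable signature of rebinding attempts against this host.
            self.log_message("rejected Host=%r from %s",
                             self.headers.get("Host"), self.client_address[0])
            self.send_response(421)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the intranet\n")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The check is cheap and needs no cooperation from the browser, which is the point of the slide, and the slide's caveat stands: it only works on a server that knows the names it is supposed to answer to, which a printer or home router does not.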


Mitigations [1]

• External to Internal Routing Checks

– Stop sites on the Internet from routing to targets on the Intranet

– Handles internal devices…sorta

• You have to know what “internal” means

• So, we can sorta fix some servers, and sorta protect some devices

– Browser as router will probably live forever.

– *sighs*
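The "external to internal routing check" on this slide, as an added example in Python (not from the talk and not part of Slirpie): a resolver-side filter that looks at the answer section of a DNS response for a name outside the organisation's own zones and drops it if any address lands in an internal range. Because it follows the CNAME chain inside the answer and looks at every address offered, it catches the three mechanisms from the earlier rebinding slides in one place: the straight swap, the spatial case (one public and one internal address in the same answer) and the CNAME-override case, and it raises an alert on a 0 TTL as the temporal candidate. The record layout, the list of what counts as "internal", the trusted zone and the sample answers (modelled on the talk's notmallory.com demo) are all constructed here.

```python
# Added example: resolver-side "external to internal" routing check.
# Record layout, internal ranges, trusted zone and sample answers are constructed.
import ipaddress

# Assumed definition of "internal" for this network. As the slide warns, the
# check is only as good as this list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Assumed: zones whose names may legitimately resolve to internal addresses.
TRUSTED_ZONES = ("example.com",)

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def in_trusted_zone(name):
    name = norm(name)
    return any(name == z or name.endswith("." + z) for z in TRUSTED_ZONES)

def resolve_chain(qname, answers):
    """Follow CNAMEs within one answer section.

    Records are (owner, ttl, type, rdata) tuples. Returns the final owner
    name and every A/AAAA address the response supplies for it, so the
    address an alias points at is judged exactly like a direct answer.
    """
    name = norm(qname)
    seen = set()
    while name not in seen:           # bounded: a CNAME loop stops here
        seen.add(name)
        targets = [r[3] for r in answers if norm(r[0]) == name and r[2] == "CNAME"]
        if not targets:
            break
        name = norm(targets[0])
    addrs = [r[3] for r in answers if norm(r[0]) == name and r[2] in ("A", "AAAA")]
    return name, addrs

def check_response(qname, answers):
    """Return (verdict, reason); verdict is 'allow', 'drop' or 'alert'."""
    if in_trusted_zone(qname):
        return "allow", "name is in a trusted zone"
    _, addrs = resolve_chain(qname, answers)
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        # Covers both a straight rebind and the spatial case, where one
        # public and one internal address are offered in the same answer.
        return "drop", "%s resolves to internal address(es) %s" % (qname, ", ".join(internal))
    if any(r[1] == 0 for r in answers if r[2] in ("A", "AAAA")):
        # A 0 TTL is legitimate but is also the classic temporal-rebinding setup.
        return "alert", "%s answered with a 0 TTL" % qname
    return "allow", "ok"

# Constructed sample answers, modelled on the talk's notmallory.com demo.
SAMPLE_CNAME = [
    ("1.foo.notmallory.com.", 120, "CNAME", "bar.foo.notmallory.com."),
    ("bar.foo.notmallory.com.", 120, "A", "10.0.0.1"),
]
SAMPLE_SPATIAL = [
    ("bar.foo.notmallory.com.", 3600, "A", "203.0.113.5"),
    ("bar.foo.notmallory.com.", 3600, "A", "10.0.0.1"),
]
SAMPLE_TEMPORAL = [("bar.foo.notmallory.com.", 0, "A", "203.0.113.5")]
SAMPLE_PUBLIC = [("www.example.net.", 300, "A", "198.51.100.7")]
SAMPLE_TRUSTED = [("printer.example.com.", 300, "A", "10.0.0.1")]

if __name__ == "__main__":
    for q, a in [("1.foo.notmallory.com", SAMPLE_CNAME),
                 ("bar.foo.notmallory.com", SAMPLE_SPATIAL),
                 ("bar.foo.notmallory.com", SAMPLE_TEMPORAL),
                 ("www.example.net", SAMPLE_PUBLIC),
                 ("printer.example.com", SAMPLE_TRUSTED)]:
        print("%-7s %s" % check_response(q, a))
```

This is the behaviour a resolver option such as dnsmasq's --stop-dns-rebind provides, and it protects devices that cannot check their own Host header because it never depends on the device at all. The slide's "sorta" is real, though: the filter is only as good as the definition of "internal", and it says nothing about a browser that is rebound to an address the filter considers public.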

Oh, People Are Interested In This Whole Network Neutrality Thing?

• I…was unaware this was such a hot button subject when I started developing tools to detect problems with it
  – First of all, we need to start using the correct language: We wish to detect Provider Hostility
    • If you’re sniffing my traffic, you’re hostile.
    • If you’re altering my traffic, you’re hostile.
    • If you’re censoring my traffic, you’re hostile.
    • If you’re selling my traffic, you’re very very hostile.
    • Would the military bomb you for doing it to them? You’re hostile. Deal.
  – RST injection, Comcast

What Do We Need To Detect Provider Hostility?

• Downloading data from two separate sites, at two separate speeds, unfortunately doesn’t tell us much
  – Too many factors are conflated to determine what one thing is causing the problem
• What we want: “Given identical network paths for two web sites, is the last mile provider hostile to content from one site vs. another?”
  – Detect differential speeds
  – Correct content injection


SOMEBODY is buying this stuff

• Everyone who knows anyone who makes routers knows that carriers are desperately trying to buy routers that support hostility.

• There are repeated news articles about ISPs replacing ads and companies setting themselves up as ad replacers

• Can we monitor the spread of this problem?

– Can we defend Online Advertising against the Times Square effect?

The Times Square Effect

• Movies that show Times Square replace all the ads.
  – No contractual obligation not to
  – No real expectation from the viewer that this is reality – it’s a movie
• Carriers are under no contractual obligation to host the web sites they say they are
  – “Provider In The Middle” attacks might very well be profitable!
• Web sites and ads
  – Users tolerate them
  – Businesses would pay dearly to be top ranked on Google
  – Google Times Squared would not be…good.

The Transparent Proxy Gem

• Some consumer networks have transparent proxies
  – These take all traffic outbound on Port 80 and coalesce onto a single proxy instance that uses the Host: header to route requests to the correct destination
  – Arbitrary TCP = Arbitrary Headers
  – So an attacker can go back to the IP address that provided the applet, and ask for Host: www.fark.com – it’ll get routed to Fark instead of to the original host
• What this means
  – Since the same infrastructure ultimately hosts all web content, all sites (once they’re cached in proxy) come from the same host
  – A speed test against this “transparent” (easily detectable) proxy for various sites will directly yield information about hostility

The Silent Censor Detector

• Even if there’s no transparent proxy, a filter box can still limit traffic for web requests with non-preferred Host: headers.
• Using Flash, we can impersonate being a Host: for any site on the Internet when we provide a speed check.
  – The thinking is that the attacker/provider won’t monitor the IP address used to contact Host: www.whatever.com, and will thus equally rate limit traffic with that Host: no matter what provider.


The Detectability Problem

• In every major networking company, I assume there is a protocol guy as ornery as I am

– “Oh yeah, well I’ll just detect him doing that…this way!”

• Is it possible to build a hostility detection system that uses traffic indistinguishable from real world traffic?

Well…

• We want to spoof sites on the Internet.
• We want to know what these sites would see.
• We want to be able to respond as if we were these sites.
• We don’t want the real sites to interfere with our interference.
• Good luck! That would require…sequence numbers.
  – We’d have to know where in the TCP stream an attacker was, and that’s clearly not possible…


OMG ACTIVEX FTW


PACKET CLAUS IS COMING TO TOWN

Introducing: INSPECTOR PAKKET

• What normally stops Mallory from pretending to be a random site on the Internet?
  – Mallory doesn’t know sequence numbers client will accept
  – Mallory has to compete with real server for the sending of data
• What do we have?
  – A sniffer that will leak sequence numbers to Mallory
• What can Mallory now do?
  – Send data to the client that it’ll accept
  – Send a RST to the server so it’ll shut down the session it has with the client

Go Pakket Go!

• About that RST…
  – RST is a TCP Reset message – it shuts down a socket rather unceremoniously
    • Requires correct SEQ#, but don’t worry, we have that
• When Mallory spoofs Bob to Alice, Alice is going to ACK to Bob
  – Normally, Bob will send RSTs back to Alice, since there’s no associated session
  – Thankfully, Bob is usually running a firewall that long since shut down its connection for Alice…and so drops all of Alice’s ACKs that have been stimulated by Mallory’s traffic!
• And just to be clear, how is Mallory getting those ACKs?
  – AJAcks: TCP Acks over AJAX

Go Go Pakket Pwn

• ‘The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.’
  – How creepy is that?
• Against this, given a colluding client, I can:
  • Impersonate anyone who doesn’t ACK my traffic
  • Generate arbitrary traffic that is completely indistinguishable from theirs
  • Provide deep packet inspectors with a whole new realm of content to inspect.
• I recommend inspecting this information. Deeply.

Conclusions

• DNS Rebinding threatens the boundaries of your network
  – There are multiple rebinding mechanisms and many major use cases for each of them; this will not be an easy problem to fix.
  – The web could use some real work on its underlying security models
• We may need to consider applying integrity, and perhaps encryption, to all web traffic due to provider hostility
• There are mechanisms for detecting such hostility that should be deployable shortly.


[extra slides]

Page 59:

My Process

• Sit down
• Relax
• Put some music on
• Start writing code
• Get totally distracted
– Write something completely different than intended
– Find out later why

Page 60:

A Fun Little Distraction

• “Dotplots??? WTF!”
– Best feedback I’ve ever gotten
• Dotplots are a mechanism for visually analyzing similarity across a dataset
– See last year’s talk for details

• So I decided to port last year’s talk to WinAMP.
– I’m listening to music
– I like pretty pictures
– I should like listening to music that generates pretty pictures!
• It’d be nice to code something that I’d never show at a security con!

Page 61:

The Chemical Brothers, “Where Do I Begin”

Page 62:

+30% vs. -30% tempo

Page 63:

LudiVu: Realtime Audio Visualizer

• Images are based directly on spectral similarity
– “How similar is what I’m hearing now, to what I’ve heard for the last n seconds?”
• Bass = Red
• Midrange = Green
• Treble = Blue
– Our auditory system almost certainly does this too
• Always good to match what the ear is up to
– Our auditory system almost certainly does this better
• Amazingly, apocalyptically naïve similarity metric!

Page 64:

What We See

• “Visual Hash” of auditory segments, based on mutual similarity/dissimilarity across frequencies
– Reflects overall timbre of what we’re hearing

• Vertical lines representing repeated structures in the music
– Lines close = Fast Tempo
– Lines far away = Slow Tempo

• Tradeoff between visual hash and structure detection
– Blur less, get better visual hashing
– Blur more, get better structure detection
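The spectral-similarity grid these two slides describe, sketched here as an added Python example (not LudiVu’s code): each frame’s spectrum is split into bass/mid/treble thirds (an assumed band split), every pair of frames is coloured by per-band similarity, and the brightest off-diagonal lag recovers the spacing of repeated structure. The frame size and the alternating-tone demo input are constructed.

```python
import cmath
import math

FRAME = 32  # samples per analysis frame (constructed toy size, not LudiVu's)

def band_energies(frame):
    """Split one frame's spectrum into (bass, mid, treble) energy via a naive DFT.
    Bands are the lower, middle and upper third of the positive bins (assumption)."""
    n = len(frame)
    mags = [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(frame)))
            for k in range(1, n // 2)]  # skip the DC bin
    third = len(mags) // 3
    return (sum(mags[:third]), sum(mags[third:2 * third]), sum(mags[2 * third:]))

def band_similarity(e1, e2, eps=1e-9):
    """Per-band similarity in [0, 1]: 1.0 when both frames carry equal energy there."""
    return tuple(1.0 if a + b < eps else 1.0 - abs(a - b) / (a + b) for a, b in zip(e1, e2))

def dotplot(frames):
    """N x N grid of (R, G, B) pixels: R = bass, G = mid, B = treble similarity of frames i, j."""
    energies = [band_energies(f) for f in frames]
    return [[tuple(int(255 * s) for s in band_similarity(ei, ej)) for ej in energies]
            for ei in energies]

def dominant_period(plot):
    """Lag (in frames) whose off-diagonal line is brightest: the spacing of the
    repeated structure, i.e. the line distance the slides read as tempo."""
    n = len(plot)
    best_lag, best = None, -1.0
    for lag in range(1, n // 2 + 1):
        brightness = sum(sum(plot[i][i + lag]) for i in range(n - lag)) / (n - lag)
        if brightness > best:
            best, best_lag = brightness, lag
    return best_lag

def tone(k, n=FRAME):
    """Pure cosine landing exactly on DFT bin k."""
    return [math.cos(2 * math.pi * k * t / n) for t in range(n)]

def demo_frames():
    """Constructed input: bass tone (bin 2) alternating with treble tone (bin 13), period 2."""
    return [tone(2) if i % 2 == 0 else tone(13) for i in range(8)]

if __name__ == "__main__":
    plot = dotplot(demo_frames())
    for row in plot:  # crude ASCII rendering of the red (bass) channel
        print("".join("#" if px[0] > 128 else "." for px in row))
    print("repeated structure every", dominant_period(plot), "frames")
```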

Page 65:

So Why Is This Here?

• I’m doing web research!
• One of my friends, Zane Lackey, knows AJAX quite well and is in town
– We go out for beers.
– Me: “So I’m working on this really cool thing, it makes pictures from sound!”
– Zane: “What, for Audio CAPTCHAs?”
– Me: “…”

Page 66:

Whatsa CAPTCHA?

• CAPTCHA: “Completely Automated Public Turing test to tell Computers and Humans Apart”
• Used to bind access to a resource to the presence of a human
– Web sites use them to suppress bots

• So I get this email, in response to me breaking CAPTCHAs...
– “CAPTCHA is quite annoying. I use a few programs to send "auto-messages" and to "steal friends" from others' pages. They had a way around the CAPTCHA system for a while, but not anymore. Check out www.xxx.com and www.yyy.com. I dunno, I have 5 different accounts, and I add 300 people a day on each one, so imagine - I'm typing 250+ CAPTCHA codes a day on this damn thing. ;)”

Page 67:

AmIHumanOrNot

• The general idea is to use a human’s superior ability at figure/ground separation to differentiate human/machine

• Image CAPTCHAs: Text, distorted and overlaid with lines and other non-text shapes
– Problem: Blind people can’t get in

• Audio CAPTCHAs: Speech, distorted and overlaid with quieter speech
– Humans get a 10 dB boost in perception simply by paying conscious attention
– Problem: Audio is actually easier to hack.

Page 68:

Detecting “8”…

Page 69:

…and “9”

Page 70:

Tips For Building Better Audio CAPTCHAs

• Don’t actually make your speech much louder than your noise

– Easy to sync on regions of high volume

• Expand your vocabulary

– Use a sentence, rather than words in isolation, as we’re much better at parsing them

• Ask a question, perhaps?

– “My name is Bob. How many letters are in my name?”
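A review check for the first tip, added here as an example and not from the slides: it takes the volume envelope of a clip and reports how far the loudest window stands above the median, which is the cue the slide warns is easy to sync on. The 6 dB threshold, the window size and the noise-plus-burst toy clip are assumptions.

```python
import math
import random

WINDOW = 256  # samples per RMS window (constructed toy size)

def rms_envelope(samples, window=WINDOW):
    """RMS level of each non-overlapping window of the signal."""
    return [math.sqrt(sum(x * x for x in samples[s:s + window]) / window)
            for s in range(0, len(samples) - window + 1, window)]

def loudness_gap_db(samples):
    """dB gap between the loudest window and the median window: how far the
    'speech' stands out from the background on volume alone."""
    env = sorted(rms_envelope(samples))
    return 20 * math.log10(env[-1] / env[len(env) // 2])

def leaks_segmentation(samples, max_gap_db=6.0):
    """True when a plain volume envelope already marks where the speech sits.
    The 6 dB threshold is a hypothetical review setting, not from the slides."""
    return loudness_gap_db(samples) > max_gap_db

def constructed_captcha(speech_gain, seed=7, n_windows=16, speech_windows=(3, 9)):
    """Toy stand-in for an audio CAPTCHA: Gaussian background noise with two
    sine bursts playing the role of spoken digits (constructed, not real audio)."""
    rng = random.Random(seed)
    samples = []
    for w in range(n_windows):
        for t in range(WINDOW):
            x = rng.gauss(0.0, 0.1)                   # background noise floor
            if w in speech_windows:
                x += speech_gain * math.sin(0.3 * t)  # "digit" burst on top
            samples.append(x)
    return samples

if __name__ == "__main__":
    for gain in (1.0, 0.1):  # loud speech vs. speech near the noise floor
        clip = constructed_captcha(gain)
        print(f"speech gain {gain}: gap {loudness_gap_db(clip):.1f} dB, "
              f"{'leaks segment positions' if leaks_segmentation(clip) else 'ok'}")
```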