Transcript of Dmk Bo2 K7 Web

1. Black Ops 2007: Design Reviewing The Web AKA: Packets Will Be Involved

  • Dan Kaminsky, Director of Penetration Testing, IOActive, Inc.
  • copyright IOActive, Inc. 2006, all rights reserved.

2. Introduction

  • This is my seventh talk here at Black Hat, where previous subjects have included:
    • Everything over SSH
    • Massive Speed Network Scanning
    • Everything over DNS
    • Pattern Analysis
    • Neutrality Verification
  • New Target: The World Wide Web
    • Why?

3. That's Not A Moon, That's A Web Browser

    • LucasFilm

4. Mobile Too!

    • LucasFilm

5. Where The Wild Things Are

  • Rampant and persistent XSS/XSRF announcements
  • Superbowl .WMF 0-day
    • Two days before Superbowl, malicious image placed on web page
    • 1+M desktops compromised overnight
  • DNS Rebinding Test By Dan Boneh's Team at Stanford
    • Test flash applet placed on an Ad network, distributed across many web sites
    • Applet acquired partial network connectivity to client LAN
    • +100K networks exposed

6. These Are A Few Of My Favorite Things

  • DNS? Tunneling? Behind Firewalls?
    • I try to get out, but they pull me back in!
  • DNS Rebinding is an old bug
    • Dates back to 1996
    • So old, people forgot about it, and started building systems that didn't defend against it
  • Dan Boneh of Stanford University's been driving the most thorough research
    • Attack dates back to 1996 (Princeton Attack)
    • Martin Johns revived the attack in August 2006
    • RSnake's been pushing a lot of attention its way
  • Effect: DNS Rebinding partially breaks the security policy of the web.

7. How Does The Web Work?

  • Web pages are pulled together in the browser, from pieces that can come from all over the place
    • You can even embed one web page inside another one!
      • This is an IFrame
    • But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?

8. The Same Origin Policy

  • Look but don't touch
    • A web page can embed Hotmail, but it can't look inside to see what's happening
    • Access to look inside controlled by Same Origin Policy
    • If has an iframe to, it can look inside.
    • If has an iframe to, it can display to the user, but it cant peek inside and see what the user sees.
  • If two things come from the same place, they must be trusted the same
    • Same place = Same name, right?

9. The Bug

  • Names don't host anything.
  • Everything comes from IP addresses
  • We use DNS to translate between a name we trust and an IP address we communicate with
    • ->
    • ->
  • Assumption: The translations don't change
    • Reality: Both and can return any IP address, at any time, whether they control that IP or not
      • can return an IP address of Foo.Com's

10. Now What?

  • One moment, could point to a server in Europe
  • The next moment, could point to the printer down the hall
  • Suppose your browser loaded a page from each address
    • The content from the European server would be from
    • The content from the printer down the hall would also be from
    • According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
      • The server can't get past your corporate firewall
      • but it doesn't need to. It'll tell your browser what to do, and your browser will report back with whatever your printer is up to.

11. Why The Attack Works

  • Browser doesn't know from the external IP is any different from from the internal IP
    • This is by design
    • Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
  • Detecting that there's a cross-IP scripting action happening is only the beginning; what to do after that is what people are trying to figure out.
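The argument of slides 8 through 11 in runnable form. This is an added example, not code from the talk: a toy origin model in which a scripted resolver answers a public address first and a private one second, a naive browser re-resolves on every fetch (as it would with a 0 TTL), and a pinning browser keeps the first address for the lifetime of the name. The Same Origin Policy check compares names only, exactly as the slides describe. All host names, addresses and page bodies are constructed for the example; 203.0.113.0/24 is a documentation range.

```python
"""Toy origin model with and without DNS pinning (added example, not the talk's code)."""
from dataclasses import dataclass

# Constructed: what each address serves in the scenario.
SERVERS = {
    "203.0.113.10": "lure page served from the external host",
    "192.168.1.5": "printer admin page on the internal LAN",
}


class ScriptedResolver:
    """Returns a fixed sequence of answers for any name, then repeats the last one."""

    def __init__(self, answers):
        self._answers = list(answers)
        self.queries = 0

    def resolve(self, name: str) -> str:
        ip = self._answers[min(self.queries, len(self._answers) - 1)]
        self.queries += 1
        return ip


@dataclass(frozen=True)
class Resource:
    name: str   # host name the browser asked for (what the SOP compares)
    ip: str     # address the bytes actually came from
    body: str


class NaiveBrowser:
    """Resolves the name on every fetch, like a browser honouring a 0 TTL."""

    def __init__(self, resolver, servers):
        self.resolver, self.servers = resolver, servers

    def fetch(self, name: str) -> Resource:
        ip = self.resolver.resolve(name)
        return Resource(name, ip, self.servers[ip])


class PinningBrowser(NaiveBrowser):
    """Resolves a name once and keeps using that address (DNS pinning)."""

    def __init__(self, resolver, servers):
        super().__init__(resolver, servers)
        self.pins = {}

    def fetch(self, name: str) -> Resource:
        if name not in self.pins:
            self.pins[name] = self.resolver.resolve(name)
        ip = self.pins[name]
        return Resource(name, ip, self.servers[ip])


def same_origin(a: Resource, b: Resource) -> bool:
    """Name-based Same Origin Policy check (scheme and port elided for brevity)."""
    return a.name == b.name


def rebind_scenario(pinning: bool):
    """Load a page, then an iframe with the same name a moment later.

    Returns (address the iframe came from, whether the page may script the iframe).
    """
    resolver = ScriptedResolver(["203.0.113.10", "192.168.1.5"])
    browser = (PinningBrowser if pinning else NaiveBrowser)(resolver, SERVERS)
    page = browser.fetch("lure.example")
    frame = browser.fetch("lure.example")
    return frame.ip, same_origin(page, frame)


if __name__ == "__main__":
    print("no pinning:", rebind_scenario(pinning=False))
    print("pinning:   ", rebind_scenario(pinning=True))
```

Both runs report the two resources as same-origin, because the policy only ever sees the name; what pinning changes is which address the second fetch actually reaches. The model covers pinning alone, so the slide's point that detecting a cross-IP scripting action "is only the beginning" still stands.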

12. What is the canonical attack here?

  • Firewall Bypass
    • Most corporate networks draw a significant distinction between the external network and the internal network
      • Things inside can route out
      • Things outside cannot route in
  • By bouncing off a lured browser, an attacker on the outside can access resources on the inside

13. Levels of Exploitation

  • Level 1: Browser-Only
    • One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
    • The Win: Arbitrary HTTP Sites
  • Level 2: Web Plugins
    • MSXML* / XmlHTTPRequest / Silverlight
    • The Win: HTTP + Web Services + Semi-Arbitrary Headers
  • Level 3: Socket Plugins
    • Flash / Java, though different resources available through each
    • The Win: Everything from L1+L2, plus various degrees of TCP or UDP access

14. Java

  • Original Target of 1996 Princeton Attack
    • From Applet interface, can only get high-port UDP and TCP to the actual calling app
  • More widely deployed than I thought
  • LiveConnect
    • Ability for Javascript to call Sockets directly, without going through Applet interface
    • Totally rebindable; effect is high-port UDP and TCP to anyone
    • FireFox and Safari only though

15. Flash

  • Has worked hardest to make arbitrary socket connections work when they're supposed to
    • Most mature security model in the industry
    • They don't handle rebinding well though
      • Breaks what is otherwise a lot of really good work
  • Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024

16. Mechanisms for rebinding an address

  • Lots of ways to use a rebind, but how do you achieve it in the first place?
    • How do you cause the DNS infrastructure to accept your change of address?
    • The entire architecture is designed to cache across hours to days, not to be swappable in seconds
  • Three mechanisms
    • Temporal
    • Spatial
    • Ridiculous

17. Traditional Rebinding: Temporal Modulation

  • DNS records have a TTL field that lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
    • Declare a 0 TTL and records will supposedly not cache
    • Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
  • Problem: Some networks won't respect your low TTL. Some networks brag about that ;)
    • You could wait until the network-enforced minimum TTL expires, but that takes time

18. Another Rebinding Mechanism: Spatial Modulation

  • DNS responses can contain multiple addresses
  • When is asked for its IP address, it returns both its address and the address of the printer
    • This can have an infinite TTL
  • Problem: Which record will the browser choose?
    • Totally random.
  • Solution: Try again
    • Seriously.
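Slides 17 and 18 describe the two answer shapes a protective recursive resolver has to deal with: a 0-TTL record that invites constant re-querying, and a multi-address answer that mixes an internal address in with an external one. The following is an added example, not code from the talk, of the resolver-side policy that many networks apply (dnsmasq's --stop-dns-rebind is the well-known instance): parse a DNS response, drop A records that point into RFC 1918, loopback or link-local space, and raise any TTL below a floor. The response bytes, the name external.example and the TTL floor of 300 seconds are constructed assumptions for the example; only stdlib is used.

```python
"""Resolver-side rebinding filter (added example, not the talk's own code)."""
import ipaddress
import struct

MIN_TTL = 300  # assumed policy floor, in seconds, applied to 0-TTL answers

# Address space that an answer for an external name must never point into.
# Assumed policy list; IPv4 only because the parser below handles A records.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
)]


def encode_name(name: str) -> bytes:
    """Encode a dotted host name into DNS label format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_response(qname: str, records) -> bytes:
    """Constructed test data: a response with A records given as (ttl, ip)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ttl, ip in records:
        answers += b"\xC0\x0C"  # pointer back to the question name at offset 12
        answers += struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def parse_response(data: bytes):
    """Return (qname, [(name, ttl, ip), ...]) for the A records in a response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = read_name(data, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return qname, answers


def sanitize(data: bytes, min_ttl: int = MIN_TTL):
    """Apply the rebinding policy; return (kept_records, dropped_records)."""
    _, answers = parse_response(data)
    kept, dropped = [], []
    for name, ttl, ip in answers:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_NETS):
            dropped.append((name, ttl, ip))          # spatial modulation: internal address
        else:
            kept.append((name, max(ttl, min_ttl), ip))  # temporal modulation: TTL floor
    return kept, dropped


if __name__ == "__main__":
    # Constructed answer: one external address and one printer address, both TTL 0.
    msg = build_response("external.example", [(0, "203.0.113.10"), (0, "192.168.1.5")])
    print(sanitize(msg))
```

The filter keeps only the external record and hands it back with a 300-second TTL, which is the "network-enforced minimum TTL" the slide mentions seen from the defender's side. The cost is also the one the slide implies: a network that needs legitimate names to resolve to internal addresses has to whitelist them, which is why dnsmasq pairs the option with a domain allow-list.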

19. Spatial Error Resolution

  • Case 1: Browser wants external, gets internal
    • Fix 1: External resource is hosted on an unusua