Dmk Bo2 K7 Web
1. Black Ops 2007: Design Reviewing The Web. AKA: Packets Will Be Involved. Dan Kaminsky, Director of Penetration Testing, IOActive, Inc. Copyright IOActive, Inc. 2006, all rights reserved.
2. This is my seventh talk here at Black Hat, where previous subjects have included:
- Everything over SSH
- Massive Speed Network Scanning
- Everything over DNS
- Pattern Analysis
- Neutrality Verification
- New Target: The World Wide Web
3. That's Not A Moon, That's A Web Browser
4. Mobile Too!
5. Where The Wild Things Are
- Rampant and persistent XSS/XSRF announcements
- Superbowl .WMF 0-day
- Two days before Superbowl, malicious image placed on web page
- 1+M desktops compromised overnight
- DNS Rebinding Test By Dan Boneh's Team at Stanford
- Test flash applet placed on an Ad network, distributed across many web sites
- Applet acquired partial network connectivity to client LAN
- +100K networks exposed
6. These Are A Few Of My Favorite Things
- DNS? Tunneling? Behind Firewalls?
- I try to get out, but they pull me back in!
- DNS Rebinding is an old bug
- Dates back to 1996
- So old, people forgot about it, and started building systems that didn't defend against it
- Dan Boneh of Stanford University's been driving the most thorough research
- Attack dates back to 1996 (Princeton Attack)
- Martin Johns revived the attack in August 2006
- RSnake's been pushing a lot of attention its way
- Effect: DNS Rebinding partially breaks the security policy of the web.
7. How Does The Web Work?
- Web pages are pulled together in the browser, from pieces that can come from all over the place
- You can even embed one web page inside another one!
- This is an IFrame
- But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?
8. The Same Origin Policy
- Look but don't touch
- A web page can embed Hotmail, but it can't look inside to see what's happening
- Access to look inside controlled by Same Origin Policy
- If foo.com has an iframe to foo.com, it can look inside.
- If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can't peek inside and see what the user sees.
- If two things come from the same place, they must be trusted the same
- Same place = Same name, right?
9. The Bug
- Names don't host anything.
- Everything comes from IP addresses
- We use DNS to translate between a name we trust and an IP address we communicate with
- Foo.com -> 188.8.131.52
- Bar.com -> 184.108.40.206
- Assumption: The translations don't change
- Reality: Both foo.com and bar.com can return any IP address, at any time, whether they control that IP or not
- Bar.com can return an IP address of Foo.Com's
10. Now What?
- One moment, bar.com could point to a server in Europe
- The next moment, bar.com could point to the printer down the hall
- Suppose your browser loaded a page from each address
- The content from the European server would be from bar.com
- The content from the printer down the hall would also be from bar.com
- According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
- The server cant get past your corporate firewall
- but it doesn't need to. It'll tell your browser what to do, and your browser will report back with whatever your printer is up to.
11. Why The Attack Works
- Browser doesn't know bar.com from the external IP is any different from bar.com from the internal IP
- This is by design
- Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
- Detecting that there's a cross-IP scripting action happening is only the beginning; what to do after that is what people are trying to figure out.
12. What is the canonical attack here?
- Firewall Bypass
- Most corporate networks draw a significant distinction between the external network and the internal network
- Things inside can route out
- Things outside cannot route in
- By bouncing off a lured browser, an attacker on the outside can access resources on the inside
13. Levels of Exploitation
- Level 1: Browser-Only
- One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
- The Win: Arbitrary HTTP Sites
- Level 2: Web Plugins
- MSXML* / XmlHTTPRequest / Silverlight
- The Win: HTTP + Web Services + Semi-Arbitrary Headers
- Level 3: Socket Plugins
- Flash / Java, though different resources available through each
- The Win: Everything from L1+L2, plus various degrees of TCP or UDP access
- Original Target of 1996 Princeton Attack
- From Applet interface, can only get high-port UDP and TCP to the actual calling app
- More widely deployed than I thought
- Totally rebindable effect is high-port UDP and TCP to anyone
- Firefox and Safari only though
- Has worked hardest to make arbitrary socket connections work when theyre supposed to
- Most mature security model in the industry
- They don't handle rebinding well though
- Breaks what is otherwise a lot of really good work
- Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024
16. Mechanisms for rebinding an address
- Lots of ways to use a rebind, but how do you achieve it in the first place?
- How do you cause the DNS infrastructure to accept your change of address?
- The entire architecture is designed to cache across hours to days, not to be swappable in seconds
- Three mechanisms
17. Traditional Rebinding: Temporal Modulation
- DNS records have a TTL field that lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
- Declare a 0 TTL and records will supposedly not cache
- Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
- Problem: Some networks won't respect your low TTL. Some networks brag about that ;)
- You could wait until the network-enforced minimum TTL expires, but that takes time
18. Another Rebinding Mechanism: Spatial Modulation
- DNS responses can contain multiple addresses
- When bar.com is asked for its IP address, it returns both its address and the address of the printer
- This can have an infinite TTL
- Problem: Which record will the browser choose?
- Totally random.
- Solution: Try again
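A resolver-side filter of the kind slides 17 and 18 motivate, added here as an example and not code from the talk: it drops answers that point an external name at an internal address (defeating spatial modulation) and raises TTLs to a floor, the network-enforced minimum slide 17 mentions (blunting temporal modulation). The `Answer` type, the `internal_zones` policy, and the printer address 192.168.1.50 are assumptions; 184.108.40.206 is bar.com's address from slide 9.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    name: str      # owner name of the A record
    ttl: int       # TTL in seconds, as returned by the authoritative server
    address: str   # dotted-quad address from the record

def is_internal(address):
    """True for addresses a public name should never legitimately resolve to."""
    ip = ipaddress.ip_address(address)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def _under(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def filter_answers(answers, internal_zones=(), min_ttl=60):
    """Resolver-side rebinding policy (assumed here, not from the talk).
    Drops A records that map a name outside internal_zones to an internal
    address (defeats spatial modulation) and raises TTLs to min_ttl so a
    0-TTL record cannot be re-resolved per request (blunts temporal
    modulation). Returns (kept_answers, audit_messages)."""
    kept, audit = [], []
    for a in answers:
        if is_internal(a.address) and not any(_under(a.name, z) for z in internal_zones):
            audit.append(f"drop {a.name} -> {a.address}: internal address for external name")
            continue
        ttl = a.ttl
        if ttl < min_ttl:
            audit.append(f"clamp {a.name} ttl {a.ttl} -> {min_ttl}")
            ttl = min_ttl
        kept.append(Answer(a.name, ttl, a.address))
    return kept, audit

# Constructed sample responses: 184.108.40.206 is bar.com's address from the
# slides; 192.168.1.50 stands in for "the printer down the hall".
SPATIAL = [Answer("bar.com", 86400, "184.108.40.206"),
           Answer("bar.com", 86400, "192.168.1.50")]        # both records, long TTL
TEMPORAL_FIRST = [Answer("bar.com", 0, "184.108.40.206")]  # 0 TTL, then a swap...
TEMPORAL_SECOND = [Answer("bar.com", 0, "192.168.1.50")]   # ...to the printer
INTERNAL = [Answer("printer.corp.example", 300, "192.168.1.50")]  # legitimate

if __name__ == "__main__":
    for label, resp in [("spatial", SPATIAL), ("temporal-1", TEMPORAL_FIRST),
                        ("temporal-2", TEMPORAL_SECOND), ("internal", INTERNAL)]:
        kept, audit = filter_answers(resp, internal_zones=("corp.example",))
        print(label, [(a.address, a.ttl) for a in kept], audit)
```

The clamp does not stop a rebind outright; it only stretches each swap to at least `min_ttl` seconds, which is exactly the delay slide 17 complains about.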
19. Spatial Error Resolution
- Case 1: Browser wants external, gets internal
- Fix 1: External resource is hosted on an unusua