Dmk bo2 k7_web

67 pages, posted 29-Nov-2014

  • Black Ops 2007: Design Reviewing The Web

    AKA: Packets Will Be Involved

    Dan Kaminsky
    Director of Penetration Testing
    IOActive, Inc.

    copyright IOActive, Inc. 2006, all rights reserved.

  • Introduction

    This is my seventh talk here at Black Hat, where previous subjects have included:
      Everything over SSH
      Massive Speed Network Scanning
      Everything over DNS
      Pattern Analysis
      Neutrality Verification
    New Target: The World Wide Web
    Why?

  • That's Not A Moon, That's A Web Browser

    (image: LucasFilm)

  • Mobile Too!

    (image: LucasFilm)

  • Where The Wild Things Are

    Rampant and persistent XSS/XSRF announcements
    Superbowl .WMF 0-day
      Two days before the Superbowl, a malicious image was placed on a web page
      1M+ desktops compromised overnight
    DNS Rebinding test by Dan Boneh's team at Stanford
      Test Flash applet placed on an ad network, distributed across many web sites
      Applet acquired partial network connectivity to the client LAN
      100K+ networks exposed

  • These Are A Few Of My Favorite Things

    DNS? Tunneling? Behind Firewalls?
    I try to get out, but they pull me back in!
    DNS Rebinding is an old bug
      Dates back to 1996
      So old, people forgot about it, and started building systems that didn't defend against it
    Dan Boneh of Stanford University's been driving the most thorough research
      Attack dates back to 1996 (Princeton Attack)
      Martin Johns revived the attack in August 2006
      RSnake's been pushing a lot of attention its way
    Effect: DNS Rebinding partially breaks the security policy of the web.

  • How Does The Web Work?

    Web pages are pulled together in the browser, from pieces that can come from all over the place
    You can even embed one web page inside another one! This is an IFrame
    But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?

  • The Same Origin Policy

    Look but don't touch
    A web page can embed Hotmail, but it can't look inside to see what's happening
    Access to look inside is controlled by the Same Origin Policy
      If foo.com has an iframe to foo.com, it can look inside.
      If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can't peek inside and see what the user sees.
    If two things come from the same place, they must be trusted the same
    Same place = Same name, right?

  • The Bug

    Names don't host anything. Everything comes from IP addresses
    We use DNS to translate between a name we trust and an IP address we communicate with
      foo.com -> 1.2.3.4
      bar.com -> 3.4.5.6
    Assumption: The translations don't change
    Reality: Both foo.com and bar.com can return any IP address, at any time, whether they control that IP or not
      bar.com can return an IP address of foo.com's

  • Now What?

    One moment, bar.com could point to a server in Europe
    The next moment, bar.com could point to the printer down the hall
    Suppose your browser loaded a page from each address
      The content from the European server would be from bar.com
      The content from the printer down the hall would also be from bar.com
    According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
    The server can't get past your corporate firewall, but it doesn't need to. It'll tell your browser what to do, and your browser will report back with whatever your printer is up to.

  • Why The Attack Works

    The browser doesn't know that bar.com from the external IP is any different from bar.com from the internal IP
    This is by design
      Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
    Detecting that there's a cross-IP scripting action happening is only the beginning; what to do after that is what people are trying to figure out.
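The name-keyed policy on the preceding slides (Same Origin Policy, The Bug, Now What, Why The Attack Works), as an added example in Python rather than code from the talk. bar.com, the "server in Europe" and the "printer down the hall" are the slide's cast; the IP addresses, the toy resolver and browser classes, and the DNS-pinning policy in the second browser are assumptions. Pinning is shown only as one way to notice the cross-IP scripting that the last slide says has to be detected before anything else can be done about it.

```python
"""DNS rebinding against a name-keyed Same Origin Policy (toy simulation)."""
import dataclasses

ATTACKER_HOST = "bar.com"       # attacker-controlled name, as on the slide
EXTERNAL_IP = "203.0.113.10"    # "a server in Europe" (constructed address)
INTERNAL_IP = "10.0.0.7"        # "the printer down the hall" (constructed address)


@dataclasses.dataclass
class Document:
    origin: tuple    # (scheme, host, port): the only thing the SOP compares
    served_by: str   # the IP that actually answered: the thing the SOP ignores


class AttackerResolver:
    """Authoritative DNS for bar.com. Answers a scripted list of IPs, one per query,
    standing in for a record the attacker rewrites between the victim's lookups."""

    def __init__(self, answers):
        self._answers = list(answers)

    def resolve(self, host):
        if host != ATTACKER_HOST:
            raise LookupError(host)
        # Hand out the next scripted answer; keep repeating the last one.
        return self._answers.pop(0) if len(self._answers) > 1 else self._answers[0]


class NameKeyedBrowser:
    """Toy browser: origin is keyed on the name, and every fetch re-resolves the name."""

    def __init__(self, resolver):
        self.resolver = resolver

    def fetch(self, host, port=80):
        ip = self.resolver.resolve(host)
        return Document(origin=("http", host, port), served_by=ip)

    @staticmethod
    def can_script(a, b):
        return a.origin == b.origin


class PinningBrowser(NameKeyedBrowser):
    """The same browser with DNS pinning (an assumed mitigation, not from the slide):
    the first IP a name resolved to is kept for the session, and a later answer that
    differs is recorded and ignored instead of being connected to."""

    def __init__(self, resolver):
        super().__init__(resolver)
        self.pins = {}
        self.rebind_attempts = []

    def fetch(self, host, port=80):
        ip = self.resolver.resolve(host)
        pinned = self.pins.setdefault(host, ip)
        if ip != pinned:
            self.rebind_attempts.append((host, pinned, ip))
            ip = pinned
        return Document(origin=("http", host, port), served_by=ip)


def rebind(browser_cls):
    """Outer frame: attacker's page, loaded while bar.com points outside.
    Inner frame: same name, loaded after bar.com has been pointed at the printer."""
    browser = browser_cls(AttackerResolver([EXTERNAL_IP, INTERNAL_IP]))
    outer = browser.fetch(ATTACKER_HOST)
    inner = browser.fetch(ATTACKER_HOST)
    return {
        "ips": (outer.served_by, inner.served_by),
        "same_origin": browser.can_script(outer, inner),
        "detected": len(getattr(browser, "rebind_attempts", [])),
    }


if __name__ == "__main__":
    print("name-keyed SOP:", rebind(NameKeyedBrowser))
    print("with pinning:  ", rebind(PinningBrowser))
```

With the name-keyed browser both frames report the same origin while one was served by 203.0.113.10 and the other by 10.0.0.7, which is exactly the condition the slide describes as the server in Europe doing whatever it wants to your printer. With pinning, the changed answer on the second lookup is recorded and the inner frame is fetched from the pinned external address, so the scripting that follows never touches the internal host.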

  • What is the canonical attack here? Firewall Bypass

    Most corporate networks draw a significant distinction between the external network and the internal network
      Things inside can route out
      Things outside cannot route in
    By bouncing off a lured browser, an attacker on the outside can access resources on the inside

  • Levels of Exploitation

    Level 1: Browser-Only
      One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
      The Win: Arbitrary HTTP sites
    Level 2: Web Plugins
      MSXML* / XMLHttpRequest / Silverlight
      The Win: HTTP + Web Services + Semi-Arbitrary Headers
    Level 3: Socket Plugins
      Flash / Java, though different resources are available through each
      The Win: Everything from L1 + L2, plus various degrees of TCP or UDP access

  • Java

    Original target of the 1996 Princeton Attack
    From the Applet interface, can only get high-port UDP and TCP to the actual calling app
    More widely deployed than I thought
    LiveConnect
      Ability for JavaScript to call sockets directly, without going through the Applet interface
      Totally rebindable; effect is high-port UDP and TCP to anyone
      Firefox and Safari only, though

  • Flash

    Has worked hardest to make arbitrary socket connections work when they're supposed to
    Most mature security model in the industry
    They don't handle rebinding well, though
      Breaks what is otherwise a lot of really good work
    Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024

  • Mechanisms for rebinding an address

    Lots of ways to use a rebind, but how do you achieve it in the first place?
    How do you cause the DNS infrastructure to accept your change of address?
      The entire architecture is designed to cache across hours to days, not to be swappable in seconds
    Three mechanisms
      Temporal
      Spatial
      Ridiculous

  • Traditional Rebinding: Temporal Modulation

    DNS records have a TTL field; it lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
    Declare a 0 TTL and records will supposedly not cache
    Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
    Problem: Some networks won't respect your low TTL. Some networks brag about that ;)
      You could wait until the network-enforced minimum TTL expires, but that takes time

  • Another Rebinding Mechanism: Spatial Modulation

    DNS responses can contain multiple addresses
    When bar.com is asked for its IP address, it returns both its address and the address of the printer
    This can have an infinite TTL
    Problem: Which record will the browser choose? Totally random.
    Solution: Try again. Seriously.

  • Spatial Error Resolution

    Case 1: Browser wants external, gets internal
      Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though.
      Fix 2: Immediately after connecting, look for evidence in the connected session that we've actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success.
        The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly.
    Case 2: Flash/Java wants internal, gets external
      Fix: Look for a magic token on the incoming session. If the magic token is returned, destroy the object and try again. If no token, retry the applet a couple of times just in case there's an extrusion firewall in the way.
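The two mechanisms from the Temporal Modulation and Spatial Modulation slides, with the token-check-and-retry loop from the Spatial Error Resolution slide, as an added Python example that is not code from the talk. The ClampedCache class, the magic token string, the IP addresses and the seeded random choice are all assumptions made so the example runs offline; the recursive resolver, the browser or applet and the network transport are each replaced by a toy function.

```python
"""Temporal and spatial DNS rebinding against a toy resolver cache (constructed data)."""
import random

NAME = "bar.com"                    # the rebound name from the slides
ATTACKER_IP = "203.0.113.10"        # attacker's external server (constructed)
PRINTER_IP = "10.0.0.7"             # internal target (constructed)
MAGIC = "X-Rebind-Token: 9c1f"      # constructed marker only the attacker's server emits


class ClampedCache:
    """Recursive-resolver cache. min_ttl models a network that refuses to honour a
    TTL shorter than its own floor, the networks that 'brag about that'."""

    def __init__(self, min_ttl=0):
        self.min_ttl = min_ttl
        self.entries = {}   # name -> (ips, expires_at)

    def lookup(self, name, now, authoritative):
        ips, expires = self.entries.get(name, (None, 0))
        if ips is None or now >= expires:
            ips, ttl = authoritative(name)
            self.entries[name] = (ips, now + max(ttl, self.min_ttl))
        return ips


def temporal_rebind(min_ttl):
    """Attacker serves a 0-TTL record and flips it once the lure page has loaded.
    Returns the second at which the victim first resolves bar.com to the printer."""
    current = [ATTACKER_IP]
    authoritative = lambda name: (list(current), 0)   # TTL 0: 'supposedly not cache'
    cache = ClampedCache(min_ttl)
    cache.lookup(NAME, 0, authoritative)   # victim loads the attacker's page
    current[0] = PRINTER_IP                # record rewritten immediately afterwards
    for t in range(1, 24 * 3600):
        if cache.lookup(NAME, t, authoritative) == [PRINTER_IP]:
            return t
    return None


def connect(ip):
    """Toy transport: the first bytes a session to `ip` would return."""
    return MAGIC if ip == ATTACKER_IP else "HTTP/1.0 200 OK\r\nServer: printer"


def spatial_rebind(want_internal, seed=0, max_tries=50):
    """bar.com answers with both addresses at a long TTL; the client picks one at
    random. Apply the slide's fix: inspect the session for the magic token, discard
    the wrong side and retry until the wanted side answers. Returns (ip, attempts)."""
    rng = random.Random(seed)
    answer = [ATTACKER_IP, PRINTER_IP]
    for attempt in range(1, max_tries + 1):
        ip = rng.choice(answer)
        reached_attacker = connect(ip) == MAGIC
        if reached_attacker != want_internal:
            return ip, attempt
    return None, max_tries


if __name__ == "__main__":
    print("temporal, TTL honoured:   rebound at t =", temporal_rebind(0))
    print("temporal, 300 s floor:    rebound at t =", temporal_rebind(300))
    print("spatial, want internal:  ", spatial_rebind(True, seed=1))
    print("spatial, want external:  ", spatial_rebind(False, seed=2))
```

With the TTL honoured, the very next lookup after the flip reaches the printer; with a 300-second floor the attacker is stuck until the clamped entry expires, which is the "takes time" on the slide. The spatial path needs no TTL at all: the wrong guess is detected from the session itself and simply thrown away, so a handful of retries is the whole cost.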

  • Ridiculous?

    People are trying to use DNS TTLs as a security technology
    DNS TTLs are not a security technology
      Finally, something less a security technology than Virtual Machines
    Overriding a TTL, if you control the record, turns out to be very easy, and this is by design
    When something wasn't designed to be a security technology, don't be surprised when it isn't one

  • CNiping

    CNAME Records: DNS Aliases
      Instead of returning an address, return what the Canonical, or Official, Name was, and then the address of that Canonical Name
    If you are allowed to be the resolver for that canonical name, your additional record overrides whatever's already in the cache, even if the TTL hasn't expired yet
      It's not a bug.
    Works against most, but not actually all, name servers

  • CNiping Demo [0]

    dig 1.foo.notmallory.com
    ;; ANSWER SECTION:
    1.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com.
    bar.foo.notmallory.com.  120  IN  A      10.0.0.0

    dig bar.foo.notmallory.com
    bar.foo.notmallory.com.  111  IN  A      10.0.0.0

  • CNiping Demo [1]

    dig 2.foo.notmallory.com
    2.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com.
    bar.foo.notmallory.com.  120  IN  A      10.0.0.1

    dig bar.foo.notmallory.com
    bar.foo.notmallory.com.  118  IN  A      10.0.0.1
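The two dig runs above, replayed against a toy resolver cache, as an added Python example that is not from the talk. RecordCache is a simplified model of the in-bailiwick rule (a server authoritative for foo.notmallory.com may supply records for names under that zone, and nothing else); real resolvers rank data by its source per RFC 2181, so the replace_unexpired switch only stands in for the "most, but not all" name servers on the CNiping slide. The notmallory.com names and addresses are the slide's; the example.com records in the second function are constructed to show the case the bailiwick check refuses.

```python
"""CNAME-driven cache overwrite (CNiping) against a toy resolver cache."""
import dataclasses

ZONE = "foo.notmallory.com"   # the attacker's zone from the demo


@dataclasses.dataclass
class RR:
    name: str
    rtype: str
    data: str
    ttl: int


def in_bailiwick(rr_name, zone):
    """True if the server authoritative for `zone` is allowed to speak for rr_name."""
    return rr_name == zone or rr_name.endswith("." + zone)


class RecordCache:
    """Toy resolver cache keyed on (name, type). replace_unexpired=True behaves like
    the servers the slide says CNiping works against; False like the ones it doesn't."""

    def __init__(self, replace_unexpired=True):
        self.replace_unexpired = replace_unexpired
        self.store = {}   # (name, type) -> (RR, expires_at)

    def ingest(self, response, zone, now):
        """Take records from a response sent by the server authoritative for `zone`."""
        accepted = []
        for rr in response:
            if not in_bailiwick(rr.name, zone):
                continue   # out-of-bailiwick data: classic poisoning, dropped
            key = (rr.name, rr.rtype)
            existing = self.store.get(key)
            if existing and existing[1] > now and not self.replace_unexpired:
                continue   # keep the cached copy until its own TTL runs out
            self.store[key] = (rr, now + rr.ttl)
            accepted.append(key)
        return accepted

    def get(self, name, rtype, now):
        entry = self.store.get((name, rtype))
        if entry is None or entry[1] <= now:
            return None
        return entry[0].data


def cniping(replace_unexpired):
    """Replay Demo [0] then Demo [1]; return what the cache says bar.foo... is now."""
    cache = RecordCache(replace_unexpired)
    # t=0: dig 1.foo.notmallory.com; answer carries the alias and its target address
    cache.ingest([RR("1.foo.notmallory.com", "CNAME", "bar.foo.notmallory.com", 120),
                  RR("bar.foo.notmallory.com", "A", "10.0.0.0", 120)], ZONE, now=0)
    # t=9: bar.foo... still has 111 s of TTL left when a second alias to it arrives
    cache.ingest([RR("2.foo.notmallory.com", "CNAME", "bar.foo.notmallory.com", 120),
                  RR("bar.foo.notmallory.com", "A", "10.0.0.1", 120)], ZONE, now=9)
    return cache.get("bar.foo.notmallory.com", "A", now=9)


def out_of_bailiwick_attempt():
    """The same trick aimed at a name outside the attacker's zone is rejected."""
    cache = RecordCache()
    cache.ingest([RR("www.example.com", "A", "198.51.100.5", 300)], "example.com", now=0)
    accepted = cache.ingest([RR("3.foo.notmallory.com", "CNAME", "www.example.com", 120),
                             RR("www.example.com", "A", "10.0.0.1", 120)], ZONE, now=0)
    return cache.get("www.example.com", "A", now=0), accepted


if __name__ == "__main__":
    print("replacing cache:    bar.foo... ->", cniping(True))
    print("non-replacing cache: bar.foo... ->", cniping(False))
    print("out of bailiwick:   ", out_of_bailiwick_attempt())
```

Against the replacing cache the unexpired 10.0.0.0 entry is overwritten with 10.0.0.1 nine seconds in, reproducing the demo's 118-second leftover TTL on a record that had 111 seconds to go. The non-replacing cache keeps 10.0.0.0 until it expires, and the out-of-bailiwick attempt shows why this is "not a bug": the attacker only ever rewrites names under a zone they are already authoritative for.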

  • Review

    By swapping addresses out from underneath a we