
Transcript of DMK BO2K7 Web

  • 8/14/2019 DMK BO2K7 Web


    copyright IOActive, Inc. 2006, all rights


    Black Ops 2007:

    Design Reviewing The Web

    AKA: Packets Will Be Involved

    Dan Kaminsky

    Director of Penetration Testing

    IOActive, Inc.


    This is my seventh talk here at Black Hat, where previous subjects have included:
        Everything over SSH
        Massive Speed Network Scanning
        Everything over DNS
        Pattern Analysis
        Neutrality Verification
    New Target: The World Wide Web


    That's Not A Moon, That's A Web



    Mobile Too!


    Where The Wild Things Are

    Rampant and persistent XSS/XSRF announcements
    Superbowl .WMF 0-day
        Two days before the Superbowl, a malicious image was placed on a web page
        1M+ desktops compromised overnight
    DNS Rebinding test by Dan Boneh's team at Stanford
        Test Flash applet placed on an ad network, distributed across many web sites
        Applet acquired partial network connectivity to the client LAN
        100K+ networks exposed

    These Are A Few Of My Favorite Things

    DNS? Tunneling? Behind Firewalls? I try to get out, but they pull me back in!
    DNS Rebinding is an old bug
        Dates back to 1996
        So old, people forgot about it, and started building systems that didn't defend against it
    Dan Boneh of Stanford University has been driving the most thorough research
        Attack dates back to 1996 (Princeton Attack)
        Martin Johns revived the attack in August 2006
        RSnake has been pushing a lot of attention its way
    Effect: DNS Rebinding partially breaks the security policy of the web.

    How Does The Web Work?

    Web pages are pulled together in the browser, from pieces that can come from all over the place
    You can even embed one web page inside another one!
        This is an IFrame
    But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?

    The Same Origin Policy: Look but don't touch

    A web page can embed Hotmail, but it can't look inside to see what's happening
    Access to look inside is controlled by the Same Origin Policy
        If a page has an iframe to a page from the same site, it can look inside.
        If a page has an iframe to a page from a different site, it can display it to the user, but it can't peek inside and see what the user sees.
    If two things come from the same place, they must be trusted the same
    Same place = Same name, right?

    The Bug: Names don't host anything.

    Everything comes from IP addresses
    We use DNS to translate between a name we trust and an IP address we communicate with
    Assumption: The translations don't change
    Reality: Whoever runs the DNS for a name can return any IP address, at any time, whether they control that IP or not
        An attacker's name can return an IP address that belongs to Foo.Com

    Now What?

    One moment, a name could point to a server in Europe
    The next moment, the same name could point to the printer down the hall
    Suppose your browser loaded a page from each address
        The content from the European server would be from that name
        The content from the printer down the hall would also be from that name
    According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
    The server can't get past your corporate firewall, but it doesn't need to. It'll tell your browser what to do, and your browser will report back with whatever your printer is up to.

    Why The Attack Works

    The browser doesn't know that content from the external IP is any different from content from the internal IP
    This is by design
        Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
    Detecting that there's a cross-IP scripting action happening is only the beginning; what to do after that is what people are trying to figure out.

    What is the canonical attack here?

    Firewall Bypass
        Most corporate networks draw a significant distinction between the external network and the internal network
        Things inside can route out
        Things outside cannot route in
        By bouncing off a lured browser, an attacker on the outside can access resources on the


    Levels of Exploitation

    Level 1: Browser-Only
        One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
        The Win: Arbitrary HTTP sites
    Level 2: Web Plugins
        MSXML* / XmlHttpRequest / Silverlight
        The Win: HTTP + Web Services + semi-arbitrary headers
    Level 3: Socket Plugins
        Flash / Java, though different resources are available through each
        The Win: Everything from L1+L2, plus various degrees of TCP or UDP access

    Java

    Original target of the 1996 Princeton Attack
    From the Applet interface, can only get high-port UDP and TCP to the actual calling app
    More widely deployed than I thought

    Ability for JavaScript to call sockets directly, without going through the Applet interface
        Totally rebindable; the effect is high-port UDP and TCP to anyone
        Firefox and Safari only though

    Has worked hardest to make arbitrary socket connections work when they're supposed to
    Most mature security model in the industry
    They don't handle rebinding well though
        Breaks what is otherwise a lot of really good
    Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024

    Mechanisms for rebinding an

    Lots of ways to use a rebind, but how do you achieve it in the first place?
    How do you cause the DNS infrastructure to accept your change of address?
    The entire architecture is designed to cache across hours to days, not to be swappable in seconds
    Three mechanisms: Temporal, Spatial Modulation, CNiping



    Traditional Rebinding: Temporal

    DNS records have a TTL field: it lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
    Declare a 0 TTL and records will supposedly not cache
    Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different
    Problem: Some networks won't respect your low TTL.
        Some networks brag about that ;)
        You could wait until the network-enforced minimum TTL expires, but that takes time

    Another Rebinding Mechanism: Spatial Modulation

    DNS responses can contain multiple addresses
    When the attacker's name is asked for its IP address, it returns both its own address and the address of the printer
    This can have an infinite TTL
    Problem: Which record will the browser choose? Totally random.
    Solution: Try again


    Spatial Error Resolution

    Case 1: Browser wants external, gets internal
        Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though.
        Fix 2: Immediately after connecting, look for evidence in the connected session that we've actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success.
            The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly.
    Case 2: Flash/Java wants internal, gets external
        Fix: Look for a magic token on the incoming session. If the magic token is returned, destroy the object and try again. If no token, retry the applet a couple of times just in case there's an extrusion firewall in the way.
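The attack flow from the "Now What?" slide and the two retry cases above, as one runnable simulation. This is an added example, not code from the talk: it models the browser (or socket plugin) picking one of two A records at random for a hypothetical name evil.example, inspects each session for a magic token that only the attacker's own server emits, and discards wrong guesses until the intended host is reached. The name, the addresses, the token and the HTTP bodies are constructed for the example, and an extrusion firewall is modelled as a refused connection to the external address.

```python
import random

# Constructed model of spatial rebinding from the lure page's point of view.
# Names, addresses and response bodies are made up for this example.
ATTACKER_NAME = "evil.example"        # hypothetical attacker-controlled name
EXTERNAL_IP = "203.0.113.10"          # attacker's real web server
INTERNAL_IP = "10.1.1.50"             # the printer down the hall
MAGIC_TOKEN = "X-Rebind-Token: 7f3a"  # header only the attacker's server sends


def dns_answer(name):
    """Spatial modulation: one long-lived answer carrying both addresses."""
    assert name == ATTACKER_NAME
    return [EXTERNAL_IP, INTERNAL_IP]


class Network:
    """What each address replies with; an extrusion (egress) firewall can make
    the external address unreachable from inside the LAN."""

    def __init__(self, egress_blocked=False):
        self.egress_blocked = egress_blocked
        self.bodies = {
            EXTERNAL_IP: "HTTP/1.1 200 OK\r\n" + MAGIC_TOKEN + "\r\n\r\n<html>lure page</html>",
            INTERNAL_IP: "HTTP/1.1 200 OK\r\nServer: printer\r\n\r\n<html>Printer status: idle</html>",
        }

    def connect(self, ip):
        if ip == EXTERNAL_IP and self.egress_blocked:
            raise ConnectionError("outbound connection blocked")
        return self.bodies[ip]


def xhr_get(name, net, rng):
    """XMLHttpRequest stand-in: the browser picks one A record per connection,
    and because the request is an object we can throw it away if it guessed wrong."""
    ip = rng.choice(dns_answer(name))
    return ip, net.connect(ip)


def fetch_external(name, net, rng, max_tries=64):
    """Case 1: the page wants its own server. A session without the magic
    token reached the wrong host; destroy it and try again."""
    for attempt in range(1, max_tries + 1):
        try:
            ip, body = xhr_get(name, net, rng)
        except ConnectionError:
            continue
        if MAGIC_TOKEN in body:
            return ip, attempt
    raise RuntimeError("external server never reached")


def fetch_internal(name, net, rng, max_tries=64):
    """Case 2: the plugin wants the internal host. The magic token means we
    hit our own server, so retry; a refused connection may only be the
    extrusion firewall, so retry that too."""
    for attempt in range(1, max_tries + 1):
        try:
            ip, body = xhr_get(name, net, rng)
        except ConnectionError:
            continue
        if MAGIC_TOKEN not in body:
            return ip, body, attempt
    raise RuntimeError("internal host never reached")


def find_external(seed=7):
    """Case 1 driver: returns the address that proved to be our own server."""
    ip, _ = fetch_external(ATTACKER_NAME, Network(), random.Random(seed))
    return ip


def run_attack(seed=7, egress_blocked=False):
    """Lure page already loaded: reach the printer through the same name and
    return its page body, which the script could then ship back out."""
    ip, body, tries = fetch_internal(ATTACKER_NAME, Network(egress_blocked), random.Random(seed))
    loot = body.split("\r\n\r\n", 1)[1]
    return ip, loot, tries


if __name__ == "__main__":
    print("own server reached at", find_external())
    print("printer reached:", run_attack())
    print("printer reached behind egress filter:", run_attack(egress_blocked=True))
```

The seeded random generator stands in for the browser's record choice, which the slide calls "totally random"; the only information the script has to tell the two hosts apart is what comes back on the session, which is why the magic token does the work in both cases.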

    Ridiculous?

    People are trying to use DNS TTLs as a security
    DNS TTLs are not a security technology
        Finally, something less a security technology than Virtual Machines
    Overriding a TTL, if you control the record, turns out to be very easy, and this is by design
    When something wasn't designed to be a security technology, don't be surprised when it isn't one

    CNiping

    CNAME Records: DNS Aliases
        Instead of returning an address, return what the Canonical, or Official, Name was, and then the address of that Canonical Name
    If you are allowed to answer for that canonical name (your server is in its bailiwick), your additional record overrides whatever's already in the cache, even if the TTL hasn't expired yet
        It's not a bug.
    Works against most, but not actually all, name servers
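The three mechanisms side by side (Temporal, Spatial Modulation, and the CNiping trick above), as an added example rather than code from the talk: a toy authoritative server for a hypothetical zone evil.example and a toy caching resolver. The resolver's min_ttl setting models a network that ignores low TTLs; its cname_overwrites_cache setting models whether a CNAME answer's in-bailiwick A record may replace an unexpired cached record, which the slide says most but not all name servers allow. Zone, names, addresses and TTLs are constructed.

```python
from dataclasses import dataclass

# Constructed model of the three rebinding mechanisms on the DNS side.
# The zone, names and addresses are made up for this example.
ZONE = "evil.example."
TARGET = "www.evil.example."          # name the lure page was loaded from
ALIAS = "cnipe.evil.example."         # throwaway name used only for the CNiping step
EXTERNAL_IP = "203.0.113.10"          # attacker's real server
INTERNAL_IP = "10.1.1.50"             # printer on the victim's LAN


@dataclass
class RR:
    name: str
    rtype: str   # "A" or "CNAME"
    data: str
    ttl: int


class AttackerNameServer:
    """Authoritative for everything under ZONE; 'mode' selects the trick."""

    def __init__(self, mode):
        self.mode = mode          # "temporal", "spatial" or "static"
        self.zone = ZONE
        self.queries = 0

    def query(self, name):
        self.queries += 1
        if name == ALIAS:
            # CNiping: alias plus an A record for the canonical name, which is
            # inside our own zone, so the resolver accepts it as authoritative
            return [RR(ALIAS, "CNAME", TARGET, 3600),
                    RR(TARGET, "A", INTERNAL_IP, 3600)]
        if self.mode == "temporal":
            # TTL 0: first answer is our server, every later one is the printer
            ip = EXTERNAL_IP if self.queries == 1 else INTERNAL_IP
            return [RR(TARGET, "A", ip, 0)]
        if self.mode == "spatial":
            # Both addresses in one long-lived answer; the client picks one
            return [RR(TARGET, "A", EXTERNAL_IP, 3600),
                    RR(TARGET, "A", INTERNAL_IP, 3600)]
        return [RR(TARGET, "A", EXTERNAL_IP, 3600)]   # honest-looking answer


class ResolverCache:
    """Caching resolver; the two settings model the behaviours the slides
    call out (enforced minimum TTL, CNAME-carried overwrite of the cache)."""

    def __init__(self, min_ttl=0, cname_overwrites_cache=True):
        self.min_ttl = min_ttl
        self.cname_overwrites_cache = cname_overwrites_cache
        self.cache = {}   # (name, rtype) -> (list of RR, expiry time)
        self.now = 0      # simulated clock, seconds

    def _fresh(self, key):
        entry = self.cache.get(key)
        return entry[0] if entry and entry[1] > self.now else None

    def _store(self, rrs, force=False):
        key = (rrs[0].name, rrs[0].rtype)
        if not force and self._fresh(key):
            return                              # keep the unexpired entry
        ttl = max(rrs[0].ttl, self.min_ttl)     # "some networks won't respect your low TTL"
        self.cache[key] = (rrs, self.now + ttl)

    def resolve(self, name, server):
        cached = self._fresh((name, "A"))
        if cached:
            return [rr.data for rr in cached]
        answer = server.query(name)
        cname = [rr for rr in answer if rr.rtype == "CNAME" and rr.name == name]
        if cname:
            canonical = cname[0].data
            self._store(cname)
            a_rrs = [rr for rr in answer if rr.rtype == "A" and rr.name == canonical]
            if a_rrs and canonical.endswith(server.zone):   # in bailiwick
                self._store(a_rrs, force=self.cname_overwrites_cache)
            return self.resolve(canonical, server)
        a_rrs = [rr for rr in answer if rr.rtype == "A" and rr.name == name]
        self._store(a_rrs)
        return [rr.data for rr in a_rrs]


def temporal_scenario(min_ttl=0):
    """Lookups one second apart, then again after any enforced minimum TTL."""
    server, cache = AttackerNameServer("temporal"), ResolverCache(min_ttl=min_ttl)
    first = cache.resolve(TARGET, server)
    cache.now += 1
    second = cache.resolve(TARGET, server)
    cache.now += min_ttl
    third = cache.resolve(TARGET, server)
    return first, second, third


def spatial_scenario():
    """One answer carries both addresses and stays cached for an hour."""
    return ResolverCache().resolve(TARGET, AttackerNameServer("spatial"))


def cniping_scenario(cname_overwrites_cache=True):
    """Cache a long-lived external record, then push a CNAME whose carried A
    record replaces it before its TTL expires (on resolvers that allow it)."""
    server = AttackerNameServer("static")
    cache = ResolverCache(cname_overwrites_cache=cname_overwrites_cache)
    before = cache.resolve(TARGET, server)       # [EXTERNAL_IP], TTL 3600
    cache.now += 1
    via_alias = cache.resolve(ALIAS, server)
    cache.now += 1
    after = cache.resolve(TARGET, server)        # still far from expiry
    return before, via_alias, after


if __name__ == "__main__":
    print("temporal, TTL honoured:", temporal_scenario(0))
    print("temporal, min TTL 300 :", temporal_scenario(300))
    print("spatial               :", spatial_scenario())
    print("cniping, overwrite    :", cniping_scenario(True))
    print("cniping, no overwrite :", cniping_scenario(False))
```

With min_ttl=300 the temporal rebind only lands once the enforced minimum has elapsed, which is the "you could wait, but that takes time" caveat; the CNiping run with cname_overwrites_cache=False shows the resolvers the slide describes as not affected, where the earlier record survives until its own TTL runs out.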
