copyright IOActive, Inc. 2006, all rights reserved.

h0h0h0h0

Dan KaminskyDirector of Penetration Testing

IOActive, Inc.

H0h0h0h0?

• Well, y’all wanted me stop titling things Black Ops – Hikari, you got any idea what I’m here talking about?

• What are we not here to talk about– DNS Rebinding

• Can rebind to home router• Have video• Go change passwords.• Got questions? Find me later.

• So what are we here to talk about?– What happens when Jason Larsen and I finally get some

time to break some stuff together ;)

Typos.• Typos?

– Typos in DNS.• Relax. It’s worth it.

– Basic profit model• Humans don’t type so good

– Fcebook.com– Microsoft.co– Torcon.org

• Sometimes miss keys• When they miss keys, they tell their browser to go

somewhere that doesn’t exist– Could just get a “No Such Server Error”, or…– Could get ads!

Typosquatting

• Static Registration– Guess what might get clicked, buy that name– Must pay per guess, might be wrong

• Dynamic Registration– Sitefinder by Verisign

• Unveiled in 2003• Unregistered names suddenly start returning

an ad server, instead of NXDOMAIN• Reveiled in 2003, never to return

The New Era Of Typosquatting• Son Of Sitefinder: ISP Injection

– DNS is hierarchal• Client asks the local name server.• Local name server asks the root, is sent to .com• Local name server asks .com, is given NXDOMAIN

– Sitefinder used to inject here…• Normal: Local name server returns NXDOMAIN to client

– $ nslookup nxdomain--.com 4.2.2.1*** vnsc-pri.sys.gtei.net can't find nxdomain--.com: Non-existent domain

• Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached

– $ nslookup nxdomain--.com 207.217.126.81…Name: nxdomain--.comAddresses: 209.86.66.92, 209.86.66.93, 209.86.66.94, 209.86.66.95 209.86.66.90, 209.86.66.91

The Problem: They’re Spoofing Subdomains Too.

• DNS is hierarchal– Client asks the local name server.– Local name server asks the root, is sent to .com– Local name server asks .com, is given foo.com– Local name server asks foo.com, is given NXDOMAIN– Normal: Local name server returns NXDOMAIN to client

• nslookup nonexistent.www.bar.com 4.2.2.1*** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com: Non-existent domain

– Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached

– $ nslookup nonexistent.www.bar.com 207.217.126.81Name: nonexistent.www.bar.comAddresses: 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91 209.86.66.92, 209.86.66.93

• NXDOMAIN was supposed to mean “No Such Domain”– There is such a domain. There’s just not this subdomain in it.

Intent

• We don’t think this behavior is intentional

– Just so happens that subdomain NXDOMAINs look exactly like domain NXDOMAINs

• Only difference is the source

• Identical effects in the browser

• Well, it’s not unintentional for everyone…

This Should Seem Familiar

Parent Of Son Of Sitefinder Returns!

• April 8th, becomes clear that Network Solutions injects subdomains into their customers’ domains

– Small print in a 53 page contract

– Stay classy, NetSol

• But heh, at least there’s a contract

Times Square Effect: Told Ya

• Times Square Effect

– When you see Times Square in a movie, that’s not Times Square. All ads have been replaced, because there’s no contractual obligation not to replace them

– No contractual obligation between ISP and Web Sites not to replace traffic

But What About Trademark Law?

• # dig in.ur.www.facebook.com• ;; QUESTION SECTION:• ;in.ur.www.facebook.com. IN A• ;; ANSWER SECTION:• in.ur.www.facebook.com™. 300 IN A 209.86.66.90 [adserver]• in.ur.www.facebook.com™. 300 IN A 209.86.66.91 [adserver]• in.ur.www.facebook.com™. 300 IN A 209.86.66.92 [adserver]• in.ur.www.facebook.com™. 300 IN A 209.86.66.93 [adserver]• in.ur.www.facebook.com™. 300 IN A 209.86.66.94 [adserver]• in.ur.www.facebook.com™. 300 IN A 209.86.66.95 [adserver]•

Doesn’t that qualify as Trademark Violation, with Use In Commerce?– I don’t know. I’m not a lawyer. The hordes seem to think so, however.– I am, however, a hacker…

Beautiful Synchrony• Trademark Policy: Trust the good, as it possesses the

protected mark.• Same Origin Policy: Trust the subdomain, as it possesses

the protected domain– Local Name Server asks bar.com, is sent to

www.bar.com.– Local Name Server asks www.bar.com, is told

foo.www.bar.com is at 1.2.3.4– Foo.www.bar.com was thus “vouched for” by

www.bar.com• Trademark controls human trust, Same Origin controls

browser trust. The two policies are actually synchronized.– Both are under attack.

Injection

• Anything goes wrong on a subdomain, it is an element of the parent– Can access cookies– Can do…other things

• Normally, a subdomain is trusted by its parent…– But in this case, the subdomain is some

random server run by a bunch of advertisers

– …and if this random server, happened to possess a cross site scripting vulnerability…

If?

• # curl http://in.ur.www.facebook.com/foo<script>alert('xss')</script>

DNS Error: http://in.ur.www.facebook.com/foo<script>alert('xss')</script>– YES IT ACTUALLY PREFACES THE

XSS WITH DNS ERROR I AM NOTJOKING

Welcome to Barefruit. • Popular DNS Ad Injection Company• Notable customers

– Earthlink/Mindspring -- everywhere– Comcast

• Outsourced to Earthlink, probably didn’t even know• No idea how outsourced

– Others• Cox

– At least partial deployment, probably small. Finder.cox.com resolves to their servers.

• Qwest– Trial deployment only

• Verizon– Has multiple ad networks.– Barefruit appears to be used in ~20 regions

• Time Warner also does DNS injection, but not through Barefruit

They’re Not Alone

• For each name server, ask for a nonexistent domain.

– For each nameserver that provides an answer, ask for an existing domain.

– If the answer is correct, it’s an NXDOMAIN injector

• Appears to be ~72 ISPs doing some sort of injection. Lots of big names. This is spreading.

Now, this is only a subdomain…what can you really do with a subdomain?

• Obligatory attack: Grab Cookies

– Credentials to many sites

– PII for some

– Can also get any “supercookies”

• Flash Storage

• DOM Storage

• etc

Cookie Grab (Pre)

Cookie Grab (Post)

Can Also Fake Subdomains

• There is no legitimate subdomain– But a page comes back with arbitrary script…– So you can populate anything, on any domain,

anywhere.• Perfect for phishing• You get a link to your bank, you see in the address

bar, server2.www.yourbank.com, you type credentials• You see a banner ad to join a beta program at

Microsoft, you click through, download what you think is the latest build…

– Actually malware

Fake Site (pre)

Fake Site (Post)

Fake Site (Post2)

But That’s Just Not Enough• Cookie Excuses

– But cookies are often tied to Source IP!– But cookies can use HTTP Only so they aren’t readable from script!– But cookies might be just secure cookies!

• Fake Site Excuses– But you’re not actually logged in– You don’t know the content of the site to spoof

• Can we do anything better?– We’re a malicious subdomain– Can’t we just script into our parent?

• Pop-under windows: They’re not just for annoying ads anymore• Document.domain is our friend… • DOM element that specifically allows children to inject into

parent

Choosing The Demo

• Needed to be generic to all sites

• Needed to express the distance between what you expected to happen, and what actually did

• Needed to be…recognizable…without being terrifying.

H0h0h0h0…and it ain’t just Facebook

MySpace

.Mac

Apple

Microsoft

Ebay

ToorCon

FOX NEWS

The Associated Press

In Case You’re Curious

• THE LAWYERS ARE NOT AMUSED

Coming Clean

• This was only a simulation.– BFF_DNS.PL

• BAREFRUIT FOREVA!• We got through to Barefruit before this talk

– Crystal Williams got me through to Earthlink– Earthlink got me through to Barefruit– Barefruit fixed the bug in ~27 minutes once they

understood the bug– All were awesome, thanks!

• All ISP’s were redirecting to Barefruit’s servers, so we’re OK…or are we?

So Now What• Barefruit is still injecting into trademarked subdomains.• The immediate crisis is over, but the security of the web (at these

ISPs) is basically limited by the security of these ad servers– Don’t attack Facebook, attack the ad server– Don’t attack MySpace, attack the ad server– Don’t attack PayPal, attack the ad server

• I am not a lawyer, I am a security engineer– I cannot secure the web if ISP’s will change the bytes I send– Need legal and PR support to stop PITMA’s

• Provider In The Middle Attacks– Brad Hill pointed out that MITM isn’t exactly theoretical

anymore… – Neither is Ad Injection

– Luckily, the counsel I’ve spoken to does not appear to be amused.

Conclusions

• Even small amounts of failed net neutrality can lead to catastrophic side effects on Internet security

– Intent is not required to really break everything

• Security needs the lawyers

– Even if everything was 100% SSL, if the ISP could require code on the box, they could still bypass the crypto, and alter the content

– We need the precedent: You can host nothing. You can host something. But you can’t host something else.