Dmk neut toor
Embed Size (px)
Transcript of Dmk neut toor
- 1. copyright IOActive, Inc. 2006, all rights reserved. h0h0h0h0 Dan Kaminsky Director of Penetration Testing IOActive, Inc.
2. H0h0h0h0? Well, yall wanted me stop titling things Black Ops Hikari, you got any idea what Im here talking about? What are we not here to talk about DNS Rebinding Can rebind to home router Have video Go change passwords. Got questions? Find me later. So what are we here to talk about? What happens when Jason Larsen and I finally get some time to break some stuff together ;) 3. Typos. Typos? Typos in DNS. Relax. Its worth it. Basic profit model Humans dont type so good Fcebook.com Microsoft.co Torcon.org Sometimes miss keys When they miss keys, they tell their browser to go somewhere that doesnt exist Could just get a No Such Server Error, or Could get ads! 4. Typosquatting Static Registration Guess what might get clicked, buy that name Must pay per guess, might be wrong Dynamic Registration Sitefinder by Verisign Unveiled in 2003 Unregistered names suddenly start returning an ad server, instead of NXDOMAIN Reveiled in 2003, never to return 5. The New Era Of Typosquatting Son Of Sitefinder: ISP Injection DNS is hierarchal Client asks the local name server. Local name server asks the root, is sent to .com Local name server asks .com, is given NXDOMAIN Sitefinder used to inject here Normal: Local name server returns NXDOMAIN to client $ nslookup nxdomain--.com 184.108.40.206 *** vnsc-pri.sys.gtei.net can't find nxdomain--.com: Non-existent domain Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached $ nslookup nxdomain--.com 220.127.116.11 Name: nxdomain--.com Addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 184.108.40.206, 220.127.116.11 6. The Problem: Theyre Spoofing Subdomains Too. DNS is hierarchal Client asks the local name server. Local name server asks the root, is sent to .com Local name server asks .com, is given foo.com Local name server asks foo.com, is given NXDOMAIN Normal: Local name server returns NXDOMAIN to client nslookup nonexistent.www.bar.com 18.104.22.168 *** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com: Non-existent domain Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached $ nslookup nonexistent.www.bar.com 22.214.171.124 Name: nonexistent.www.bar.com Addresses: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 18.104.22.168, 22.214.171.124 NXDOMAIN was supposed to mean No Such Domain There is such a domain. Theres just not this subdomain in it. 7. Intent We dont think this behavior is intentional Just so happens that subdomain NXDOMAINs look exactly like domain NXDOMAINs Only difference is the source Identical effects in the browser Well, its not unintentional for everyone 8. This Should Seem Familiar 9. Parent Of Son Of Sitefinder Returns! April 8th , becomes clear that Network Solutions injects subdomains into their customers domains Small print in a 53 page contract Stay classy, NetSol But heh, at least theres a contract 10. Times Square Effect: Told Ya Times Square Effect When you see Times Square in a movie, thats not Times Square. All ads have been replaced, because theres no contractual obligation not to replace them No contractual obligation between ISP and Web Sites not to replace traffic 11. But What About Trademark Law? # dig in.ur.www.facebook.com ;; QUESTION SECTION: ;in.ur.www.facebook.com. IN A ;; ANSWER SECTION: in.ur.www.facebook.com. 300 IN A 126.96.36.199 [adserver] in.ur.www.facebook.com. 300 IN A 188.8.131.52 [adserver] in.ur.www.facebook.com. 300 IN A 184.108.40.206 [adserver] in.ur.www.facebook.com. 300 IN A 220.127.116.11 [adserver] in.ur.www.facebook.com. 300 IN A 18.104.22.168 [adserver] in.ur.www.facebook.com. 300 IN A 22.214.171.124 [adserver] Doesnt that qualify as Trademark Violation, with Use In Commerce? I dont know. Im not a lawyer. The hordes seem to think so, however. I am, however, a hacker 12. Beautiful Synchrony Trademark Policy: Trust the good, as it possesses the protected mark. Same Origin Policy: Trust the subdomain, as it possesses the protected domain Local Name Server asks bar.com, is sent to www.bar.com. Local Name Server asks www.bar.com, is told foo.www.bar.com is at 126.96.36.199 Foo.www.bar.com was thus vouched for by www.bar.com Trademark controls human trust, Same Origin controls browser trust. The two policies are actually synchronized. Both are under attack. 13. Injection Anything goes wrong on a subdomain, it is an element of the parent Can access cookies Can doother things Normally, a subdomain is trusted by its parent But in this case, the subdomain is some random server run by a bunch of advertisers and if this random server, happened to possess a cross site scripting vulnerability 14. If? # curl http://in.ur.www.facebook.com/foo