Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS 2007...
Transcript of Protecting Browsers from DNS Rebinding Attacks Collin Jackson, Adam Barth, Andrew Bortz ACM CCS 2007...
Protecting Browsers from DNS Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz
ACM CCS 2007
2008. 11. 13. Systems Modeling & Simulation Lab.
Kim Jeong Hoon
2 of 15
Outline
1. Introduction
2. Network access in the browsers
3. DNS rebinding vulnerabilities
4. Attacks using DNS rebinding
5. Defense against rebinding
6. Conclusion
3 of 15
Introduction (1)
DNS rebinding attack
- Exploits the DNS rebinding vulnerability
- Subverts the same-origin policy of browsers
- Exploits the interaction between browsers and their plug-ins
- Circumvents firewalls
- Sends spam e-mail
- Defrauds pay-per-click advertisers
Two servers belong to the same origin if they share a host name
4 of 15
Network Access in the Browsers
Same-origin policy
- Provides partial resource isolation by restricting access according to origin
Access within the same origin
- Both content and browser scripts can read and write using the HTTP protocol
- Plug-ins can access network sockets directly
Access between different origins
- Content from one origin can make HTTP requests to servers in another origin
Prohibited access
- Some types of network access are prohibited even within the same origin
5 of 15
DNS Rebinding Vulnerabilities (1)
Standard rebinding vulnerabilities
- A single browser connects to multiple IP addresses under the same host name
- Multiple A records
  - Indicate the IP addresses of the host
  - Confuse the security policy of the JVM
- Time-varying DNS
  - The origin attack on Java was extended
Pinning in current browsers
- Browsers defend against the standard rebinding attack by "pinning" host names to IP addresses
Flash 9
- The Flash plug-in permits socket connections to the target
6 of 15
DNS Rebinding Vulnerabilities (2)
Multi-pin vulnerability
- Multiple technologies maintain separate DNS pins
- Java: the JVM maintains DNS pins separately from the browser
  - LiveConnect: the browser pins to the attacker's IP, the JVM pins to the target's IP
  - Applets with proxies: when the client uses an HTTP proxy, the JVM requests the applet by host name; another DNS resolver (the proxy's) is involved and pins to the target's IP
  - Relative paths: if a server hosts an HTML page that embeds an applet using a relative path
- Flash: when the attacker's movie attempts to open a socket, Flash does a second DNS resolution and pins to the target's IP
7 of 15
Attacks using DNS rebinding (1)
Firewall circumvention
- Reach machines behind firewalls that the attacker cannot access directly
- Spidering the intranet
  - Intranet host names are often guessable and occasionally disclosed publicly
  - If the server responds with an HTML page, the attacker can follow links and search forms on that page
- Compromising unpatched machines
  - Network administrators often do not patch internal machines
  - Attacks against the client itself originate from localhost and so bypass software firewalls and other security checks
- Abusing internal open services
  - Network printers often accept print jobs from internal machines without additional authentication
  - The attacker can use direct socket access to command network printers to exhaust their toner and paper supplies
8 of 15
Attacks using DNS rebinding (2)
IP hijacking
- Access publicly available servers from the client's IP
- Committing click fraud
  - Advertisers can drain competitors' budgets by clicking on their advertisements
  - Fraudulent publishers can increase their advertising revenue by generating fake clicks
- Sending spam
  - By hijacking a client's IP, an attacker can send spam from IP addresses with clean reputations (SMTP servers)
- Defeating IP-based authentication
  - After hijacking an authorized IP address, the attacker can access the service, defeating the authentication mechanism
- Framing clients
  - An attacker who hijacks an IP can perform misdeeds and frame the client
9 of 15
Experiment
Methodology
- Tested DNS rebinding by running a Flash 9 advertisement
- Two machines: attacker, target
  - Attacker: DNS, Flash policy, Apache web server
  - Target: Apache web server
- Required only that the client view the ad
Results
- Received 50,951 impressions from 44,924 unique IP addresses
- Ran the rebinding experiment on 44,301 impressions (86.9%)
- Successful on 30,636 impressions (60.1%) and 27,480 unique IPs
10 of 15
Defense against rebinding (1)
Fixing firewall circumvention
- By filtering packets at the firewall or by modifying the DNS resolvers used by clients on the network
- Enterprise: a firewall administrator for an organization can force all internal machines to use a DNS server that is configured not to resolve external names to internal IP addresses (300-line C program, dnswall)
- Consumer: many consumer firewalls can be augmented with dnswall to block DNS responses that contain private IP addresses
- Software: software firewalls can prevent their own circumvention by blocking DNS resolutions to 127.*.*.*
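The resolver-side filter this slide describes, as an added example that is not the dnswall program or any code from the paper: it drops A/AAAA answers for external names that point into private, loopback or link-local ranges, while names under an administrator-designated internal zone are left alone. The zone name, the query names and the addresses are constructed.

```python
# Added example: a dnswall-style answer filter (not the original dnswall code).
# An external name must never resolve to an internal address on a client;
# only names inside INTERNAL_ZONES may legitimately answer with such addresses.
import ipaddress

# Zones that are allowed to resolve to internal addresses (constructed assumption).
INTERNAL_ZONES = ("corp.example",)

# Ranges a public name must never be allowed to resolve to.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),     # loopback: rebinding to the client itself
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]

def is_internal_name(qname: str, zones=INTERNAL_ZONES) -> bool:
    """True if qname lies inside one of the administrator's internal zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def is_blocked_address(addr: str) -> bool:
    """True if addr falls in a range that external names may not resolve to."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # malformed address data: refuse rather than forward
    return any(ip in net for net in BLOCKED_NETWORKS)

def filter_answers(qname: str, answers: list) -> list:
    """Return the answer records that may be forwarded to the client.
    answers is a list of (rtype, rdata) tuples such as ("A", "10.0.0.5")."""
    if is_internal_name(qname):
        return list(answers)
    kept = []
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_blocked_address(rdata):
            continue  # external name trying to answer with an internal address
        kept.append((rtype, rdata))
    return kept

if __name__ == "__main__":
    # Constructed: an attacker-controlled name whose second answer is an intranet host.
    print(filter_answers("attack.example", [("A", "203.0.113.7"), ("A", "192.168.1.20")]))
```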
11 of 15
Defense against rebinding (2)
Fixing plug-ins
- Flash: Flash could fix most of its rebinding vulnerabilities by considering a policy valid for a socket connection only if it obtained the policy from the same IP address and from the same host name
- Java: a safer approach is to use the CONNECT method, which provides a proxied socket connection to an external machine
- Java LiveConnect: if the browser implements pinning, LiveConnect and the browser will use a common pin database, removing multi-pin vulnerabilities
12 of 15
Defense against rebinding (3)
Fixing browser (default-deny sockets)
- Checking the Host header
  - User agents include a Host header in HTTP requests
  - Reject incoming HTTP requests with unexpected Host headers
- Finer-grained origins
  - Refine origins to include additional information (server's IP, public key)
  - When the attacker rebinds attack.com to the target, the browser will consider the rebound host name to be a new origin
- Smarter pinning
  - If a host name resolved to 171.64.78.10, the client would also accept any IP beginning with 171.64.78 for that host name
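The "Checking the Host header" defense on this slide is one an intranet service can apply on its own, without any browser change. The following is an added example, not code from the paper: it parses a raw HTTP request head, normalises the Host value (case, explicit default port) and refuses anything that does not name the service, including requests with no Host header or with two of them. The allowed names and the sample requests are constructed.

```python
# Added example: server-side Host header check (not from the paper).
# A rebound request still carries the attacker's host name in its Host
# header, so a service that only answers to its own names refuses it.

# Names and the address this service legitimately answers to (constructed).
ALLOWED_HOSTS = {"printer.corp.example", "10.1.2.3"}
DEFAULT_PORT = 80

def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (request_line, headers dict).
    Header names are lower-cased; a duplicated header yields headers=None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers, seen = {}, set()
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        if key in seen:
            return lines[0], None  # ambiguous (e.g. two Host headers): reject
        seen.add(key)
        headers[key] = value.strip()
    return lines[0], headers

def normalize_host(value: str):
    """Lower-case the Host value and drop an explicit default port (host:80).
    Bracketed IPv6 literals are not handled here and are rejected."""
    host = value.strip().lower()
    if not host or host.startswith("["):
        return None
    name, sep, port = host.rpartition(":")
    if sep and port == str(DEFAULT_PORT):
        return name
    return host

def host_header_allowed(raw: bytes, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the request carries exactly one Host header naming this service."""
    _, headers = parse_request_head(raw)
    if headers is None or "host" not in headers:
        return False
    host = normalize_host(headers["host"])
    return host is not None and host in allowed

if __name__ == "__main__":
    # Constructed requests: one from a legitimate page, one via a rebound name.
    legit = b"GET /jobs HTTP/1.1\r\nHost: printer.corp.example\r\n\r\n"
    rebound = b"GET /jobs HTTP/1.1\r\nHost: attack.example\r\n\r\n"
    print(host_header_allowed(legit), host_header_allowed(rebound))
```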
13 of 15
Defense against rebinding (4)
Fixing browser (default-deny sockets)
- Policy-based pinning
  - Browsers consult server-supplied policies to determine when it is safe to re-pin a host name from one IP to another, providing robustness without degrading security
- Pinning pitfalls
  - Common pin database
  - Cache: objects in the cache must be retrieved by both URL and originating IP
  - document.domain = document.domain;
  - Browser vendors appear reluctant to expose such an interface, and pinning in the OS would change the semantics of DNS for other applications
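A model of the browser-side pin table that covers both the "Smarter pinning" rule from the previous slide and the "Policy-based pinning" rule on this one, as an added example that is not code from the paper or from any browser. A host name is pinned on first resolution; a later resolution to a different address is accepted only if it lies in the same /24 as the pin, or if a policy the browser obtained from the currently pinned server lists the new address. The host names, addresses and the policy shape (a plain set of addresses) are constructed assumptions; IPv4 only.

```python
# Added example: a pin table with the two re-pinning rules from the slides
# (not browser code). Assumption: a server's policy is just the set of other
# addresses it declares it answers on, recorded per pinned IP.
import ipaddress

class PinTable:
    def __init__(self, allow_same_slash24=True):
        self.pins = {}       # host name -> pinned IPv4Address
        self.policies = {}   # pinned IP -> set of IPs that pin authorises re-pinning to
        self.allow_same_slash24 = allow_same_slash24  # "smarter pinning" on/off

    def register_policy(self, pinned_ip, allowed_ips):
        """Record a policy the browser fetched from the server at pinned_ip."""
        self.policies[ipaddress.ip_address(pinned_ip)] = {
            ipaddress.ip_address(a) for a in allowed_ips
        }

    def connect(self, host, resolved_ip):
        """Decide whether a connection for host to resolved_ip may proceed.
        Returns (allowed, reason) and updates the pin when re-pinning is allowed."""
        host = host.lower().rstrip(".")
        new_ip = ipaddress.ip_address(resolved_ip)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = new_ip          # first resolution: pin it
            return True, "pinned"
        if new_ip == pinned:
            return True, "same pin"
        # Smarter pinning: accept any address in the pinned address's /24.
        if (self.allow_same_slash24 and pinned.version == 4 and new_ip.version == 4
                and ipaddress.ip_network(f"{pinned}/24", strict=False)
                == ipaddress.ip_network(f"{new_ip}/24", strict=False)):
            self.pins[host] = new_ip
            return True, "re-pinned within /24"
        # Policy-based pinning: the currently pinned server must vouch for new_ip.
        if new_ip in self.policies.get(pinned, set()):
            self.pins[host] = new_ip
            return True, "re-pinned by policy"
        return False, "rebinding blocked"   # default deny: keep the old pin

if __name__ == "__main__":
    table = PinTable()
    print(table.connect("attack.example", "203.0.113.7"))    # (True, 'pinned')
    print(table.connect("attack.example", "192.168.1.20"))   # (False, 'rebinding blocked')
```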
14 of 15
Defense against rebinding (5)
Fixing browser (default-allow sockets)
- Host name authorization
- Trusted policy providers
  - Clients and DNS resolvers can also check policy by querying a trusted policy provider
  - Trusted policy providers can greatly reduce the false positive rate
  - For host names with multiple IP addresses, only authorized IP addresses should be included in the result, e.g. *.auth.ip.in-addr.arpa
15 of 15
Conclusion
- An attacker can exploit DNS rebinding vulnerabilities to circumvent firewalls and hijack IP addresses
- Two defense options are proposed: policy-based pinning and host name authorization
- Vendors and network administrators should deploy these defenses quickly, before attackers exploit DNS rebinding on a large scale