SlideShare a Scribd company logo

DNS Rebinding Attack

Felipe Japm
Felipe Japm

This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.

Related slideshows

NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
1 of 23
Download to read offline
Protecting Browsers from DNS Rebinding Attacks Collin Jackson , Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh Felipe Mattosinho
Outline Introduction How DNS Rebinding Works DNS Rebinding Vulnerabilities Attacks using DNS Rebinding Defenses Against Rebinding Related Work
Introduction Browsers and DNS Caching Why Browsers cache the DNS? Different browsers have different policies mechanism to cache. E.g : Firefox, Safari, Internet Explorer TTL hold the valid time of a dns entry Browsers „should“ cache until TTL expires
Introduction Browsers Same Origin Policy Browser attempts to stop client-side script from different origin The policy applies to network access and browser state such as the DOM interface, cookies, cache, history, and the password database Same origin means same protocol, domain name and port number Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
Introduction Browsers Same Origin Policy Access Within same origin: Plug-ins such as Flash Player and Java can access network sockets directly. Access between different origins: Flash Player permits its movies to read back HTTP responses with a XML policy. Prohibited Access: Internet Explorer 7: Firefox 2: Safari 2: FTP 21 , SMTP 25, FTP 21 , SMTP 25, Ports are not POP3 110, NNTP 119 POP3 110, NNTP 119 blocked IMAP 143 IMAP 143 + 51 additional ports
How DNS Rebinding Works Bob www.SE-ROCKS.com Win a car www.badguy.com ISP Malicious Javascript www.badguy.com : IP: 1.2.3.4 TTL 2s Alice
How DNS Rebinding Works Bob IP: 10.1.1.2 Javascript // Reconnect to www.badguy.com after 2s www.badguy.com : IP 10.1.1.3 Alice IP: 10.1.1.3
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Multiple A Records Multiple IP Address resolves to the same host. In 1996, the first attack aimed to confuse the security policy of the JVM. A Java applet, connects target and attacker web server. Time-Varying DNS In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound to a very short TTL. After rebinding www.badguy.com to the target IP Address, the XMLHttpRequest object connects to www.badguy.com that resolves to the target’s server.
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Pinning in Current Browsers Browser pins host name to IP Address. Internet Explorer 7, binds a host to an IP for 30 minutes by default. With Multiple A records, the browser can try different IP addresses within 1 sec. Internet Explorer 6 also pins for 30 minutes. The pin can be easily released with the following html command <img src:http://badguy.com:81/> FireFox 1.5 and 2 caches DNS entries between 60 to 120 seconds Opera 9 has the same behavior as Internet Explorer 6, however holds a pin for 12 minutes. Safari 2 pins DNS bindings for 1 second.
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Flash Player 9 Flash player is installed on 55.8% of web browsers( as of December 2006), according to Adobe. The experiments however showed 86.9%. Flash opens a port less then 1024 with www.badguy.com. Then flash automatically sends <policy-file-request />. The attacker will respond with the following XML: [JBB+07]
Attacks using DNS Rebinding Attacks Firewall Circumvention Spidering the Intranet Compromising unpatched machines Abusing internal open services IP Hijacking Committing Click Fraud Sending Spam Defeating IP-based Authentication Framing clients
Attacks using DNS Rebinding Experiment: Recruiting Browsers DNS Rebinding was tested running a Flash Player 9 advertisement Two machines ran during three successive nights. The attacker ran: 1. A custom authoritative DNS server 2. A custom Flash player policy server 3. An Apache Web server hosting the advertisement The target ran an Apache Server to log successful attacks
Attacks using DNS Rebinding Experiment: Recruiting Browsers The attack needed no user click The attack results: [JBB+07] [JBB+07]
Attacks using DNS Rebinding Experiment: Recruiting Browsers Relevant numbers about the attack: 1. 50,951 impressions from 44,924 unique IP address were acquired (40.2% IE7,32.3% IE6, 23.5% Firefox, 4% Other). 2. The rebinding experiment ran on the 44,301(86.9%) impressions that reported Flash Player 9. 3. The experiment was successful on 30,636(60.1%) impressions and 27,840 unique IP addresses. 4. The attack was less successfull on Mac Os.
Defenses Against Rebinding Fixing Firewall Circumvention Enterprise Blocking outbound traffic on port 53, a DNS server can be configured to not bound external names to internal IP Addresses. Use of dnswall to enforce policy. Consumer Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall. Software E.g. : Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
Defenses Against Rebinding Fixing Plug-ins Flash Player A policy based only if obtained for the same IP address and same host name. Requesting policy before opening sockets to any port. Java The connect method is used to obtain a proxied socket connection to an external machine Java LiveConnect Removing multi-pin vulnerabilities by using the same cache as the browser.
Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Checking Host Header Accepting only expected Host headers. Finer-grained Origins Refine origin by adding information such as the server IP address or a public key. IP Addresses: It is robust however some applications may fail such as Gmail. Public Keys: Can lead to a problem that two HTTPS pages served from the same domain to read each other’s state.
Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Smarter Pinning Robustness X Security Extending the width of pins. E.g. An IP 171.64.78.10 to 171.64.78. The developers of the NoScript for Firefox are planning this pinning heuristic
Defenses Against Rebinding Fixing Browsers(Default-Deny Sockets) Policy-based Pinning Browsers consult server-supplied policies to determine when it is safe to re-pin. Pinning Pitfalls Common Pin Database: Sharing the same database Cache:Browser’s cache and all plug-in caches must be modified to prevent rebinding attacks. Document.domain
Defenses Against Rebinding Fixing Browsers(Default-Allow Sockets) Host Name Authorization „Honest Machines“ do not advertise host name controlled by attackers. [JBB+07] Policy mechanism steps: 1. Resolve the host name auth.ip.in-addr.arpa 2. Does the host name exists? 3. If IP is policy-enabled resolve the host name www.example.com.auth.ip.in- addr.arpa 4. Determine if the host name is authorized
Related Work Using Browsers as Bots Can be used for distributed denial of service attack Sender Policy Framework Stores policy information in DNS
References [1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer [2] Dan Kaminisky.Black ops 2007, designing reviewing the web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt [3] Wikipedia http://en.wikipedia.org/wiki/Domain_Name_System [4] Google Safe Browsing for Firefox, 2005 http://www.google.com/tools/firefox/safebrowsing [5] J. Ruderman. JavaScript Security:Same origin. http://www.mozilla.org/projects/security/components/same- origin.html Supervisor: Gert Pfeifer [6]D. Ross Notes on DNS pinning http://blogs.msdn.com/dross/archive/2007/07/09/notes-on- dns.pinning.aspx, 2007
THANK YOU! QUESTIONS?!

More Related Content

DNS Rebinding Attack

  • 1. Protecting Browsers from DNS Rebinding Attacks Collin Jackson , Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh Felipe Mattosinho
  • 2. Outline Introduction How DNS Rebinding Works DNS Rebinding Vulnerabilities Attacks using DNS Rebinding Defenses Against Rebinding Related Work
  • 3. Introduction Browsers and DNS Caching Why Browsers cache the DNS? Different browsers have different policies mechanism to cache. E.g : Firefox, Safari, Internet Explorer TTL hold the valid time of a dns entry Browsers „should“ cache until TTL expires
  • 4. Introduction Browsers Same Origin Policy Browser attempts to stop client-side script from different origin The policy applies to network access and browser state such as the DOM interface, cookies, cache, history, and the password database Same origin means same protocol, domain name and port number Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
  • 5. Introduction Browsers Same Origin Policy Access Within same origin: Plug-ins such as Flash Player and Java can access network sockets directly. Access between different origins: Flash Player permits its movies to read back HTTP responses with a XML policy. Prohibited Access: Internet Explorer 7: Firefox 2: Safari 2: FTP 21 , SMTP 25, FTP 21 , SMTP 25, Ports are not POP3 110, NNTP 119 POP3 110, NNTP 119 blocked IMAP 143 IMAP 143 + 51 additional ports
  • 6. How DNS Rebinding Works Bob www.SE-ROCKS.com Win a car www.badguy.com ISP Malicious Javascript www.badguy.com : IP: 1.2.3.4 TTL 2s Alice
  • 7. How DNS Rebinding Works Bob IP: 10.1.1.2 Javascript // Reconnect to www.badguy.com after 2s www.badguy.com : IP 10.1.1.3 Alice IP: 10.1.1.3
  • 8. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Multiple A Records Multiple IP Address resolves to the same host. In 1996, the first attack aimed to confuse the security policy of the JVM. A Java applet, connects target and attacker web server. Time-Varying DNS In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound to a very short TTL. After rebinding www.badguy.com to the target IP Address, the XMLHttpRequest object connects to www.badguy.com that resolves to the target’s server.
  • 9. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Pinning in Current Browsers Browser pins host name to IP Address. Internet Explorer 7, binds a host to an IP for 30 minutes by default. With Multiple A records, the browser can try different IP addresses within 1 sec. Internet Explorer 6 also pins for 30 minutes. The pin can be easily released with the following html command <img src:http://badguy.com:81/> FireFox 1.5 and 2 caches DNS entries between 60 to 120 seconds Opera 9 has the same behavior as Internet Explorer 6, however holds a pin for 12 minutes. Safari 2 pins DNS bindings for 1 second.
  • 10. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Flash Player 9 Flash player is installed on 55.8% of web browsers( as of December 2006), according to Adobe. The experiments however showed 86.9%. Flash opens a port less then 1024 with www.badguy.com. Then flash automatically sends <policy-file-request />. The attacker will respond with the following XML: [JBB+07]
  • 11. Attacks using DNS Rebinding Attacks Firewall Circumvention Spidering the Intranet Compromising unpatched machines Abusing internal open services IP Hijacking Committing Click Fraud Sending Spam Defeating IP-based Authentication Framing clients
  • 12. Attacks using DNS Rebinding Experiment: Recruiting Browsers DNS Rebinding was tested running a Flash Player 9 advertisement Two machines ran during three successive nights. The attacker ran: 1. A custom authoritative DNS server 2. A custom Flash player policy server 3. An Apache Web server hosting the advertisement The target ran an Apache Server to log successful attacks
  • 13. Attacks using DNS Rebinding Experiment: Recruiting Browsers The attack needed no user click The attack results: [JBB+07] [JBB+07]
  • 14. Attacks using DNS Rebinding Experiment: Recruiting Browsers Relevant numbers about the attack: 1. 50,951 impressions from 44,924 unique IP address were acquired (40.2% IE7,32.3% IE6, 23.5% Firefox, 4% Other). 2. The rebinding experiment ran on the 44,301(86.9%) impressions that reported Flash Player 9. 3. The experiment was successful on 30,636(60.1%) impressions and 27,840 unique IP addresses. 4. The attack was less successfull on Mac Os.
  • 15. Defenses Against Rebinding Fixing Firewall Circumvention Enterprise Blocking outbound traffic on port 53, a DNS server can be configured to not bound external names to internal IP Addresses. Use of dnswall to enforce policy. Consumer Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall. Software E.g. : Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
  • 16. Defenses Against Rebinding Fixing Plug-ins Flash Player A policy based only if obtained for the same IP address and same host name. Requesting policy before opening sockets to any port. Java The connect method is used to obtain a proxied socket connection to an external machine Java LiveConnect Removing multi-pin vulnerabilities by using the same cache as the browser.
  • 17. Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Checking Host Header Accepting only expected Host headers. Finer-grained Origins Refine origin by adding information such as the server IP address or a public key. IP Addresses: It is robust however some applications may fail such as Gmail. Public Keys: Can lead to a problem that two HTTPS pages served from the same domain to read each other’s state.
  • 18. Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Smarter Pinning Robustness X Security Extending the width of pins. E.g. An IP 171.64.78.10 to 171.64.78. The developers of the NoScript for Firefox are planning this pinning heuristic
  • 19. Defenses Against Rebinding Fixing Browsers(Default-Deny Sockets) Policy-based Pinning Browsers consult server-supplied policies to determine when it is safe to re-pin. Pinning Pitfalls Common Pin Database: Sharing the same database Cache:Browser’s cache and all plug-in caches must be modified to prevent rebinding attacks. Document.domain
  • 20. Defenses Against Rebinding Fixing Browsers(Default-Allow Sockets) Host Name Authorization „Honest Machines“ do not advertise host name controlled by attackers. [JBB+07] Policy mechanism steps: 1. Resolve the host name auth.ip.in-addr.arpa 2. Does the host name exists? 3. If IP is policy-enabled resolve the host name www.example.com.auth.ip.in- addr.arpa 4. Determine if the host name is authorized
  • 21. Related Work Using Browsers as Bots Can be used for distributed denial of service attack Sender Policy Framework Stores policy information in DNS
  • 22. References [1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer [2] Dan Kaminisky.Black ops 2007, designing reviewing the web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt [3] Wikipedia http://en.wikipedia.org/wiki/Domain_Name_System [4] Google Safe Browsing for Firefox, 2005 http://www.google.com/tools/firefox/safebrowsing [5] J. Ruderman. JavaScript Security:Same origin. http://www.mozilla.org/projects/security/components/same- origin.html Supervisor: Gert Pfeifer [6]D. Ross Notes on DNS pinning http://blogs.msdn.com/dross/archive/2007/07/09/notes-on- dns.pinning.aspx, 2007