DNS Rebinding Attacks, Multi-Pin Variant
Morty writes "DNS rebinding attacks can be used by hostile websites to get browsers to attack behind firewalls, or to attack third parties. Browsers use "pinning" to prevent this, but a paper describes so-called multi-pin vulnerabilities that bypass the existing protections. Note that, from a DNS perspective, this is a "feature" rather than an implementation bug, although it's possible that DNS servers could be modified to prevent external sources from being able to point at internal resources."
Is this a new FOX special?
I got nothin'
... especially where you can frame someone.
I've got to go, ummm, code up a few things.
It says that it would take 1 second for this to work on Firefox and 4 seconds on Opera [w/out plugins], although they found a way to fix Firefox 2 with a 72-line patch.
Once again, NoScript blocks access to yet another crazy vulnerability.
It may be a pain to use at times, but it sure blocks out a lot of crap. I had to temporarily disable it to get their vulnerability checker to work.
But it's true, most people loooove that javascript. I can't stand it, myself, and only enable it when I absolutely have to.
No java, no javascript, no flash.
Everyone has to start using noscript.
Does anyone know of a way to pause/restart someone else's running Javascript (in Firefox or Safari?) without reloading the page. I mostly browse with JS off, but occasionally turn it on for one site or another. But I'd like to be able to stop/pause JS after it starts (e.g., to pause a CPU-sucking JS animation loop or halt JS on a site where I unintentionally had JS on).
Any ideas? Thanks.
Two wrongs don't make a right, but three lefts do.
Haven't we learned the lesson yet? I learned a decade ago, and sites still unnecessarily rely on script for basic functionality.
There's nothing wrong with script; there is something very wrong when users cannot use a site without it. Something like NoScript should be built into all browsers by default and bullshit like ASP's __doPostBack purged from the web.
If you haven't read the article, I'll summarize it for you: it's another critical vulnerability in Java/JavaScript. The sandboxed script in the web browser alternately makes GET and POST requests to the "same" server, with each POST containing the contents of the prior GET... Only the IP address associated with the server's hostname keeps alternating between a server inside your firewall and the attacker's real server outside it. Oops.
At times like these, I tell a story about 1988 when I wrote a BBS terminal emulator for the Commodore 64 which cleverly allowed the BBS to send and run new code on the caller's machine. Another gentleman who didn't much like me noticed the feature and arranged for a number of BBS systems to execute the code at location 64738: system reset.
There is no safe way to run complex sandboxed code on a user's PC and no safe way to allow sandboxed code access to the network. Either you trust the source of the program and let it do what it needs to do, or you don't trust it and don't allow it to run on your PC at all. How many of these vulnerabilities are we going to run through before we finally figure that out?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
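The GET/POST bounce summarized above has a server-side counter that the paper's browser fixes do not replace: the rebound request still carries the attacker's hostname in its Host header, because the script believes it is talking to www.attacker.com. An internal web server that only answers to its own names rejects that request before any content leaves. The following is an added example, not code from the paper or from any poster here; the identities intranet.example and 10.0.0.5 are assumed values.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Identities this internal server will answer to (assumed values for the
# example). A rebound request carries the name the attacker's script
# resolved, e.g. Host: www.attacker.com, which is not in this set.
ALLOWED_HOSTS = {"intranet.example", "10.0.0.5"}

# host[:port], with an optional bracketed IPv6 literal
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-f:.]+\]|[^:\s/]+)(?::(?P<port>\d{1,5}))?$", re.I)


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names one of our own identities.

    Strips an optional :port, lower-cases, and rejects empty or malformed
    values. A missing Host header is rejected as well: HTTP/1.1 requires
    it, and a browser-originated request cannot omit it.
    """
    if not host_header:
        return False
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    host = m.group("host").lower().strip("[]")
    return host in {h.lower() for h in allowed}


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Refuses any request whose Host header is not one of ours."""

    def _host_ok(self):
        if host_is_allowed(self.headers.get("Host")):
            return True
        # 421 Misdirected Request: this request was not meant for us.
        body = b"Host header does not name this server\n"
        self.send_response(421)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        return False

    def do_GET(self):
        if not self._host_ok():
            return
        body = b"internal page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # The rebinding script POSTs the harvested GET body back out; a rebound
    # POST gets the same 421 because the check runs before any handling.
    def do_POST(self):
        if not self._host_ok():
            return
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # consume the body
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The check protects the application, not the pipe: a rebinding-driven flood still arrives and is still answered (with a 421), so it does not address the DDoS use of the technique, only the read-behind-the-firewall use.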
Is this a real threat? If so, how severe is it and how much effort must be expended to fix it?
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
What is "pinning" you may ask? From the linked pdf article, it's the caching of DNS lookups:
But apparently this can be subverted with browser plug-ins, which have a separate "pin database".
Did you read the abstract?
It's well written, and has lots of examples of exactly how this vulnerability can be exploited. In short, I could probably sit down and in a single afternoon write a set of scripts for a webserver and DNS server, post it on a $30/month "virtual host" server, and take out an ad for $100, and end up with a powerful DDoS attack on my host of choice.
All done in less than 24 hours.
Screw the "cyber-terrorists" in Russia, this is REALLY BIG, and is one of many REALLY BIG problems that can be exploited! And the fact that we're here, reading and posting here, is demonstration of the fact that the many vulnerabilities of the Internet are NOT being exploited to anything like their real potential...
So think about it: while we here at Slashdork might know as many as a dozen exploitable vulnerabilities like this one that would be nearly impossible to close, how many of us have actually DONE any of these?
And that, folks, is why security will NEVER be 100% technical, and there will always be a social mechanism involved - there really is an amazing amount of security in simply knowing that if you do, really bad stuff could really happen to you.
Not will happen, not even likely to happen. Just could happen is enough.
Besides, there's a funny paradox at work here: those who have the skills to pull off an attack like this also have the skills to earn an income that's legitimate, without all the risks. I'm tempted from time to time to make use of my skills in a bad way when I think about how easy it is for me to wreak havoc - but the risks of doing so have always stopped me far short. I enjoy my day job, since its nature is fundamentally altruistic. So I'm harmless.
As a case in point, I was chatting with my flight instructor and a staff member at the local FBO (an airport for small planes) and the staff member mentioned something about an annoying ex-boyfriend who kept calling her.
Without thinking, I mentioned the possibility of writing a quick script to send him 100,000 text messages that would say "Leave me the freak alone!". I imagined a two-line script that would take all of about 10 seconds to write, and I could use the hotspot at the FBO to do it.
100,000 isn't even a particularly big number for me - I routinely deal with datasets in the millions of records - so it didn't really occur to me right away what a blow that would be. But 100,000 times 5 cents adds up to $5,000 worth of text messages! And I'm sure that his cell company would limit the number of messages to be sent, but it's pretty certain that quite a few WOULD get through.
It was surprising to me what a staggering blow this would be. I was actually a bit embarrassed at having mentioned it.
Don't underestimate the power of social mechanisms to ensure our security!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I did RTFA, and it seems to me they made an oversight in the fact that most ISP/corp sites use a caching DNS server. A repeated lookup to the same domain will return the cached result. Their POC depends on the client doing another lookup and getting a different result. This attack would depend on the client being able to reach the attacker's DNS.
Now they do say that the attacker DNS returns more than one A record for each request. But they are ignoring the fact that the serial number of the zone would have to change for a refresh to not get cached. And even if they did create a new zone record for each visit with the target's IP (seems unlikely), all the servers back to the client would need to respect it. Again, my ISP, Qwest, has a bad habit of ignoring the TTL in my zone files.
Example 1:
target lookup (T0) -> www.attacker.com
www.attacker.com -> 192.168.0.1
target lookup (T1) -> www.attacker.com
ISP/site cached reply -> 192.168.0.1 (attack failed)
Example 2:
target lookup (T0) -> www.attacker.com
www.attacker.com -> 192.168.0.1
target lookup (T1) -> www2.attacker.com
attacker's ISP cached reply -> 192.168.0.1 (attack failed again)
The only case I can see this working is if the zone records contain an IP for some third-party source that they want to try and abuse. So say www2.attacker.com points to 10.0.0.1 and that number is static in their zone record. Which appears to be a much less efficient zombie scan with IP spoofing.
And finally, this is all dependent on the attacker tricking the client into loading Flash/Java/Javascript from their box. Another win for noscript.
"There is no safe way to run complex sandboxed code on a user's PC and no safe way to allow sandboxed code access to the network."
Where can I find lists of DNS servers I can use instead of my cablemodem's default from my ISP? Servers that will let me point at them, that are fast and reliable.
--
make install -not war
The report mentions altering a corporate firewall's DNS server to refuse to return external results that contain internal IP addresses, but fails to mention how to do this.
Does anyone have a link to a tutorial outlining this for Bind 9?
Here's one that will* work for everyone: 127.0.0.1
*After you set up your own DNS server on the same computer.
There are plenty of other exploits that allow far greater control over all the IE users on the Internet than this. It still relies on the user going to a malicious website in the first place. If you can draw users to that web site, you might as well just fully exploit their browser and get some real code on the machine, then use it rather than bouncing crap around with javascript and constantly changing DNS entries.
And considering that I've already (after reading the article, mind you) changed my DNS servers to not return results matching our internal address range for lookups resolved from external hosts, it's even less useful.
I'm glad they've brought this up, and it's a hard one to really secure in modern browsers due to the cross-plugin problems, but it's certainly not something that worries me. Not nearly as much as the users I have that click on the stupid 'You have a postcard from a neighbor' spams that always manage to get through our spam filters.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
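The resolver-side change described in the two posts above (refuse answers for external names that point at internal addresses) comes down to one rule applied to every upstream reply. This is an added illustration of that rule in Python, not a BIND 9 configuration and not anyone's code from this thread; the zone names corp.example / intranet.example and the site's "own" public block 203.0.113.0/24 are assumed. It keys the decision on the queried name rather than the owner name of each record, which is what matters when an external name CNAMEs into the internal zone, and it unwraps IPv4-mapped IPv6 addresses so that ::ffff:10.0.0.1 is treated as 10.0.0.1.

```python
import ipaddress

# Address ranges no external name should ever resolve to (RFC 1918,
# loopback, link-local, "this network", unique-local IPv6) plus the site's
# own public block, assumed here to be 203.0.113.0/24 (TEST-NET-3).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
    "203.0.113.0/24",
)]

# Zones served by our own authoritative servers (assumed names); only a
# query for a name under these may legitimately get an internal address.
INTERNAL_ZONES = ("corp.example.", "intranet.example.")


def under_zone(name, zones=INTERNAL_ZONES):
    """True if name is one of our zones or a subdomain of one."""
    n = name.lower().rstrip(".") + "."
    return any(n == z or n.endswith("." + z) for z in zones)


def is_internal_address(text, nets=INTERNAL_NETS):
    """True if text parses as an address inside one of the internal nets."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False          # not an address; leave it to the caller
    # ::ffff:10.0.0.1 is 10.0.0.1 to the socket layer; compare it as IPv4
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets)


def filter_answers(qname, records, zones=INTERNAL_ZONES, nets=INTERNAL_NETS):
    """Split an upstream answer into (kept, dropped).

    records: list of (owner, rtype, rdata) tuples as they came back.
    A or AAAA rdata inside an internal range is dropped unless the
    *queried* name is in one of our zones. The query name is what the
    browser's same-origin policy keys on, so it, not the owner name,
    decides: an external name that CNAMEs into our zone still loses
    its internal A record.
    """
    if under_zone(qname, zones):
        return list(records), []
    kept, dropped = [], []
    for rec in records:
        owner, rtype, rdata = rec
        if rtype in ("A", "AAAA") and is_internal_address(rdata, nets):
            dropped.append(rec)
        else:
            kept.append(rec)
    return kept, dropped
```

Two caveats a practitioner would want. First, this only stops the behind-the-firewall case; rebinding to a public third party passes straight through, since nothing about the target address looks wrong to the resolver. Second, some resolvers already ship this rule as a setting (dnsmasq's --stop-dns-rebind with --rebind-domain-ok, Unbound's private-address and private-domain options), and a client that bypasses the site resolver and talks to the attacker's nameserver directly is not covered at all.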
... so that we can redirect links to the paper explaining all to a server that isn't slashdotted...
"Little does he know, but there is no 'I' in 'Idiot'!"
1) run your own nameserver
2) use a new subdomain for every request
3) ???
4) profit
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Have you ever seen a more naive assumption? Tim must have been about the dumbest person ever to be able to program a computer.
Change dom.max_script_run_time to a smaller (or larger) number of seconds.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Multi-Pass!
(Sorry, it was the first thing that came to mind.)
---- Liquid was a patriot ----