DNS Rebinding Attacks, Multi-Pin Variant

Morty writes "DNS rebinding attacks can be used by hostile websites to get browsers to attack behind firewalls, or to attack third parties. Browsers use "pinning" to prevent this, but a paper describes so-called multi-pin vulnerabilities that bypass the existing protections. Note that, from a DNS perspective, this is a "feature" rather than an implementation bug, although it's possible that DNS servers could be modified to prevent external sources from being able to point at internal resources."

Re:Ask Slashdot: Pause a running Javascript

http://www.getfirebug.com/

Re:We are now checking your browser...

Not without Javascript you aren't!

The article mentions Java and Flash are problems as well.

Re:We are now checking your browser...

[grcumb]

We are now checking your browser for DNS rebinding vulnerabilities. Not without Javascript you aren't!

Heh, my boy, you just summed up the Web's great affliction in a nutshell.

This particular exploit vector is especially troublesome because turning off the ability to point a name at multiple IPs would break a large part of the Internet. But it wouldn't be an issue for web browsers if we didn't see the need for the Web to be dynamic and interactive. Dynamism and interactivity are really not built into HTTP. It would be more accurate to say that HTTP was designed to be just the opposite.

Website designers and software makers have been trying to turn the Web into a collection of desktop applications since about the time the Web was invented. This runs counter to what Tim Berners Lee intended. HTTP is stateless for a reason. I honestly don't think he made HTTP stateless because he envisioned the havoc that malicious websites could cause, but the principle of agnosticism (i.e. providing content without knowing anything about the requester's capabilities) that's implicit in the protocol is inherently more secure than the desire of many to make websites into remotely-accessed desktop apps.

Unfortunately, this particular horse bolted from the barn in the earliest days of the web, and there's no easy way to get it back in. A wise web developer will nonetheless read and understand the HTTP protocol. Its statelessness and agnosticism can be strengths when considered in the proper light....

...Yeesh, that last sentence makes me feel like Yoda counselling young Luke.... 8^/

Seems they forgot a few things

[linuxkrn]

I did RTFA, and it seems to me they made an oversight in the fact that most ISP/corp sites use a caching DNS server. A repeated lookup to the same domain will return the cached result. Their POC depends on the client doing another lookup and getting a different result. This would attack would depend on the client being able to the attacker's DNS.

Now they do say that the attacker DNS returns more then one A record for each request. But they are ignoring the fact that the serial number of the zone would have to change for a refresh to not get cached. And even if they did create a new zone record for each visit, with the target's IP (seems unlikely), all the servers back to the client would need to respect it. Again, my ISP Qwest, has a bad habit of ignoring the TTL in my zone files.

example 1:

target lookup (T0) -> www.attacker.com
www.attacker.com -> 192.168.0.1

target lookup (T1) -> www.attacker.com
ISP/site cached reply -> 192.168.0.1 (attack failed)

Example 2:
target lookup (T0) -> www.attacker.com
www.attacker.com -> 192.168.0.1

target lookup (T1) -> www2.attacker.com
attacker's ISP cached reply -> 192.168.0.1 (attack failed again)

The only case I can see this working if the zone records contain an IP for some third party source that they want to try and abuse. So say www2.attacker.com points to 10.0.0.1 and that number is static in their zone record. Which appears to be much less efficient zombie scan with IP spoofing.

And finally, this is all dependent on the attacker tricking the client into loading Flash/Java/Javascript from their box. Another win for noscript.

Re:Seems they forgot a few things

[BitZtream]

The zone serial number has nothing to do with this. DNS cache entries, be it on the host, or in caching DNS servers, or the clients primary DNS server are controlled by the TTL setting (Time to live). If you set the TTL to 0, you effectively disable caching across the internet for your domain. You may find some caching servers that won't honor a 0, but they're sure to expire the cache entry pretty quickly and they are few and far between.

Re:Seems they forgot a few things

[afidel]

Your OS cache should not be caching 0 TTLs per RFC1034

Meanwhile back in the real world both OSX and Windows DO ignore 0 TTL's as do many ISP's caching DNS servers. This is one of the things that makes round-robin DNS and ISP cutovers rather hard to plan in the real world. In fact I assume that some worst case ISP's will cache results for 48-72 hours despite a TTL of say 10 minutes.

Re:Seems they forgot a few things

[ACMENEWSLLC]

It seems that it is a given that the host name must stay the same for this to work and that TTL must be very low, per TFA.

So if I modify my DNS cache server to ignor low TTL's and force a minimum TTL of 60 minutes, then I've defeated this issue. Of course, I've also broke external site's ability to do quick fail overs. But that can wait until a browser fix is out.

A browser fix could defeat this by maintaining DNS entries for a period of time. If the DNS changes to RFC1918 from non RFC1918, then prompt the user with a warning about the security issue involved and advise them to not allow the change.

This would not protect against this same attack going out against other sites on the web, though. A hacker could change the DNS to that of eBay and submit a bid through your computer, for example. Since DNS changing often with low TTL is normal, this seems like a complex issue to fully solve.

Re:Bind9

[Morty]

For now, bind9 does not support this. See the relevant thread.

Re:There are far easier ways to exploit people

[Morty]

It still relies on the user going to a malicious website in the first place.

If you read the original article, you will note that they generated exploit stats by utilizing an ad network. You don't need to visit a "bad" website, you just need a "bad" ad while visiting a normal website.

And considering that I've already (after reading the article mind you) changed my DNS servers to not return results matching our internal address range for lookups resolved from external hosts, its ever less useful.

Cool! What server do you use, and how did you configure it to do this?

Re:Backup DNS Servers?

[theGreater]

OpenDNS ( http://www.opendns.com/ ) works pretty well. I typically go internal cache, external ISP, openDNS on my systems. Keeps Windows boxes in line, especially.

-theGreater.

Re:Flashback

[statusbar]

One point placed in the paper:

Current versions of the JVM are not vulnerable to this attack because the Java security policy has been changed. Applets are now restricted to connecting to the IP address from which they were loaded.

if the web browser and applet are connecting to the server via a proxy, then neither the web browser nor the applet have control over "connecting to the same IP address from which they were loaded"

Therefore, if a proxy is involved then current versions of the JVM are still vulnerable.

Fortunately, the paper goes into detail about this later on:

Proxies. If a client uses an HTTP proxy to access the web, these mitigations do not prevent multi-pin attacks using Java applets. Clients using an HTTP proxy request web ob jects by URL, not by IP address.

The irony is that many organizations use proxies to implement both content and virus filtering. The use of these proxies themselves makes their web browsers MORE susceptible to these pinning attacks.

--jeffk++

In about:config

[Ayanami+Rei]

Change dom.max_script_run_time to a smaller (or larger) number of seconds.