Dmk neut toor
Transcript

  • 1. h0h0h0h0
      Dan Kaminsky, Director of Penetration Testing, IOActive, Inc.
      Copyright IOActive, Inc. 2006, all rights reserved.
  • 2. H0h0h0h0?
      • Well, y'all wanted me to stop titling things Black Ops
        – Hikari, you got any idea what I'm here talking about?
      • What are we not here to talk about: DNS Rebinding
        – Can rebind to home router
        – Have video
        – Go change passwords.
        – Got questions? Find me later.
      • So what are we here to talk about?
        – What happens when Jason Larsen and I finally get some time to break some stuff together ;)
  • 3. Typos.
      • Typos?
        – Typos in DNS.
      • Relax. It's worth it.
        – Basic profit model
      • Humans don't type so good
        – Fcebook.com
        – Microsoft.co
        – Torcon.org
      • Sometimes miss keys
      • When they miss keys, they tell their browser to go somewhere that doesn't exist
        – Could just get a "No Such Server Error", or…
        – Could get ads!
  • 4. Typosquatting
      • Static Registration
        – Guess what might get clicked, buy that name
        – Must pay per guess, might be wrong
      • Dynamic Registration
        – Sitefinder by Verisign
          • Unveiled in 2003
          • Unregistered names suddenly start returning an ad server, instead of NXDOMAIN
          • Reveiled in 2003, never to return
  • 5. The New Era Of Typosquatting
      • Son Of Sitefinder: ISP Injection
        – DNS is hierarchical
          • Client asks the local name server.
          • Local name server asks the root, is sent to .com
          • Local name server asks .com, is given NXDOMAIN
            – Sitefinder used to inject here…
      • Normal: Local name server returns NXDOMAIN to client

            $ nslookup nxdomain--.com 4.2.2.1
            *** vnsc-pri.sys.gtei.net can't find nxdomain--.com: Non-existent domain

      • Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached

            $ nslookup nxdomain--.com 207.217.126.81
            …
            Name:      nxdomain--.com
            Addresses: 209.86.66.92, 209.86.66.93, 209.86.66.94, 209.86.66.95
                       209.86.66.90, 209.86.66.91

  • 6. The Problem: They're Spoofing Subdomains Too.
      • DNS is hierarchical
        – Client asks the local name server.
        – Local name server asks the root, is sent to .com
        – Local name server asks .com, is given foo.com
        – Local name server asks foo.com, is given NXDOMAIN
        – Normal: Local name server returns NXDOMAIN to client

            $ nslookup nonexistent.www.bar.com 4.2.2.1
            *** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com: Non-existent domain

        – Son Of Sitefinder: Local name server returns NOERROR to client, with ads attached

            $ nslookup nonexistent.www.bar.com 207.217.126.81
            Name:      nonexistent.www.bar.com
            Addresses: 209.86.66.94, 209.86.66.95, 209.86.66.90, 209.86.66.91
                       209.86.66.92, 209.86.66.93

      • NXDOMAIN was supposed to mean "No Such Domain"
        – There is such a domain. There's just not this subdomain in it.
  • 7. Intent
      • We don't think this behavior is intentional
        – Just so happens that subdomain NXDOMAINs look exactly like domain NXDOMAINs
          • Only difference is the source
          • Identical effects in the browser
      • Well, it's not unintentional for everyone…
  • 8. This Should Seem Familiar
  • 9. Parent Of Son Of Sitefinder Returns!
      • April 8th, becomes clear that Network Solutions injects subdomains into their customers' domains
        – Small print in a 53 page contract
        – Stay classy, NetSol
      • But heh, at least there's a contract
  • 10. Times Square Effect: Told Ya
      • Times Square Effect
        – When you see Times Square in a movie, that's not Times Square. All ads have been replaced, because there's no contractual obligation not to replace them
        – No contractual obligation between ISP and Web Sites not to replace traffic
  • 11. But What About Trademark Law?

            # dig in.ur.www.facebook.com
            ;; QUESTION SECTION:
            ;in.ur.www.facebook.com.        IN  A
            ;; ANSWER SECTION:
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.90  [adserver]
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.91  [adserver]
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.92  [adserver]
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.93  [adserver]
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.94  [adserver]
            in.ur.www.facebook.com™.  300  IN  A  209.86.66.95  [adserver]

      • Doesn't that qualify as Trademark Violation, with Use In Commerce?
        – I don't know. I'm not a lawyer. The hordes seem to think so, however.
        – I am, however, a hacker…
  • 12. Beautiful Synchrony
      • Trademark Policy: Trust the good, as it possesses the protected mark.
      • Same Origin Policy: Trust the subdomain, as it possesses the protected domain
        – Local Name Server asks bar.com, is sent to www.bar.com.
        – Local Name Server asks www.bar.com, is told foo.www.bar.com is at 1.2.3.4
        – Foo.www.bar.com was thus "vouched for" by www.bar.com
      • Trademark controls human trust, Same Origin controls browser trust. The two policies are actually synchronized.
        – Both are under attack.
  • 13. Injection
      • Anything goes wrong on a subdomain, it is an element of the parent
        – Can access cookies
        – Can do…other things
      • Normally, a subdomain is trusted by its parent…
        – But in this case, the subdomain is some random server run by a bunch of advertisers
        – …and if this random server happened to possess a cross site scripting vulnerability…
  • 14. If?

            # curl http://in.ur.www.facebook.com/foo<script>alert('x
            DNS Error: http://in.ur.www.facebook.com/foo<script>alert('x
            >

        – YES IT ACTUALLY PREFACES THE XSS WITH DNS ERROR I AM NOT JOKING
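The defect on this slide is an error page that copies the requested URL into its HTML body unescaped, so markup in the path is reflected back to the browser as markup. The following is an added illustration, not code from the talk and not Barefruit's implementation: a hypothetical renderer with that defect beside an escaped version, run over a request string constructed to match the slide. The function names and the request string are assumptions made for the example.

```python
import html

# Constructed request, modelled on the slide; not a real capture.
CONSTRUCTED_REQUEST = "http://in.ur.www.facebook.com/foo<script>alert('x"


def render_error_page_unsafe(requested_url: str) -> str:
    """Hypothetical vulnerable renderer: the requested URL is interpolated into
    the page body as-is, so any tag in it survives as a real tag. This models
    the defect the slide describes; it is not the vendor's actual code."""
    return f"<html><body>DNS Error: {requested_url}</body></html>"


def render_error_page_safe(requested_url: str) -> str:
    """Hardened renderer: HTML-escape untrusted input before interpolation.
    quote=True also escapes both quote characters, which matters whenever the
    value could land inside an attribute."""
    return f"<html><body>DNS Error: {html.escape(requested_url, quote=True)}</body></html>"


def reflects_markup(page: str) -> bool:
    """True when a <script tag from the input is present in the output as a tag
    rather than as escaped text."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe page reflects markup:", reflects_markup(render_error_page_unsafe(CONSTRUCTED_REQUEST)))
    print("safe page reflects markup:  ", reflects_markup(render_error_page_safe(CONSTRUCTED_REQUEST)))
```

Escaping removes the reflected script but not the underlying exposure: the page is still being served under a name inside facebook.com, so everything the next slides say about subdomain trust still applies to it.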
  • 15. Welcome to Barefruit.
      • Popular DNS Ad Injection Company
      • Notable customers
        – Earthlink/Mindspring -- everywhere
        – Comcast
          • Outsourced to Earthlink, probably didn't even know
          • No idea how outsourced
        – Others
          • Cox – At least partial deployment, probably small. Finder.cox.com resolves to their servers.
          • Qwest – Trial deployment only
          • Verizon – Has multiple ad networks.
            – Barefruit appears to be used in ~20 regions
      • Time Warner also does DNS injection, but not through Barefruit
  • 16. They're Not Alone
      • For each name server, ask for a nonexistent domain.
        – For each nameserver that provides an answer, ask for an existing domain.
        – If the answer is correct, it's an NXDOMAIN injector
      • Appears to be ~72 ISPs doing some sort of injection. Lots of big names. This is spreading.
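Slide 16 gives a two-query test for telling an NXDOMAIN injector apart from an honest resolver and from one that is simply broken. The following is an added worked example, not the talk's own tool (BFF_DNS.PL is not reproduced here): a minimal DNS wire-format builder and parser using only the Python standard library, the classification rule from the slide, and constructed replies to run it against offline. The sample replies, the helper names, and the 192.0.2.1 address used as the known-good answer are assumptions for the example; the ad-server addresses are the ones quoted on the slides.

```python
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format A query for `name`: 12-byte header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name: str, rcode: int, addresses, txid: int = 0x1234) -> bytes:
    """Constructed reply used in place of a live resolver: QR/RD/RA set, the given
    RCODE, one A record per address, owner names compressed to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    body = build_query(name, txid)[12:]
    for addr in addresses:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + body


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and the A-record addresses found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addresses}


def classify_resolver(bogus_reply: bytes, known_reply: bytes, expected_addr: str) -> str:
    """Slide 16's rule: a resolver that answers a name that cannot exist, yet still
    resolves a known name correctly, is injecting into NXDOMAIN responses."""
    bogus, known = parse_response(bogus_reply), parse_response(known_reply)
    if bogus["rcode"] == RCODE_NXDOMAIN and not bogus["addresses"]:
        return "honest"
    if bogus["rcode"] == RCODE_NOERROR and bogus["addresses"]:
        if known["rcode"] == RCODE_NOERROR and expected_addr in known["addresses"]:
            return "nxdomain-injector"
        return "answers-everything"     # known name wrong too: broken or wholesale redirect
    return "inconclusive"


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> bytes:
    """Send one UDP query to a resolver you run or are assigned, returning the raw reply,
    so the same classify_resolver() can be applied to live data."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recv(4096)


# Constructed sample replies (no network): the injected addresses are the ad-server
# IPs quoted on the slides; 192.0.2.1 (TEST-NET-1) stands in for a known name's real answer.
HONEST_REPLY = build_response("nxdomain--.com", RCODE_NXDOMAIN, [])
INJECTED_REPLY = build_response("nxdomain--.com", RCODE_NOERROR, ["209.86.66.90", "209.86.66.91"])
KNOWN_GOOD_REPLY = build_response("www.example.com", RCODE_NOERROR, ["192.0.2.1"])

if __name__ == "__main__":
    for label, reply in (("honest", HONEST_REPLY), ("injecting", INJECTED_REPLY)):
        print(label, "->", classify_resolver(reply, KNOWN_GOOD_REPLY, "192.0.2.1"))
```

The random-looking label in the probe name matters: a resolver that is honest about a clearly bogus name but still answers real-looking typos is what the slide is hunting for, so in practice the first query should use a name nobody could have registered, and the second a name whose address you have verified out of band.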
  • 17. Now, this is only a subdomain…what can you really do with a subdomain?
      • Obligatory attack: Grab Cookies
        – Credentials to many sites
        – PII for some
        – Can also get any "supercookies"
          • Flash Storage
          • DOM Storage
          • etc
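Why an injected subdomain receives the parent's cookies at all comes down to the cookie domain-matching rule, and the same rule shows which cookie attributes limit the exposure (the "cookie excuses" of slide 24). The following is an added example, not from the talk: a simulation of RFC 6265 cookie selection in plain Python, run over a constructed cookie jar for a user of www.facebook.com against a request to the injected name from slide 11. The cookie names, the jar, and the helper functions are assumptions made for the example; Path and expiry handling are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    """A stored cookie reduced to the attributes that decide where it is sent.
    `domain` is the Domain attribute if one was set, otherwise the setting host."""
    name: str
    domain: str
    host_only: bool          # True when Set-Cookie carried no Domain attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or the host is a subdomain of the cookie domain."""
    host, dom = request_host.lower().rstrip("."), cookie_domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent(request_host: str, scheme: str, jar) -> list:
    """RFC 6265 section 5.4 selection, with Path and expiry omitted (all cookies
    are treated as path "/" and unexpired)."""
    chosen = []
    for c in jar:
        if c.host_only:
            if request_host.lower() != c.domain.lower():
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue
        chosen.append(c)
    return chosen


def cookies_readable_by_script(request_host: str, scheme: str, jar) -> list:
    """What page script sees through document.cookie: everything that was sent,
    minus HttpOnly cookies (which still travel in the request header)."""
    return [c for c in cookies_sent(request_host, scheme, jar) if not c.http_only]


def names(cookies) -> list:
    return [c.name for c in cookies]


# Constructed jar for a user logged in to www.facebook.com; the names are invented.
JAR = (
    Cookie("sess",       "facebook.com",     host_only=False),
    Cookie("sess_https", "facebook.com",     host_only=False, secure=True),
    Cookie("sess_ho",    "facebook.com",     host_only=False, http_only=True),
    Cookie("csrf",       "www.facebook.com", host_only=True),
)

INJECTED_HOST = "in.ur.www.facebook.com"   # the name slide 11 shows resolving to an ad server

if __name__ == "__main__":
    print("sent to http://%s/:" % INJECTED_HOST, names(cookies_sent(INJECTED_HOST, "http", JAR)))
    print("visible to script there:", names(cookies_readable_by_script(INJECTED_HOST, "http", JAR)))
```

Of the four cookies only the host-only one stays home; Secure holds only until the ad server speaks HTTPS under that name, and HttpOnly keeps the value out of script while it still leaves the browser in the request header. For a site owner that means scoping session cookies host-only wherever possible and treating every name under the registered domain as inside the trust boundary, whether or not a record for it exists.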
  • 18. Cookie Grab (Pre)
  • 19. Cookie Grab (Post)
  • 20. Can Also Fake Subdomains
      • There is no legitimate subdomain
        – But a page comes back with arbitrary script…
        – So you can populate anything, on any domain, anywhere.
      • Perfect for phishing
        – You get a link to your bank, you see in the address bar server2.www.yourbank.com, you type credentials
        – You see a banner ad to join a beta program at Microsoft, you click through, download what you think is the latest build…
          • Actually malware
  • 21. Fake Site (Pre)
  • 22. Fake Site (Post)
  • 23. Fake Site (Post 2)
  • 24. But That's Just Not Enough
      • Cookie Excuses
        – But cookies are often tied to Source IP!
        – But cookies can use HTTP Only so they aren't readable from script!
        – But cookies might be just secure cookies!
      • Fake Site Excuses
        – But you're not actually logged in
        – You don't know the content of the site to spoof
      • Can we do anything better?
        – We're a malicious subdomain
        – Can't we just script into our parent?
      • Pop-under windows: They're not just for annoying ads anymore
      • document.domain is our friend…
        – DOM element that specifically allows children to inject into parent
  • 25. Choosing The Demo
      • Needed to be generic to all sites
      • Needed to express the distance between what you expected to happen, and what actually did
      • Needed to be…recognizable…without being terrifying.
  • 26. H0h0h0h0…and it ain't just Facebook
  • 27. MySpace
  • 28. .Mac
  • 29. Apple
  • 30. Microsoft
  • 31. Ebay
  • 32. ToorCon
  • 33. FOX NEWS
  • 34. The Associated Press
  • 35. In Case You're Curious
      • THE LAWYERS ARE NOT AMUSED
  • 36. Coming Clean
      • This was only a simulation.
        – BFF_DNS.PL
          • BAREFRUIT FOREVA!
      • We got through to Barefruit before this talk
        – Crystal Williams got me through to Earthlink
        – Earthlink got me through to Barefruit
        – Barefruit fixed the bug in ~27 minutes once they understood the bug
        – All were awesome, thanks!
      • All ISPs were redirecting to Barefruit's servers, so we're OK…or are we?
  • 37. So Now What
      • Barefruit is still injecting into trademarked subdomains.
      • The immediate crisis is over, but the security of the web (at these ISPs) is basically limited by the security of these ad servers
        – Don't attack Facebook, attack the ad server
        – Don't attack MySpace, attack the ad server
        – Don't attack PayPal, attack the ad server
      • I am not a lawyer, I am a security engineer
        – I cannot secure the web if ISPs will change the bytes I send
        – Need legal and PR support to stop PITMAs
          • Provider In The Middle Attacks
        – Brad Hill pointed out that MITM isn't exactly theoretical anymore…
        – Neither is Ad Injection
        – Luckily, the counsel I've spoken to does not appear to be amused.
  • 38. Conclusions
      • Even small amounts of failed net neutrality can lead to catastrophic side effects on Internet security
        – Intent is not required to really break everything
      • Security needs the lawyers
        – Even if everything was 100% SSL, if the ISP could require code on the box, they could still bypass the crypto, and alter the content
        – We need the precedent: You can host nothing. You can host something. But you can't host something else.
