Copyright IOActive, Inc. 2006, all rights reserved
Black Ops 2007:
Design Reviewing The Web
“Packets Will Be Involved”
Director of Penetration Testing
• This is my seventh talk here at Black Hat, where
previous subjects have included:
– Everything over SSH
– Massive Speed Network Scanning
– Everything over DNS
– Pattern Analysis
– Neutrality Verification
• New Target: The World Wide Web
Where The Wild Things Are
• Rampant and persistent XSS/XSRF announcements
• Superbowl .WMF 0-day
– Two days before Superbowl, malicious image placed on
– 1+M desktops compromised overnight
• DNS Rebinding Test By Dan Boneh’s Team at Stanford
– Test flash applet placed on an Ad network, distributed
across many web sites
– Applet acquired partial network connectivity to client LAN
– +100K networks exposed
These Are A Few Of My Favorite Things
• DNS…? Tunneling…? Behind Firewalls…?
– “I try to get out, but they pull me back in!”
• DNS Rebinding is an old bug
– Dates back to 1996
– So old, people forgot about it, and started building
systems that didn’t defend against it
• Dan Boneh of Stanford University’s been driving the
most thorough research
– Attack dates back to 1996 (“Princeton Attack”)
– Martin Johns revived the attack in August 2006
– RSnake’s been pushing a lot of attention its way
• Effect: DNS Rebinding partially breaks the security
policy of the web.
How Does The Web Work?
• Web pages are pulled together in the browser,
from pieces that can come from all over the place
– You can even embed one web page inside another
• This is an “IFrame”
– But what if someone embedded Hotmail, and
you were logged in? Would they be able to
read your mail?
The Same Origin Policy
• “Look but don’t touch”
– A web page can embed Hotmail, but it can’t “look inside”
to see what’s happening
– Access to “look inside” controlled by Same Origin Policy
– If foo.com has an iframe to foo.com, it can look inside.
– If foo.com has an iframe to bar.com, it can display
bar.com to the user, but it can’t peek inside and see what
the user sees.
• “If two things come from the same place, they must be
trusted the same”
– Same place = Same name, right?
• Names don’t host anything.
• Everything comes from IP addresses
• We use DNS to translate between a name we trust and an IP
address we communicate with
– Foo.com -> 18.104.22.168
– Bar.com -> 22.214.171.124
• Assumption: The translations don’t change
– Reality: Both foo.com and bar.com can return any IP
address, at any time, whether they control that IP or not
• Bar.com can return an IP address of Foo.Com’s
• One moment, bar.com could point to a server in Europe
• The next moment, bar.com could point to the printer down the hall
• Suppose your browser loaded a page from each address
– The content from the European server would be from bar.com
– The content from the printer down the hall would also be from bar.com
– According to the Same Origin Policy, the server in
Europe can do whatever it wants to your printer!
• The server can’t get past your corporate firewall…
• …but it doesn’t need to. It’ll tell your browser what to
do, and your browser will report back with whatever
your printer is up to.
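A minimal sketch of the point above, assuming the origin check compares only scheme, host name, and port and never looks at the resolved IP address. The `origin` and `same_origin` helpers and both example addresses are illustrative, not taken from any browser.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple that an origin check compares."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

def same_origin(url_a, url_b):
    """Two URLs share an origin when their triples match; IPs are never consulted."""
    return origin(url_a) == origin(url_b)

# Hypothetical resolutions of the same name at two moments in time.
first_url, first_ip = "http://bar.com/attack.html", "203.0.113.7"   # server in Europe
second_url, second_ip = "http://bar.com/status.html", "10.0.0.9"    # printer down the hall

print(same_origin(first_url, second_url))                    # True
print(first_ip == second_ip)                                 # False
print(same_origin("http://foo.com/", "http://bar.com/"))     # False
```

The name matches, so the two pages may script against each other, even though the bytes came from two unrelated machines.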
Why The Attack Works
• Browser doesn’t know bar.com from the external
IP is any different from bar.com from the internal IP
– This is by design
– Major web sites have IP addresses spread
across the world, and resources acquired from
them need to be able to script against one another
• Detecting that there’s a cross-IP scripting action
happening is only the beginning – what to do after
that is what people are trying to figure out.
What is the canonical attack here?
• Firewall Bypass
– Most corporate networks draw a significant
distinction between the external network and
the internal network
• Things inside can route out
• Things outside cannot route in
• By bouncing off a lured browser, an attacker
on the outside can access resources on the inside
Levels of Exploitation
• Level 1: Browser-Only
– One IFrame is from Europe, the other is down the hall.
Same name, so they can script against each other.
– The Win: Arbitrary HTTP Sites
• Level 2: Web Plugins
– MSXML* / XMLHttpRequest / Silverlight
– The Win: HTTP + Web Services + Semi-Arbitrary
• Level 3: Socket Plugins
– Flash / Java, though different resources available
– The Win: Everything from L1+L2, plus various degrees
of TCP or UDP access
• Original Target of 1996 Princeton Attack
– From Applet interface, can only get high-port
UDP and TCP to the actual calling app
• More widely deployed than I thought
without going through Applet interface
– Totally rebindable – effect is high-port UDP and
TCP to anyone
– Firefox and Safari only though
• Has worked hardest to make arbitrary socket
connections work when they’re supposed to
– Most mature security model in the industry
– They don’t handle rebinding well though
• Breaks what is otherwise a lot of really good
• Effect: Arbitrary TCP, though you have to pull
some tricks to get TCP ports below 1024
Mechanisms for rebinding an address
• Lots of ways to use a rebind, but how do you
achieve it in the first place?
– How do you cause the DNS infrastructure to
accept your change of address?
– The entire architecture is designed to cache
across hours to days, not to be swappable in
• Three mechanisms
Traditional Rebinding: Temporal
• DNS records have a TTL field – lets you declare how long a
record should live in the infrastructure before a second query
causes a new request to the original server
– Declare a 0 TTL and records will supposedly not cache
– Now every time the browser has a slightly different DNS
request, you get an opportunity to provide a different
• Problem: Some networks won’t respect your low TTL.
Some networks brag about that ;)
– You could wait until the network-enforced minimum TTL
expires, but that takes time
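A toy model of temporal rebinding, as a sketch only. `ToyAuthority` and `ToyCache` are hypothetical stand-ins for the attacker's name server and a caching resolver, the addresses are made up, and `min_ttl` models a network that refuses to honor a low TTL.

```python
class ToyAuthority:
    """Attacker's name server: hands out the next address on each query."""
    def __init__(self, answers, ttl=0):
        self.answers = list(answers)
        self.ttl = ttl
        self.queries = 0

    def query(self, name):
        # Stay on the last answer once the list is exhausted.
        address = self.answers[min(self.queries, len(self.answers) - 1)]
        self.queries += 1
        return address, self.ttl


class ToyCache:
    """Caching resolver that may enforce a minimum TTL of its own."""
    def __init__(self, authority, min_ttl=0):
        self.authority = authority
        self.min_ttl = min_ttl
        self.entries = {}  # name -> (address, expires_at)

    def resolve(self, name, now):
        cached = self.entries.get(name)
        if cached and now < cached[1]:
            return cached[0]  # still fresh, the authority is not asked
        address, ttl = self.authority.query(name)
        self.entries[name] = (address, now + max(ttl, self.min_ttl))
        return address


fast = ToyCache(ToyAuthority(["203.0.113.7", "10.0.0.1"]))
print(fast.resolve("bar.com", now=0), fast.resolve("bar.com", now=1))
# 203.0.113.7 10.0.0.1

sticky = ToyCache(ToyAuthority(["203.0.113.7", "10.0.0.1"]), min_ttl=300)
print(sticky.resolve("bar.com", now=0), sticky.resolve("bar.com", now=1),
      sticky.resolve("bar.com", now=300))
# 203.0.113.7 203.0.113.7 10.0.0.1
```

With a 0 TTL honored, the second lookup already rebinds. With an enforced minimum, the attacker has to wait it out.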
Another Rebinding Mechanism: Spatial
• DNS responses can contain multiple addresses
• When bar.com is asked for its IP address, it
returns both its address and the address of the
– This can have an infinite TTL
• Problem: Which record will the browser choose?
– Totally random.
• Solution: Try again
Spatial Error Resolution
• Case 1: Browser wants external, gets internal
– Fix 1: External resource is hosted on an unusual port, so
the internal connection will fail and thus retry to external.
This has problems with outbound firewalls, though.
– Fix 2: Immediately after connecting, look for evidence in
the connected session that we’ve actually reached the
correct server. If not, destroy the object that did the
incorrect retrieve and keep trying until success.
• The trick: Retrieve the content with XMLHttpRequest
so that you can actually destroy the object that
• Case 2: Flash/Java wants internal, gets external
– Fix: Look for magic token on incoming session. If magic
token is returned, destroy the object and try again. If no
token, retry the applet a couple times just in case there’s
an extrusion firewall in the way.
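The retry logic above can be sketched as a small simulation. Everything here is an assumption for illustration: the two addresses, the `has_magic_token` check standing in for "evidence in the connected session", and a uniformly random choice between the returned records.

```python
import random

EXTERNAL = "203.0.113.7"  # hypothetical attacker-controlled server
INTERNAL = "10.0.0.1"     # hypothetical target behind the firewall

def has_magic_token(address):
    """Only the attacker's own server answers with the magic token."""
    return address == EXTERNAL

def fetch_until(want_external, records, rng, max_tries=50):
    """Keep fetching until the session shows we reached the intended host.

    Returns (address, attempts), or (None, max_tries) if we never got there.
    """
    for attempt in range(1, max_tries + 1):
        address = rng.choice(records)  # browser picks one record at random
        if has_magic_token(address) == want_external:
            return address, attempt
        # Wrong host: destroy the object that did the fetch and try again.
    return None, max_tries

rng = random.Random(7)
records = [EXTERNAL, INTERNAL]
print(fetch_until(True, records, rng)[0])   # Case 1: the external server
print(fetch_until(False, records, rng)[0])  # Case 2: the internal target
```

Case 1 accepts only a session that carries the token; Case 2 accepts only a session that does not.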
• People are trying to use DNS TTLs as a security technology
• DNS TTLs are not a security technology
– Finally, something less a security technology
than Virtual Machines
• Overriding a TTL, if you control the record, turns
out to be very easy, and this is by design
– When something wasn’t designed to be a
security technology, don’t be surprised when it
• CNAME Records: DNS Aliases
– Instead of returning an address, return what the
“Canonical”, or Official Name was, and then the
address of that Canonical Name
– If you are allowed to be the resolver for that
canonical name, your additional record
overrides whatever’s already in the cache, even
if the TTL hasn’t expired yet
• It’s not a bug.
• Works against most, but not actually all
• dig 1.foo.notmallory.com
;; ANSWER SECTION:
1.foo.notmallory.com. 120 IN
bar.foo.notmallory.com. 120 IN
• dig bar.foo.notmallory.com
bar.foo.notmallory.com. 111 IN
• dig 2.foo.notmallory.com
IN A 10.0.0.1
• dig bar.foo.notmallory.com
IN A 10.0.0.1
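A toy model of the CNAME behavior described above, not the logic of any real resolver. It assumes a cache that accepts every record in a response that falls inside the answering server's zone and lets it replace an unexpired entry. `ToyResolverCache` is hypothetical, and 203.0.113.7 is a made-up stand-in for the first address.

```python
class ToyResolverCache:
    def __init__(self):
        self.records = {}  # name -> (rtype, value, expires_at)

    def accept_response(self, answers, server_zone, now):
        """Cache in-zone records, overwriting entries whose TTL has not expired."""
        for name, rtype, value, ttl in answers:
            if name == server_zone or name.endswith("." + server_zone):
                self.records[name] = (rtype, value, now + ttl)

    def lookup(self, name, now):
        """Follow CNAMEs through the cache until an unexpired A record is found."""
        seen = set()
        while name in self.records and name not in seen:
            seen.add(name)
            rtype, value, expires_at = self.records[name]
            if now >= expires_at:
                return None
            if rtype == "A":
                return value
            name = value  # CNAME: continue with the canonical name
        return None


ZONE = "foo.notmallory.com"
cache = ToyResolverCache()

# Query for 1.foo...: alias to bar.foo..., which points at the external server.
cache.accept_response([
    ("1.foo.notmallory.com", "CNAME", "bar.foo.notmallory.com", 120),
    ("bar.foo.notmallory.com", "A", "203.0.113.7", 120),
], ZONE, now=0)
print(cache.lookup("bar.foo.notmallory.com", now=9))  # 203.0.113.7

# Query for 2.foo...: same alias, but the extra record now says 10.0.0.1.
cache.accept_response([
    ("2.foo.notmallory.com", "CNAME", "bar.foo.notmallory.com", 120),
    ("bar.foo.notmallory.com", "A", "10.0.0.1", 120),
], ZONE, now=9)
print(cache.lookup("bar.foo.notmallory.com", now=9))  # 10.0.0.1
```

The cached record for bar.foo.notmallory.com still had 111 seconds to live when it was replaced.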
• By swapping addresses out from
underneath a web browser, we can get
arbitrary TCP (and sometimes UDP)
access to hosts reachable by the client.
What can we do with this?
– Can we VPN into corporate networks
with nothing but a lured web browser?
• Sure! It’s easy!*
* Actually a pain in the ass, but heh
• Three actors in this little dance
– The Browser, which has access to internal
– The Attacker, which wants access to those
– The Proxy, which sends code to the Browser to
copy messages from the Attacker
• We will start with the Proxy, running software of
my design. This software is called Slirpie.
Slirpie, The Proxy
• Multiprotocol Server, Built using POE
– Accepts TCP streams for Browser delivery, containing
– Accepts HTTP requests for those routable streams
– Accepts DNS requests to direct routing
– Accepts XMLSocket requests to determine routing policy
• For Flash
• The basic theme is – Attacker connects to Proxy, which
manages the appropriate resources in Browser to
service the Attacker’s connections.
A Bucket of Suckets
• Browser connects, establishes an IFrame called a
– A bucket is a collection of connection managers
– The bucket polls for new connections to establish
• Attacker connects to Proxy and requests a socket to
10.0.0.1, port 80.
• Browser Bucket retrieves list of new connections,
compares against the previous list, notices one new
demand for 10.0.0.1:80.
– Bucket opens up a 2nd-level IFrame for this new IP
• The IFRAME SRC attribute for the 2nd-level IFrame
is set to 10.0.0.1.foo.proxydomain.com. For now, it
still resolves to the Proxy’s address.
– This 2nd-level IFrame is called a “Sucket”.
How many DNS requests does it take to get
to the center of your corporate network?
– HaXe, a metalanguage, is used to compile both a Flash
– The Flash object is loaded, and directed to create a
connection to 10.0.0.1:80
• QUERY ONE: Load the movie from
10.0.0.1.foo.proxyhost.com (actually Proxy’s IP)
• QUERY TWO: Load the security policy controlling <1024
port access from 10.0.0.1.foo.proxyhost.com (still Proxy’s IP)
• ARM THE REBIND: Tell the Proxy to return a different
address with the next query, using a special HTTP query.
• QUERY THREE: Connect to 10.0.0.1.foo.proxyhost.com:80
(now finally returning 10.0.0.1).
– Connection is in the applet loaded by the proxy, using the
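The query sequence above can be sketched as a small state machine on the Proxy's DNS side. This is an illustration, not Slirpie's code: `RebindingResponder`, `PROXY_IP`, and the `arm` method are hypothetical names, and the suffix follows the 10.0.0.1.foo.proxydomain.com naming used earlier in the slides.

```python
import ipaddress

PROXY_IP = "203.0.113.7"         # hypothetical public address of the Proxy
SUFFIX = ".foo.proxydomain.com"  # naming scheme from the slides

def embedded_target(hostname):
    """Extract the IPv4 address encoded in the leading labels of the name."""
    if not hostname.endswith(SUFFIX):
        raise ValueError("not one of our names: " + hostname)
    candidate = hostname[: -len(SUFFIX)]
    return str(ipaddress.IPv4Address(candidate))  # raises ValueError if malformed

class RebindingResponder:
    """Answers with the Proxy's own address until a name has been armed."""
    def __init__(self):
        self.armed = set()

    def arm(self, hostname):
        # Stand-in for the special HTTP query that arms the rebind.
        self.armed.add(hostname)

    def answer(self, hostname):
        if hostname in self.armed:
            return embedded_target(hostname)
        return PROXY_IP


dns = RebindingResponder()
name = "10.0.0.1.foo.proxydomain.com"
print(dns.answer(name))  # QUERY ONE:   203.0.113.7 (load the movie)
print(dns.answer(name))  # QUERY TWO:   203.0.113.7 (load the security policy)
dns.arm(name)            # ARM THE REBIND
print(dns.answer(name))  # QUERY THREE: 10.0.0.1
```

Encoding the target in the name means the responder needs no per-connection table; the name itself says where to rebind.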
• 1) Data is received by Flash – sent down into the
Sucket’s DOM for eventual collection.
• 2) Bucket prepares to send an update to the
Proxy. It visits each Sucket, and retrieves the
latest list of updates.
• 3) Proxy receives the update, acknowledges
reception, and sends any replies in the update
• 4) Bucket receives the response, and tells each
Sucket to parse their replies and send() them up
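A rough sketch of the Bucket's bookkeeping, assuming connections are identified by (address, port) pairs and modeling IFrames as plain objects. The `Bucket` and `Sucket` classes and their method names are invented for illustration and do not reflect the real implementation.

```python
def new_demands(previous, current):
    """Connections the Proxy wants that the Bucket has not opened yet."""
    return sorted(set(current) - set(previous))

class Sucket:
    """Stand-in for a 2nd-level IFrame that manages one connection."""
    def __init__(self, target):
        self.target = target
        self.inbound = []   # data received from the target, awaiting pickup
        self.outbound = []  # replies from the Proxy, to be sent to the target

class Bucket:
    def __init__(self):
        self.suckets = {}

    def poll(self, wanted):
        """Compare the Proxy's list with what is open; open whatever is new."""
        for target in new_demands(self.suckets, wanted):
            self.suckets[target] = Sucket(target)

    def collect_updates(self):
        """Step 2: visit each Sucket and drain what it has received."""
        updates = {}
        for target, sucket in self.suckets.items():
            if sucket.inbound:
                updates[target] = sucket.inbound
                sucket.inbound = []
        return updates

    def deliver_replies(self, replies):
        """Step 4: hand each Sucket the replies the Proxy sent back."""
        for target, chunks in replies.items():
            self.suckets[target].outbound.extend(chunks)


bucket = Bucket()
bucket.poll([("10.0.0.1", 80)])
bucket.suckets[("10.0.0.1", 80)].inbound.append(b"HTTP/1.0 200 OK\r\n")  # step 1
print(bucket.collect_updates())  # {('10.0.0.1', 80): [b'HTTP/1.0 200 OK\r\n']}
bucket.deliver_replies({("10.0.0.1", 80): [b"GET / HTTP/1.0\r\n\r\n"]})
```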
But What Of Domains?
• Each of those IFrames inside the bucket is in a
different domain than the bucket itself.
– Why can they push stuff up, or pull stuff down?
• Same Origin Policy allows two subdomains from
the same domain to explicitly claim support for one
– So we do that.
– Thanks Same Origin Policy!
And that’s it!
• OK, a little bit of housekeeping for opening
and closing sockets, and eventually entire
– Yeah, it’s a reimplementation of TCP in
• …but what about the attacker? How does
he open sockets?
Back In The Day, When I Was Young
I’m Not Runnin’ 95 Anymore
– 1995 era tool that turned shell connections (text only) into
PPP connections (pretty pretty pictures)
– Was old school when I used it in my talk back in 2001
– What SLiRP actually does: Given a stream of packets,
create sockets and send the data in the packets into the
• SLiRP was Userspace NAT
– Where to find SLiRP: Recent versions … uh …
• Found in my “ancient cool stuff” archive
SLIRP and PPTP
• PoPToP: Linux PPTP Daemon
– PPTP: Horrifyingly hideous VPN protocol, ultimately
uses a PPP encapsulated stream of packets
– PoPToP can hand this PPP stream to SLiRP for
• Makes setting up a VPN link much easier
• Makes VPN’ing into a web browser possible.
• Normally, SLiRP would now handle sockets directly
– What if, instead, it gave the socket requests to Slirpie?
The General Idea
• The Attacker runs applications that use sockets.
• The sockets get their traffic sent over PPTP to SLIRP.
• SLIRP provides a set of streams to the Proxy.
• The Proxy tells the Browser’s bucket to open
• The Browser opens suckets, which themselves provide
• The Proxy mediates traffic between the Attacker’s
sockets and the Browser’s sockets.
• And it all just works.
– Nessus over IE: Nessie!
– WoW over IE: Wowie!
– Any TCP-based protocol should work.
What else can we use this for?
• Things other people have mentioned
– Click Fraud – go to random web sites, do bad things
– SPAM – er, you get Port 25 access too
• What else can we do?
– “Stealth Tor” – go to a website, be involuntarily added to
a worldwide proxy network
– Protect Network Neutrality
– P2P Networking?
• Java provides UDP support. Even through NATs,
bidirectional UDP = ability to generate a cloud entirely
in the browser
– That one thing…
IP OVER SPAM
• Defcon 14, TCP/IP Drinking Game
– “How would you get around the Great Firewall of China?”
• “Correct Answer”: Drop all RST packets,
ignore the firewall trying to shut you down
• My Answer: Encapsulate data in SPAM.
• We have IP (or at least TCP) inbound
• We have SPAM outbound
– You know, I was originally joking…
Oh, People Are Interested In This
Whole Network Neutrality Thing?
• I…was unaware this was such a hot button subject when I
started developing tools to detect problems with it
– First of all, we need to start using the correct language:
We wish to detect Provider Hostility
• If you’re sniffing my traffic, you’re hostile.
• If you’re altering my traffic, you’re hostile.
• If you’re censoring my traffic, you’re hostile.
• If you’re selling my traffic, you’re very very hostile.
• Would the military bomb you for doing it to them?
You’re hostile. Deal.
What Do We Need To Detect Provider Hostility?
• Downloading data from two separate sites, at two
separate speeds, unfortunately doesn’t tell us
– Too many factors are conflated to determine
what one thing is causing the problem
• What we want: “Given identical network paths for
two web sites, is the last mile provider hostile to
content from one site vs. another?”
– Detect differential speeds
– Correct content injection
SOMEBODY is buying this stuff
• Everyone who knows anyone who makes routers
knows that carriers are desperately trying to buy
routers that support hostility.
• There are repeated news articles about ISPs
replacing ads and companies setting themselves
up as ad replacers
• Can we monitor the spread of this problem?
– Can we defend Online Advertising against
the Times Square effect?
The Times Square Effect
• Movies that show Times Square replace all the ads.
– No contractual obligation not to
– No real expectation from the viewer that this is reality –
it’s a movie
• Carriers are under no contractual obligation to host the web
sites they say they are
– “Provider In The Middle” attacks might very well be
• Web sites and ads
– Users tolerate them
– Businesses would pay dearly to be top ranked on Google
– Google Times Squared would not be…good.
A Modest Proposal For Correcting
• WARNING: This is hideous
• Why the web can’t go 100% SSL/TLS yet
– Ignoring perf, most web sites are aggregated on one
IP, with Host: multiplexing
– SSL/TLS didn’t get an equivalent to the Host: header
to determine which certificate to present until very
recently, and most downlevel clients don’t support it
• One idea: We use SSL/TLS only to acquire loaders,
which acquire content from existing CDN mechanism but
refuse to inject into the DOM unless an HMAC or Tiger
Tree check is passed
– Can definitely do from Flash or Silverlight, possibly
from simple AJAX as well
– Building a system to do this, codenamed “NDK”
• “Not DOMokun”
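The loader idea can be sketched with a plain HMAC check. The assumptions here: the key and the expected tag reach the loader over SSL/TLS, the content arrives over the ordinary untrusted path, and SHA-256 is the hash (the slides do not name one). `sign` and `load_if_authentic` are hypothetical helpers, not part of NDK.

```python
import hashlib
import hmac

def sign(key, content):
    """Tag the publisher would compute and ship alongside the loader."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()

def load_if_authentic(key, content, claimed_tag):
    """Return the content for injection only if its HMAC matches, else None."""
    expected = sign(key, content)
    if hmac.compare_digest(expected, claimed_tag):
        return content
    return None

key = b"delivered-with-the-loader-over-tls"  # made-up key for the example
page = b"<div>original ad</div>"
tag = sign(key, page)

print(load_if_authentic(key, page, tag) is not None)            # True
print(load_if_authentic(key, b"<div>replaced ad</div>", tag))   # None
```

Content altered in transit fails the check and never reaches the DOM; the bulk bytes can still come from the existing CDN.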
• The commercial people are why we have strong
crypto in the browser in the first place. Thanks
credit card craving commerce people!
• Feds: If you like sniffing traffic, require the
providers to need a warrant before going hostile.
– Ad replacement will spread web crypto like
nothing else ever has.
• Now: Is it possible to get better data regarding the
inevitability of all of this?
The Transparent Proxy Gem
• Some consumer networks have transparent proxies
– These take all traffic outbound on Port 80 and coalesce
onto a single proxy instance that uses the Host: header
to route requests to the correct destination
– Arbitrary TCP = Arbitrary Headers
– So an attacker can go back to the IP address that
provided the applet, and ask for Host: www.fark.com – it’ll
get routed to Fark instead of to the original host
• What this means
– Since the same infrastructure ultimately hosts all
web content, all sites (once they’re cached in proxy)
come from the same host
– A speed test against this “transparent” (easily detectable)
proxy for various sites will directly yield information about
The Silent Censor Detector
• Even if there’s no transparent proxy, a filter box
can still limit traffic for web requests with non-
preferred Host: headers.
• Using Flash, we can impersonate being a Host: for
any site on the Internet when we provide a speed test
– The thinking is that the attacker/provider won’t
monitor the IP address used to contact Host:
www.whatever.com, and will thus equally rate
limit traffic with that Host: no matter what
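A small sketch of both ideas: building a request with an arbitrary Host: header, then comparing measured throughput per Host: against a baseline. The helper names and the sample measurements are invented for illustration; no real network was measured.

```python
def build_request(host, path="/"):
    """Raw HTTP/1.1 request bytes carrying whatever Host: header we choose."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def throughput(byte_count, seconds):
    """Bytes per second for one download."""
    return byte_count / seconds

def relative_rate(samples, baseline_host):
    """Each Host:'s throughput as a fraction of the baseline Host:'s throughput."""
    base = throughput(*samples[baseline_host])
    return {host: throughput(*sample) / base for host, sample in samples.items()}

print(build_request("www.fark.com"))
# b'GET / HTTP/1.1\r\nHost: www.fark.com\r\nConnection: close\r\n\r\n'

# Hypothetical (bytes, seconds) results, same server and path, Host: varied.
samples = {
    "www.fark.com": (1_000_000, 2.0),
    "www.whatever.com": (1_000_000, 8.0),
}
print(relative_rate(samples, "www.fark.com"))
# {'www.fark.com': 1.0, 'www.whatever.com': 0.25}
```

Because both downloads use the same IP address and path, a large gap between the two rates points at the Host: header rather than at the route.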
The Detectability Problem
• In every major networking company, I
assume there is a protocol guy as ornery
as I am
– “Oh yeah, well I’ll just detect him doing
• Is it possible to build a hostility detection
system that uses traffic indistinguishable
from real world traffic?
• We want to spoof sites on the Internet.
• We want to know what these sites would see.
• We want to be able to respond as if we were these sites
• We don’t want the real sites to interfere with our
• Good luck! That would require…sequence numbers
– We’d have to know where in the TCP stream an
attacker was, and that’s clearly not possible…
Introducing: INSPECTOR PAKKET
• What normally stops Mallory from pretending to be a random
site on the Internet?
– Mallory doesn’t know sequence numbers client will
– Mallory has to compete with real server for the sending of
• What do we have?
– A sniffer that will leak sequence numbers to Mallory
• What can Mallory now do?
– Send data to the client that it’ll accept
– Send a RST to the server so it’ll shut down the
session it has with the client
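Why the leaked sequence numbers matter can be shown with standard TCP arithmetic. This is a sketch of the bookkeeping only, with made-up numbers; the helper names are illustrative, and the window test is the simplified form for a zero-length segment such as a RST.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def next_seq(seq, payload_len, syn=False, fin=False):
    """Sequence number that follows a segment; SYN and FIN each consume one."""
    return (seq + payload_len + int(syn) + int(fin)) % MOD

def acceptable(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in the receive window [rcv_nxt, rcv_nxt + rcv_wnd)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

# The sniffer reports the last segment it saw: seq 4294967000 with 500 bytes.
expected = next_seq(4294967000, 500)
print(expected)                              # 204 (wrapped past 2**32)
print(acceptable(expected, expected, 65535)) # True: data or RST lands in window
print(acceptable(1_000_000, expected, 65535))# False: a blind guess is ignored
```

Without the leak, Mallory has to guess a value inside a window that covers a tiny fraction of the 32-bit space.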
Go Pakket Go!
• About that RST…
– RST is a TCP Reset message – it shuts down a socket
• Requires correct SEQ#, but don’t worry, we have that
• When Mallory spoofs Bob to Alice, Alice is going to ACK to Bob
– Normally, Bob will send RSTs back to Alice, since there’s
no associated session
– Thankfully, Bob is usually running a firewall that long
since shut down its connection for Alice…and so drops
all of Alice’s ACKs that have been stimulated by Mallory’s
• And just to be clear, how is Mallory getting those ACKs?
– AJAcks: TCP Acks over AJAX
Go Go Pakket Pwn
• ‘The goal is to identify the applications being used on the
network, but some of these devices can go much further;
those from a company like Narus, for instance, can look
inside all traffic from a specific IP address, pick out the HTTP
traffic, then drill even further down to capture only traffic
headed to and from Gmail, and can even reassemble emails
as they are typed out by the user.‘
• Given a colluding client, I can:
• Impersonate anyone who doesn’t ACK my traffic
• Generate arbitrary traffic that is completely
indistinguishable from theirs
• Provide deep packet inspectors with a whole new
realm of content to inspect.
• I recommend inspecting this information. Deeply.
• DNS Rebinding threatens the boundaries of your network
– There are multiple rebinding mechanisms and many
major use cases for each of them; this will not be an easy
problem to fix.
– The web could use some real work on its underlying
• We may need to consider applying integrity, and perhaps
encryption to all web traffic due to provider hostility
• There are mechanisms for detecting such hostility that
should be deployable shortly.
• Sit down
• Put some music on
• Start writing code
• Get totally distracted
– Write something completely different
– Find out later why
A Fun Little Distraction
• “Dotplots??? WTF!”
– Best feedback I’ve ever gotten
• Dotplots are a mechanism for visually analyzing similarity
across a dataset
– See last year’s talk for details
• So I decided to port last year’s talk to WinAMP.
– I’m listening to music
– I like pretty pictures
– I should like listening to music that generates pretty
• Be nice to code something that I’d never show at Black Hat!
LudiVu: Realtime Audio Visualizer
• Images are based directly on spectral similarity
– “How similar is what I’m hearing now, to what I’ve heard
for the last n seconds?”
• Bass = Red
• Midrange = Green
• Treble = Blue
– Our auditory system almost certainly does this too
• Always good to match what the ear is up to
– Our auditory system almost certainly does this better
• Amazingly apocalyptically naïve similarity metric!
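A minimal sketch of the color mapping, assuming each audio frame has already been reduced to three band energies scaled to [0, 1]. The similarity metric here (one minus the absolute difference) is my own stand-in for the "naïve" metric, which the slides do not spell out, and the function names are hypothetical.

```python
def band_similarity(a, b):
    """Naive similarity of two band energies in [0, 1]: 1 when equal, 0 when opposite."""
    return 1.0 - abs(a - b)

def dotplot_column(history, current):
    """One image column: compare the current frame with each earlier frame.

    Frames are (bass, midrange, treble) energies in [0, 1].
    Each pixel is an (R, G, B) triple in 0..255, one channel per band.
    """
    column = []
    for past in history:
        pixel = tuple(
            round(255 * band_similarity(p, c)) for p, c in zip(past, current)
        )
        column.append(pixel)
    return column

history = [(1.0, 0.5, 0.0), (0.0, 0.5, 1.0)]  # last n frames (made-up values)
current = (1.0, 0.5, 0.0)                     # what we are hearing now
print(dotplot_column(history, current))
# [(255, 255, 255), (0, 255, 0)]
```

An identical earlier frame comes out white; a frame that matches only in the midrange comes out green.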
What We See
• “Visual Hash” of auditory segments, based on mutual
similarity/dissimilarity across frequencies
– Reflects overall timbre of what we’re hearing
• Vertical lines representing repeated structures in the music
– Lines close = Fast Tempo
– Lines far away = Slow Tempo
• Tradeoff between visual hash and structure detection
– Blur less, get better visual hashing
– Blur more, get better structure detection
So Why Is This At Black Hat?
• I’m doing web research!
• One of my friends, Zane Lackey, knows
AJAX quite well and is in town
– We go out for beers.
– Me: “So I’m working on this really cool
thing, it makes pictures from sound!”
– Zane: “What, for Audio CAPTCHAs?”
– Me: “…”
• CAPTCHA: “Completely Automated Public Turing test to tell
Computers and Humans Apart”
• Used to bind access to a resource to the presence of a human
– Web sites use them to suppress bots
• So I get this email, in response to me breaking CAPTCHAs...
– “CAPTCHA is quite annoying. I use a few programs to
send "auto-messages" and to "steal friends" from others'
pages. They had a way around the CAPTCHA system for
a while, but not anymore. Check out www.xxx.com and
www.yyy.com. I dunno, I have 5 different accounts, and I
add 300 people a day on each one, so imagine - I'm
typing 250+ CAPTCHA codes a day on this damn
• The general idea is to use a human’s superior
ability at figure/ground separation to differentiate
• Image Captchas: Text, distorted and overlaid with
lines and other non-text shapes
– Problem: Blind people can’t get in
• Audio Captchas: Speech, distorted and overlaid
with quieter speech
– Humans get a 10 dB boost in perception simply
by paying conscious attention
– Problem: Audio is actually easier to hack.
Tips For Building Better Audio CAPTCHAs
• Don’t actually make your speech much louder than
– Easy to sync on regions of high volume
• Expand your vocabulary
– Use a sentence, rather than words in isolation,
as we’re much better at parsing them
• Ask a question, perhaps?
– “My name is Bob. How many letters are in my name?”