Successfully reported this slideshow.
copyright IOActive, Inc. 2006, all rights
Director of Penetration Testing
• Well, y’all wanted me stop titling things Black Ops
– Hikari, you got any idea what I’m here talking about?
• What are we not here to talk about
– DNS Rebinding
• Can rebind to home router
• Have video
• Go change passwords.
• Got questions? Find me later.
• So what are we here to talk about?
– What happens when Jason Larsen and I finally get some
time to break some stuff together ;)
– Typos in DNS.
• Relax. It’s worth it.
– Basic profit model
• Humans don’t type so good
• Sometimes miss keys
• When they miss keys, they tell their browser to go
somewhere that doesn’t exist
– Could just get a “No Such Server Error”, or…
– Could get ads!
• Static Registration
– Guess what might get clicked, buy that name
– Must pay per guess, might be wrong
• Dynamic Registration
– Sitefinder by Verisign
• Unveiled in 2003
• Unregistered names suddenly start returning
an ad server, instead of NXDOMAIN
• Reveiled in 2003, never to return
The New Era Of Typosquatting
• Son Of Sitefinder: ISP Injection
– DNS is hierarchal
• Client asks the local name server.
• Local name server asks the root, is sent to .com
• Local name server asks .com, is given NXDOMAIN
– Sitefinder used to inject here…
• Normal: Local name server returns NXDOMAIN to client
– $ nslookup nxdomain--.com 18.104.22.168
*** vnsc-pri.sys.gtei.net can't find nxdomain--.com:
• Son Of Sitefinder: Local name server returns NOERROR to
client, with ads attached
– $ nslookup nxdomain--.com 22.214.171.124
Addresses: 126.96.36.199, 188.8.131.52, 184.108.40.206,
220.127.116.11 18.104.22.168, 22.214.171.124
The Problem: They’re Spoofing
• DNS is hierarchal
– Client asks the local name server.
– Local name server asks the root, is sent to .com
– Local name server asks .com, is given foo.com
– Local name server asks foo.com, is given NXDOMAIN
– Normal: Local name server returns NXDOMAIN to client
• nslookup nonexistent.www.bar.com 126.96.36.199
*** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com:
– Son Of Sitefinder: Local name server returns NOERROR to
client, with ads attached
– $ nslookup nonexistent.www.bar.com 188.8.131.52
Addresses: 184.108.40.206, 220.127.116.11, 18.104.22.168,
22.214.171.124 126.96.36.199, 188.8.131.52
• NXDOMAIN was supposed to mean “No Such Domain”
– There is such a domain. There’s just not this subdomain in it.
• We don’t think this behavior is intentional
– Just so happens that subdomain
NXDOMAINs look exactly like domain
• Only difference is the source
• Identical effects in the browser
• Well, it’s not unintentional for everyone…
This Should Seem Familiar
Parent Of Son Of Sitefinder Returns!
• April 8th
, becomes clear that Network
Solutions injects subdomains into their
– Small print in a 53 page contract
– Stay classy, NetSol
• But heh, at least there’s a contract
Times Square Effect: Told Ya
• Times Square Effect
– When you see Times Square in a movie,
that’s not Times Square. All ads have
been replaced, because there’s no
contractual obligation not to replace
– No contractual obligation between ISP
and Web Sites not to replace traffic
But What About Trademark Law?
• # dig in.ur.www.facebook.com
• ;; QUESTION SECTION:
• ;in.ur.www.facebook.com. IN A
• ;; ANSWER SECTION:
• in.ur.www.facebook.com™. 300 IN A 184.108.40.206 [adserver]
• in.ur.www.facebook.com™. 300 IN A 220.127.116.11 [adserver]
• in.ur.www.facebook.com™. 300 IN A 18.104.22.168 [adserver]
• in.ur.www.facebook.com™. 300 IN A 22.214.171.124 [adserver]
• in.ur.www.facebook.com™. 300 IN A 126.96.36.199 [adserver]
• in.ur.www.facebook.com™. 300 IN A 188.8.131.52 [adserver]
Doesn’t that qualify as Trademark Violation, with Use In Commerce?
– I don’t know. I’m not a lawyer. The hordes seem to think so, however.
– I am, however, a hacker…
• Trademark Policy: Trust the good, as it possesses the
• Same Origin Policy: Trust the subdomain, as it possesses
the protected domain
– Local Name Server asks bar.com, is sent to
– Local Name Server asks www.bar.com, is told
foo.www.bar.com is at 184.108.40.206
– Foo.www.bar.com was thus “vouched for” by
• Trademark controls human trust, Same Origin controls
browser trust. The two policies are actually synchronized.
– Both are under attack.
• Anything goes wrong on a subdomain, it is an
element of the parent
– Can access cookies
– Can do…other things
• Normally, a subdomain is trusted by its parent…
– But in this case, the subdomain is some
random server run by a bunch of advertisers
– …and if this random server, happened to
possess a cross site scripting vulnerability…
• # curl
– YES IT ACTUALLY PREFACES THE
XSS WITH DNS ERROR I AM NOT
Welcome to Barefruit.
• Popular DNS Ad Injection Company
• Notable customers
– Earthlink/Mindspring -- everywhere
• Outsourced to Earthlink, probably didn’t even know
• No idea how outsourced
– At least partial deployment, probably small. Finder.cox.com
resolves to their servers.
– Trial deployment only
– Has multiple ad networks.
– Barefruit appears to be used in ~20 regions
• Time Warner also does DNS injection, but not through Barefruit
They’re Not Alone
• For each name server, ask for a nonexistent
– For each nameserver that provides an answer,
ask for an existing domain.
– If the answer is correct, it’s an NXDOMAIN
• Appears to be ~72 ISPs doing some sort of
injection. Lots of big names. This is spreading.
Now, this is only a subdomain…what
can you really do with a subdomain?
• Obligatory attack: Grab Cookies
– Credentials to many sites
– PII for some
– Can also get any “supercookies”
• Flash Storage
• DOM Storage
Cookie Grab (Pre)
Cookie Grab (Post)
Can Also Fake Subdomains
• There is no legitimate subdomain
– But a page comes back with arbitrary script…
– So you can populate anything, on any domain,
• Perfect for phishing
• You get a link to your bank, you see in the address
bar, server2.www.yourbank.com, you type credentials
• You see a banner ad to join a beta program at
Microsoft, you click through, download what you think
is the latest build…
– Actually malware
Fake Site (pre)
Fake Site (Post)
Fake Site (Post2)
But That’s Just Not Enough
• Cookie Excuses
– But cookies are often tied to Source IP!
– But cookies can use HTTP Only so they aren’t readable from
– But cookies might be just secure cookies!
• Fake Site Excuses
– But you’re not actually logged in
– You don’t know the content of the site to spoof
• Can we do anything better?
– We’re a malicious subdomain
– Can’t we just script into our parent?
• Pop-under windows: They’re not just for annoying ads
• Document.domain is our friend…
• DOM element that specifically allows children to inject into
Choosing The Demo
• Needed to be generic to all sites
• Needed to express the distance between
what you expected to happen, and what
• Needed to be…recognizable…without
H0h0h0h0…and it ain’t just Facebook
The Associated Press
In Case You’re Curious
• THE LAWYERS ARE NOT AMUSED
• This was only a simulation.
• BAREFRUIT FOREVA!
• We got through to Barefruit before this talk
– Crystal Williams got me through to Earthlink
– Earthlink got me through to Barefruit
– Barefruit fixed the bug in ~27 minutes once they
understood the bug
– All were awesome, thanks!
• All ISP’s were redirecting to Barefruit’s servers, so we’re
OK…or are we?
So Now What
• Barefruit is still injecting into trademarked subdomains.
• The immediate crisis is over, but the security of the web (at these
ISPs) is basically limited by the security of these ad servers
– Don’t attack Facebook, attack the ad server
– Don’t attack MySpace, attack the ad server
– Don’t attack PayPal, attack the ad server
• I am not a lawyer, I am a security engineer
– I cannot secure the web if ISP’s will change the bytes I send
– Need legal and PR support to stop PITMA’s
• Provider In The Middle Attacks
– Brad Hill pointed out that MITM isn’t exactly theoretical
– Neither is Ad Injection
– Luckily, the counsel I’ve spoken to does not appear to be
• Even small amounts of failed net neutrality can lead to
catastrophic side effects on Internet security
– Intent is not required to really break everything
• Security needs the lawyers
– Even if everything was 100% SSL, if the ISP could
require code on the box, they could still bypass the
crypto, and alter the content
– We need the precedent: You can host nothing. You
can host something. But you can’t host something