copyright IOActive, Inc. 2006, all rights
Director of Penetration Testing
• Well, y’all wanted me to stop titling things Black Ops
– Hikari, you got any idea what I’m here talking about?
• What are we not here to talk about
– DNS Rebinding
• Can rebind to home router
• Have video
• Go change passwords.
• Got questions? Find me later.
• So what are we here to talk about?
– What happens when Jason Larsen and I finally get some
time to break some stuff together ;)
– Typos in DNS.
• Relax. It’s worth it.
– Basic profit model
• Humans don’t type so good
• Sometimes miss keys
• When they miss keys, they tell their browser to go
somewhere that doesn’t exist
– Could just get a “No Such Server Error”, or…
– Could get ads!
• Static Registration
– Guess what might get clicked, buy that name
– Must pay per guess, might be wrong
• Dynamic Registration
– Sitefinder by Verisign
• Unveiled in 2003
• Unregistered names suddenly start returning
an ad server, instead of NXDOMAIN
• Reveiled in 2003, never to return
The New Era Of Typosquatting
• Son Of Sitefinder: ISP Injection
– DNS is hierarchical
• Client asks the local name server.
• Local name server asks the root, is sent to .com
• Local name server asks .com, is given NXDOMAIN
– Sitefinder used to inject here…
• Normal: Local name server returns NXDOMAIN to client
– $ nslookup nxdomain--.com 220.127.116.11
*** vnsc-pri.sys.gtei.net can't find nxdomain--.com:
• Son Of Sitefinder: Local name server returns NOERROR to
client, with ads attached
– $ nslookup nxdomain--.com 18.104.22.168
Addresses: 22.214.171.124, 126.96.36.199, 188.8.131.52,
184.108.40.206 220.127.116.11, 18.104.22.168
The Problem: They’re Spoofing
• DNS is hierarchical
– Client asks the local name server.
– Local name server asks the root, is sent to .com
– Local name server asks .com, is given foo.com
– Local name server asks foo.com, is given NXDOMAIN
– Normal: Local name server returns NXDOMAIN to client
• nslookup nonexistent.www.bar.com 22.214.171.124
*** vnsc-pri.sys.gtei.net can't find nonexistent.www.bar.com:
– Son Of Sitefinder: Local name server returns NOERROR to
client, with ads attached
– $ nslookup nonexistent.www.bar.com 126.96.36.199
Addresses: 188.8.131.52, 184.108.40.206, 220.127.116.11,
18.104.22.168 22.214.171.124, 126.96.36.199
• NXDOMAIN was supposed to mean “No Such Domain”
– There is such a domain. There’s just not this subdomain in it.
• We don’t think this behavior is intentional
– Just so happens that subdomain
NXDOMAINs look exactly like domain
• Only difference is the source
• Identical effects in the browser
• Well, it’s not unintentional for everyone…
Parent Of Son Of Sitefinder Returns!
• April 8th, it becomes clear that Network
Solutions injects subdomains into their
– Small print in a 53 page contract
– Stay classy, NetSol
• But heh, at least there’s a contract
Times Square Effect: Told Ya
• Times Square Effect
– When you see Times Square in a movie,
that’s not Times Square. All ads have
been replaced, because there’s no
contractual obligation not to replace
– No contractual obligation between ISP
and Web Sites not to replace traffic
But What About Trademark Law?
• # dig in.ur.www.facebook.com
;; QUESTION SECTION:
;in.ur.www.facebook.com. IN A
;; ANSWER SECTION:
in.ur.www.facebook.com™. 300 IN A 188.8.131.52 [adserver]
in.ur.www.facebook.com™. 300 IN A 184.108.40.206 [adserver]
in.ur.www.facebook.com™. 300 IN A 220.127.116.11 [adserver]
in.ur.www.facebook.com™. 300 IN A 18.104.22.168 [adserver]
in.ur.www.facebook.com™. 300 IN A 22.214.171.124 [adserver]
in.ur.www.facebook.com™. 300 IN A 126.96.36.199 [adserver]
Doesn’t that qualify as Trademark Violation, with Use In Commerce?
– I don’t know. I’m not a lawyer. The hordes seem to think so, however.
– I am, however, a hacker…
• Trademark Policy: Trust the good, as it possesses the
• Same Origin Policy: Trust the subdomain, as it possesses
the protected domain
– Local Name Server asks bar.com, is sent to
– Local Name Server asks www.bar.com, is told
foo.www.bar.com is at 188.8.131.52
– Foo.www.bar.com was thus “vouched for” by
• Trademark controls human trust, Same Origin controls
browser trust. The two policies are actually synchronized.
– Both are under attack.
• If anything goes wrong on a subdomain, it is still an
element of the parent
– Can access cookies
– Can do…other things
• Normally, a subdomain is trusted by its parent…
– But in this case, the subdomain is some
random server run by a bunch of advertisers
– …and if this random server, happened to
possess a cross site scripting vulnerability…
• # curl
– YES IT ACTUALLY PREFACES THE
XSS WITH DNS ERROR I AM NOT
Welcome to Barefruit.
• Popular DNS Ad Injection Company
• Notable customers
– Earthlink/Mindspring -- everywhere
• Outsourced to Earthlink, probably didn’t even know
• No idea how outsourced
– At least partial deployment, probably small. Finder.cox.com
resolves to their servers.
– Trial deployment only
– Has multiple ad networks.
– Barefruit appears to be used in ~20 regions
• Time Warner also does DNS injection, but not through Barefruit
They’re Not Alone
• For each name server, ask for a nonexistent
– For each nameserver that provides an answer,
ask for an existing domain.
– If the answer is correct, it’s an NXDOMAIN
• Appears to be ~72 ISPs doing some sort of
injection. Lots of big names. This is spreading.
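The sweep described on this slide, as an added example (not the original author's tooling): the probe logic takes a `resolve(name)` callable so it runs here against two constructed fake resolvers; point it at a real stub resolver to test a live name server. Assumed: `resolve` returns a list of A records, or `None` when the server answers NXDOMAIN.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# resolve(name) -> list of A records, or None when the server says NXDOMAIN
Resolver = Callable[[str], Optional[List[str]]]

def classify(resolve: Resolver, existing: str = "www.example.com") -> Tuple[str, List[str]]:
    """Apply the slide's test to one resolver.

    Returns (verdict, injected_ips). verdict is:
      'honest'    - random names come back NXDOMAIN (a dead resolver also lands here)
      'injecting' - random names get A records, but a real name still
                    resolves to something different (NXDOMAIN rewriting)
      'broken'    - everything maps to the same addresses, or the real
                    name fails; cannot tell injection from a sinkhole
    """
    probes = [
        f"nx-{secrets.token_hex(6)}.com",          # unregistered domain (Sitefinder case)
        f"nx-{secrets.token_hex(6)}.{existing}",   # nonexistent subdomain of a real site
    ]
    injected: List[str] = []
    for name in probes:
        answer = resolve(name)
        if answer:
            injected.extend(answer)
    if not injected:
        return "honest", []
    real = resolve(existing)
    if not real or set(real) & set(injected):
        return "broken", sorted(set(injected))
    return "injecting", sorted(set(injected))

# --- constructed fake resolvers standing in for real ISP name servers ---
REAL_SITE = {"www.example.com": ["192.0.2.10"]}   # constructed, TEST-NET-1 address
AD_SERVERS = ["192.0.2.200", "192.0.2.201"]       # constructed ad-server pool

def honest_resolver(name: str) -> Optional[List[str]]:
    return REAL_SITE.get(name)                    # None == NXDOMAIN

def injecting_resolver(name: str) -> Optional[List[str]]:
    # NOERROR with ad-server addresses instead of NXDOMAIN, as on the nslookup slide
    return REAL_SITE.get(name, AD_SERVERS)

def survey(resolvers: Dict[str, Resolver]) -> Dict[str, str]:
    """Run classify over a map of label -> resolver, like the ISP sweep on the slide."""
    return {label: classify(r)[0] for label, r in resolvers.items()}

if __name__ == "__main__":
    print(survey({"honest": honest_resolver, "isp-with-ads": injecting_resolver}))
```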
Now, this is only a subdomain…what
can you really do with a subdomain?
• Obligatory attack: Grab Cookies
– Credentials to many sites
– PII for some
– Can also get any “supercookies”
• Flash Storage
• DOM Storage
Can Also Fake Subdomains
• There is no legitimate subdomain
– But a page comes back with arbitrary script…
– So you can populate anything, on any domain,
• Perfect for phishing
• You get a link to your bank, you see in the address
bar, server2.www.yourbank.com, you type credentials
• You see a banner ad to join a beta program at
Microsoft, you click through, download what you think
is the latest build…
– Actually malware
But That’s Just Not Enough
• Cookie Excuses
– But cookies are often tied to Source IP!
– But cookies can use HttpOnly so they aren’t readable from
– But cookies might be just secure cookies!
• Fake Site Excuses
– But you’re not actually logged in
– You don’t know the content of the site to spoof
• Can we do anything better?
– We’re a malicious subdomain
– Can’t we just script into our parent?
• Pop-under windows: They’re not just for annoying ads
• document.domain is our friend…
• DOM element that specifically allows children to inject into
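To weigh the cookie excuses above, an added example (not from the original slides) that applies RFC 6265 scoping to a constructed set of Set-Cookie headers issued by www.bar.com and reports which ones a page served from an injected child name would receive, and which its script could read. The header values and host names are constructed; binding cookies to source IP is not modelled.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match; inputs are lowercase with no leading dot."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def audit(set_cookie_headers: List[str], site_host: str, injected_host: str,
          injected_https: bool = False) -> Dict[str, Dict[str, bool]]:
    """Per cookie: is it sent to the injected host, and can script there read it?"""
    report: Dict[str, Dict[str, bool]] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain:
                sent = domain_matches(injected_host, domain)   # domain cookie: all children
            else:
                sent = injected_host == site_host              # host-only cookie: origin host only
            if morsel["secure"] and not injected_https:
                sent = False                                   # Secure: never over plain http
            report[name] = {
                "sent_to_injected_host": sent,
                "readable_by_injected_script": bool(sent and not morsel["httponly"]),
            }
    return report

# Constructed sample: what a login on www.bar.com might set
SAMPLE_HEADERS = [
    "session=abc123; Domain=bar.com; Path=/",          # scoped to the whole domain
    "csrf=tok456; Domain=bar.com; Path=/; HttpOnly",    # scoped, but hidden from script
    "pref=dark; Path=/",                                # host-only: www.bar.com alone
    "sso=xyz; Domain=.bar.com; Secure; HttpOnly",       # needs https, not script-readable
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_HEADERS, "www.bar.com", "server2.www.bar.com").items():
        print(name, flags)
```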
Choosing The Demo
• Needed to be generic to all sites
• Needed to express the distance between
what you expected to happen, and what
• Needed to be…recognizable…without
In Case You’re Curious
• THE LAWYERS ARE NOT AMUSED
• This was only a simulation.
• BAREFRUIT FOREVA!
• We got through to Barefruit before this talk
– Crystal Williams got me through to Earthlink
– Earthlink got me through to Barefruit
– Barefruit fixed the bug in ~27 minutes once they
understood the bug
– All were awesome, thanks!
• All ISPs were redirecting to Barefruit’s servers, so we’re
OK…or are we?
So Now What
• Barefruit is still injecting into trademarked subdomains.
• The immediate crisis is over, but the security of the web (at these
ISPs) is basically limited by the security of these ad servers
– Don’t attack Facebook, attack the ad server
– Don’t attack MySpace, attack the ad server
– Don’t attack PayPal, attack the ad server
• I am not a lawyer, I am a security engineer
– I cannot secure the web if ISPs will change the bytes I send
– Need legal and PR support to stop PITMAs
• Provider In The Middle Attacks
– Brad Hill pointed out that MITM isn’t exactly theoretical
– Neither is Ad Injection
– Luckily, the counsel I’ve spoken to does not appear to be
• Even small amounts of failed net neutrality can lead to
catastrophic side effects on Internet security
– Intent is not required to really break everything
• Security needs the lawyers
– Even if everything was 100% SSL, if the ISP could
require code on the box, they could still bypass the
crypto, and alter the content
– We need the precedent: You can host nothing. You
can host something. But you can’t host something