Protecting Browsers from DNS
Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh



DNS Rebinding Attack / Presentation for the Seminar : Current Topics in Software Fault Tolerance

Slide 1: Protecting Browsers from DNS Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh
Felipe Mattosinho
Slide 2: Outline
  - Introduction
  - How DNS Rebinding Works
  - DNS Rebinding Vulnerabilities
  - Attacks using DNS Rebinding
  - Defenses Against Rebinding
  - Related Work
Slide 3: Introduction - Browsers and DNS Caching
  - Why do browsers cache DNS?
  - Different browsers have different caching policies and mechanisms, e.g. Firefox, Safari, Internet Explorer.
  - The TTL holds the time for which a DNS entry is valid.
  - Browsers "should" cache until the TTL expires.
Slide 4: Introduction - Browser Same Origin Policy
  - The browser attempts to stop client-side script from accessing a different origin.
  - The policy applies to network access and to browser state such as the DOM interface, cookies, cache, history, and the password database.
  - Same origin means same protocol, domain name and port number.
  - Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
Slide 5: Introduction - Browser Same Origin Policy
  - Access within the same origin: plug-ins such as Flash Player and Java can access network sockets directly.
  - Access between different origins: Flash Player permits its movies to read back HTTP responses, governed by an XML policy.
  - Prohibited access (ports the browser refuses to connect to):

      Internet Explorer 7        Firefox 2                        Safari 2
      FTP 21, SMTP 25,           FTP 21, SMTP 25,                 Ports are not blocked
      POP3 110, NNTP 119,        POP3 110, NNTP 119,
      IMAP 143                   IMAP 143 + 51 additional ports
Slide 6: How DNS Rebinding Works (diagram)
  Bob visits www.SE-ROCKS.com, which carries a "Win a car" advertisement served from www.badguy.com. The ISP's resolver answers www.badguy.com : IP 1.2.3.4, TTL 2s, and Bob's browser loads the malicious JavaScript from there. Alice is the target.
Slide 7: How DNS Rebinding Works (diagram)
  Bob (IP 10.1.1.2) runs the JavaScript:
      // Reconnect to www.badguy.com after 2s
  When the script reconnects, the DNS answer is now www.badguy.com : IP 10.1.1.3, which is Alice's address (IP 10.1.1.3), so the request reaches Alice while the browser still treats it as belonging to the www.badguy.com origin.
Slide 8: DNS Rebinding Vulnerabilities - Standard Rebinding Vulnerabilities
  - Multiple A Records
      Multiple IP addresses resolve to the same host name. In 1996, the first attack aimed to confuse the security policy of the JVM: a Java applet connects to both the target and the attacker's web server.
  - Time-Varying DNS
      In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound with a very short TTL. After rebinding www.badguy.com to the target's IP address, the XMLHttpRequest object connects to www.badguy.com, which now resolves to the target's server.
Slide 9: DNS Rebinding Vulnerabilities - Standard Rebinding Vulnerabilities
  - Pinning in Current Browsers
      The browser pins a host name to an IP address.
      Internet Explorer 7 binds a host to an IP for 30 minutes by default. With multiple A records, the browser can try different IP addresses within 1 sec.
      Internet Explorer 6 also pins for 30 minutes. The pin can easily be released with the following HTML:
          <img src="http://badguy.com:81/">
      Firefox 1.5 and 2 cache DNS entries for 60 to 120 seconds.
      Opera 9 has the same behaviour as Internet Explorer 6, but holds a pin for 12 minutes.
      Safari 2 pins DNS bindings for 1 second.
Slide 10: DNS Rebinding Vulnerabilities - Standard Rebinding Vulnerabilities
  - Flash Player 9
      Flash Player is installed on 55.8% of web browsers (as of December 2006), according to Adobe. The experiments, however, showed 86.9%.
      Flash opens a connection to www.badguy.com on a port lower than 1024. Flash then automatically sends <policy-file-request />.
      The attacker responds with the following XML: [JBB+07]
Slide 11: Attacks using DNS Rebinding - Attacks
  - Firewall Circumvention
      Spidering the intranet
      Compromising unpatched machines
      Abusing internal open services
  - IP Hijacking
      Committing click fraud
      Sending spam
      Defeating IP-based authentication
      Framing clients
Slide 12: Attacks using DNS Rebinding - Experiment: Recruiting Browsers
  - DNS rebinding was tested by running a Flash Player 9 advertisement.
  - Two machines ran during three successive nights. The attacker ran:
      1. A custom authoritative DNS server
      2. A custom Flash Player policy server
      3. An Apache web server hosting the advertisement
  - The target ran an Apache server to log successful attacks.
Slide 13: Attacks using DNS Rebinding - Experiment: Recruiting Browsers
  - The attack needed no user click.
  - The attack results (figures from [JBB+07])
Slide 14: Attacks using DNS Rebinding - Experiment: Recruiting Browsers
  Relevant numbers about the attack:
    1. 50,951 impressions from 44,924 unique IP addresses were acquired (40.2% IE7, 32.3% IE6, 23.5% Firefox, 4% other).
    2. The rebinding experiment ran on the 44,301 (86.9%) impressions that reported Flash Player 9.
    3. The experiment was successful on 30,636 (60.1%) impressions and 27,840 unique IP addresses.
    4. The attack was less successful on Mac OS.
Slide 15: Defenses Against Rebinding - Fixing Firewall Circumvention
  - Enterprise
      Block outbound traffic on port 53; a DNS server can be configured not to bind external names to internal IP addresses. Use dnswall to enforce the policy.
  - Consumer
      Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall.
  - Software
      E.g. Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
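All three defences on this slide come down to one rule, which dnswall enforces at the resolver: an external name must never resolve to an address inside the protected network. The Python function below, added here as an illustration and not code from the paper, the deck or the dnswall project, applies that rule to a set of A-record answers. The internal suffix corp.example, the protected ranges and the sample answers are constructed for the example.

```python
import ipaddress

# Ranges an external (Internet) host name must never resolve to on the
# client's side of the firewall: RFC 1918 space, loopback and link-local.
# An enterprise would add its own public ranges here (constructed defaults).
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),     # the Windows Firewall case on the slide
    ipaddress.ip_network("169.254.0.0/16"),
]

# Names under these suffixes are the organisation's own and may legitimately
# resolve to internal addresses (constructed for the example).
INTERNAL_SUFFIXES = ("corp.example",)


def is_internal_name(name, internal_suffixes=INTERNAL_SUFFIXES):
    """True if `name` belongs to one of the organisation's own zones."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in internal_suffixes)


def filter_answers(name, answers, internal_suffixes=INTERNAL_SUFFIXES,
                   protected=PROTECTED_NETWORKS):
    """Return (kept, dropped) for the A records `answers` of host `name`.

    Internal names pass through untouched. For any other name, answers that
    fall inside a protected range are dropped, which is exactly the record a
    rebinding attack relies on (www.badguy.com -> 10.1.1.3 in the slides).
    """
    if is_internal_name(name, internal_suffixes):
        return list(answers), []
    kept, dropped = [], []
    for a in answers:
        addr = ipaddress.ip_address(a)
        if any(addr in net for net in protected):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


if __name__ == "__main__":
    # The slide-7 scenario: after the TTL expires the attacker's name points
    # at Alice (10.1.1.3); a dnswall-style resolver simply never returns it.
    print(filter_answers("www.badguy.com", ["1.2.3.4", "10.1.1.3"]))
    print(filter_answers("wiki.corp.example", ["10.1.1.3"]))
```

Dropping the answer rather than the whole response keeps legitimately multi-homed external hosts reachable, and the `dropped` list is what you would feed to logging: an external name that resolves into RFC 1918 space is a strong detection signal on its own.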
Slide 16: Defenses Against Rebinding - Fixing Plug-ins
  - Flash Player
      Apply a policy only if it was obtained for the same IP address and the same host name. Request the policy before opening sockets to any port.
  - Java
      The connect method is used to obtain a proxied socket connection to an external machine.
  - Java LiveConnect
      Remove multi-pin vulnerabilities by using the same DNS cache as the browser.
Slide 17: Defenses Against Rebinding - Fixing Browsers (Default-Deny Sockets)
  - Checking Host Header
      Accept only expected Host headers.
  - Finer-grained Origins
      Refine the origin by adding information such as the server IP address or a public key.
      IP addresses: robust, but some applications, such as Gmail, may fail.
      Public keys: can lead to a problem with two HTTPS pages served from the same domain reading each other's state.
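The Host header check is a defence the intranet server can apply on its own: a rebound request still carries the attacker's host name in Host, because the browser believes it is talking to that origin, so a server that only answers to its own names rejects the request whatever IP the name resolved to. The snippet below is an added Python example, not code from the paper or the deck; the expected host names and port 8080 are assumptions made for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Host names this internal service is willing to answer for (constructed).
EXPECTED_HOSTS = {"intranet.corp.example", "10.1.1.3"}


def host_is_expected(host_header, expected=EXPECTED_HOSTS):
    """True only if the Host header names this server.

    A rebound request arrives with the attacker's name (www.badguy.com) in
    Host, so comparing Host against our own names rejects it regardless of
    which address the browser connected to.
    """
    if not host_header:
        return False                     # HTTP/1.1 requires Host; refuse if absent
    host = host_header.strip().lower()
    if host.startswith("["):             # bracketed IPv6 literal, optional :port
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:           # name or IPv4 literal with an explicit port
        host, _, port = host.partition(":")
        if not port.isdigit():
            return False
    return host.rstrip(".") in expected


class HostCheckingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_is_expected(self.headers.get("Host")):
            # 421 Misdirected Request: this request was not meant for us.
            self.send_error(421, "Misdirected Request")
            return
        body = b"internal service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on an assumed port; only requests whose Host header names this
    # service get a 200, everything else is refused before any handler runs.
    HTTPServer(("0.0.0.0", 8080), HostCheckingHandler).serve_forever()
```

The check belongs before any request handling, including static files, because the rebinding payload only needs to read the response body; a 421 with an empty body gives the attacker's script nothing.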
Slide 18: Defenses Against Rebinding - Fixing Browsers (Default-Deny Sockets)
  - Smarter Pinning
      Robustness vs. security.
      Extending the width of pins, e.g. from the IP 171.64.78.10 to the prefix 171.64.78.
      The developers of NoScript for Firefox are planning this pinning heuristic.
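The pin-width heuristic on this slide is small enough to prototype. The Python class below is an added example, not code from NoScript, the paper or the deck; the addresses are the ones used in the slides and the /24 width is the slide's own example.

```python
import ipaddress


class PinCache:
    """Browser-side DNS pins with a configurable width (prefix length).

    width=32 is ordinary per-address pinning. width=24, the slide's example
    (171.64.78.10 -> 171.64.78.0/24), keeps a site working when its load
    balancer moves a name between addresses in one subnet, yet still refuses
    the jump from a public address to an intranet one that rebinding needs.
    """

    def __init__(self, width=24):
        self.width = width
        self.pins = {}        # host name -> (pinned network, first address)
        self.violations = []  # (host name, refused address), for logging

    def check(self, name, resolved_ip):
        """Return the address the browser should actually connect to for `name`.

        The first resolution creates the pin. Later resolutions inside the
        pinned network are accepted; one outside it is recorded as a
        violation and the first pinned address is used instead.
        """
        addr = ipaddress.ip_address(resolved_ip)
        if name not in self.pins:
            net = ipaddress.ip_network(f"{addr}/{self.width}", strict=False)
            self.pins[name] = (net, addr)
            return str(addr)
        net, first = self.pins[name]
        if addr in net:
            return str(addr)                  # within the pin width: fine
        self.violations.append((name, str(addr)))
        return str(first)                     # outside the pin: keep the old address


if __name__ == "__main__":
    # Slide-7 scenario: www.badguy.com first resolves to 1.2.3.4, then to
    # Alice (10.1.1.3). With a /24 pin the second answer is refused.
    cache = PinCache(width=24)
    print(cache.check("www.badguy.com", "1.2.3.4"))
    print(cache.check("www.badguy.com", "10.1.1.3"))
    print(cache.violations)
```

The trade-off the slide calls "robustness vs. security" is visible in the width parameter: a wider pin tolerates more legitimate address churn but also lets a name move anywhere inside that prefix, so a width should never be so large that public and internal ranges share a pin.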
Slide 19: Defenses Against Rebinding - Fixing Browsers (Default-Deny Sockets)
  - Policy-based Pinning
      Browsers consult server-supplied policies to determine when it is safe to re-pin.
  - Pinning Pitfalls
      Common pin database: sharing the same database.
      Cache: the browser's cache and all plug-in caches must be modified to prevent rebinding attacks.
      document.domain
Slide 20: Defenses Against Rebinding - Fixing Browsers (Default-Allow Sockets)
  - Host Name Authorization
      "Honest machines" do not advertise host names controlled by attackers. [JBB+07]
  - Policy mechanism steps:
      1. Resolve the host name auth.ip.in-addr.arpa
      2. Does the host name exist?
      3. If the IP is policy-enabled, resolve the host name www.example.com.auth.ip.in-addr.arpa
      4. Determine if the host name is authorized
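The four steps above can be written as a small browser-side check. The Python below is an added example, not code from the paper or the deck, and it makes three assumptions the slide does not spell out: `ip` in the record names is written in the usual reversed-octet in-addr.arpa form; a machine that publishes no auth record is not policy-enabled and keeps the default-allow behaviour; and a policy-enabled machine authorizes a host name when the step-3 record resolves back to the machine's own address. The zone data and the resolver are constructed stand-ins for real DNS.

```python
import ipaddress

# Constructed zone data standing in for real DNS answers (name -> A record;
# a missing key plays NXDOMAIN). Alice (10.1.1.3, the intranet target from
# the slides) publishes policy records; the attacker's 1.2.3.4 publishes none.
ZONE = {
    "auth.3.1.1.10.in-addr.arpa": "10.1.1.3",
    "intranet.corp.example.auth.3.1.1.10.in-addr.arpa": "10.1.1.3",
}


def lookup(name):
    """Stand-in resolver: the A record for `name`, or None for NXDOMAIN."""
    return ZONE.get(name.lower())


def reverse_name(ip):
    """Reversed-octet in-addr.arpa name, e.g. 171.64.78.10 -> 10.78.64.171.in-addr.arpa."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def is_policy_enabled(ip, resolve=lookup):
    """Steps 1 and 2: does auth.<reversed ip>.in-addr.arpa exist?"""
    return resolve("auth." + reverse_name(ip)) is not None


def host_authorized(host, ip, resolve=lookup):
    """Steps 3 and 4: may the browser treat `host` as a valid name for `ip`?

    Assumptions (not stated on the slide): no auth record means the machine
    is not policy-enabled and the connection is allowed as today; a
    policy-enabled machine authorizes `host` only when
    <host>.auth.<reversed ip>.in-addr.arpa resolves to `ip` itself.
    """
    if not is_policy_enabled(ip, resolve):
        return True
    record = resolve(host.rstrip(".").lower() + ".auth." + reverse_name(ip))
    return record == ip


if __name__ == "__main__":
    # Alice authorizes her own name but not the attacker's, so the rebound
    # www.badguy.com -> 10.1.1.3 connection is refused by the browser.
    print(host_authorized("intranet.corp.example", "10.1.1.3"))
    print(host_authorized("www.badguy.com", "10.1.1.3"))
```

Because the records live under the target's own reverse zone, only whoever controls 10.1.1.3's in-addr.arpa delegation can publish them, which is what makes the "honest machines" property enforceable without any change on the attacker's side.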
Slide 21: Related Work
  - Using Browsers as Bots
      Can be used for a distributed denial of service attack.
  - Sender Policy Framework
      Stores policy information in DNS.
Slide 22: References
  [1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer
  [2] Dan Kaminsky. Black Ops 2007: Design Reviewing the Web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt
  [3] Wikipedia. http://en.wikipedia.org/wiki/Domain_Name_System
  [4] Google Safe Browsing for Firefox, 2005. http://www.google.com/tools/firefox/safebrowsing
  [5] J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html
  [6] D. Ross. Notes on DNS pinning. http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns.pinning.aspx, 2007

  Supervisor: Gert Pfeifer
Slide 23: THANK YOU! QUESTIONS?!
