Protecting Browsers from DNS Rebinding Attacks
Presented by Felipe Mattosinho
Paper authors: Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh
Dec 05, 2014
Outline
Introduction
How DNS Rebinding Works
DNS Rebinding Vulnerabilities
Attacks using DNS Rebinding
Defenses Against Rebinding
Related Work
Introduction
Browsers and DNS Caching
Why do browsers cache DNS?
Different browsers use different caching mechanisms, e.g. Firefox, Safari and Internet Explorer.
The TTL holds how long a DNS entry stays valid.
Browsers "should" cache an entry until its TTL expires.
Introduction
Browsers' Same Origin Policy
The browser attempts to stop client-side script from a different origin.
The policy applies to network access and to browser state such as the DOM interface, cookies, cache, history and the password database.
Same origin means same protocol, domain name and port number.
Examples:
Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
Introduction
Browsers' Same Origin Policy
Access within the same origin: plug-ins such as Flash Player and Java can access network sockets directly.
Access between different origins: Flash Player permits its movies to read back HTTP responses when an XML policy allows it.
Prohibited access (ports blocked by the browser):
Internet Explorer 7: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143
Firefox 2: FTP 21, SMTP 25, POP3 110, NNTP 119, IMAP 143 + 51 additional ports
Safari 2: ports are not blocked
How DNS Rebinding Works
[Diagram (labels: Bob, Alice, ISP): Bob visits www.SE-ROCKS.com, which shows a "Win a car" advertisement served by www.badguy.com. www.badguy.com resolves to IP 1.2.3.4 with a TTL of 2 s, and the ad's malicious JavaScript reconnects to www.badguy.com after 2 s.]
[Diagram, second step: Bob has IP 10.1.1.2 and Alice has IP 10.1.1.3. www.badguy.com now resolves to IP 10.1.1.3, so the reconnecting script reaches Alice's machine.]
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Multiple A Records
A single host name resolves to multiple IP addresses. In 1996, the first attack aimed to confuse the security policy of the JVM: a Java applet connected to both the target and the attacker's web server.
Time-Varying DNS
In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound with a very short TTL. After rebinding www.badguy.com to the target's IP address, the XMLHttpRequest object connects to www.badguy.com, which now resolves to the target's server.
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Pinning in Current Browsers
The browser pins a host name to an IP address.
Internet Explorer 7 binds a host to an IP for 30 minutes by default. With multiple A records, the browser can try different IP addresses within 1 second.
Internet Explorer 6 also pins for 30 minutes. The pin can easily be released with the following HTML: <img src="http://badguy.com:81/">
Firefox 1.5 and 2 cache DNS entries for between 60 and 120 seconds.
Opera 9 behaves like Internet Explorer 6, but holds a pin for 12 minutes.
Safari 2 pins DNS bindings for 1 second.
DNS Rebinding Vulnerabilities
Standard Rebinding Vulnerabilities
Flash Player 9
Flash Player is installed on 55.8% of web browsers (as of December 2006), according to Adobe. The experiments, however, showed 86.9%.
Flash opens a socket to a port below 1024 on www.badguy.com. Flash then automatically sends <policy-file-request />. The attacker responds with the following XML:
[JBB+07]
Attacks using DNS Rebinding
Attacks
Firewall Circumvention
Spidering the intranet
Compromising unpatched machines
Abusing internal open services
IP Hijacking
Committing click fraud
Sending spam
Defeating IP-based authentication
Framing clients
Attacks using DNS Rebinding
Experiment: Recruiting Browsers
DNS rebinding was tested by running a Flash Player 9 advertisement.
Two machines ran during three successive nights.
The attacker ran:
1. A custom authoritative DNS server
2. A custom Flash Player policy server
3. An Apache web server hosting the advertisement
The target ran an Apache server to log successful attacks.
Attacks using DNS Rebinding
Experiment: Recruiting Browsers
The attack needed no user click.
The attack results:
[JBB+07]
[JBB+07]
Attacks using DNS Rebinding
Experiment: Recruiting Browsers
Relevant numbers about the attack:
1. 50,951 impressions from 44,924 unique IP addresses were acquired (40.2% IE7, 32.3% IE6, 23.5% Firefox, 4% other).
2. The rebinding experiment ran on the 44,301 (86.9%) impressions that reported Flash Player 9.
3. The experiment was successful on 30,636 (60.1%) impressions and 27,840 unique IP addresses.
4. The attack was less successful on Mac OS.
Defenses Against Rebinding
Fixing Firewall Circumvention
Enterprise
Where outbound traffic on port 53 is blocked, the internal DNS server can be configured not to bind external names to internal IP addresses. Use dnswall to enforce this policy.
Consumer
Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall.
Software
E.g. Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
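As an added illustration of the dnswall rule described above (example code, not the dnswall project's own), the following filter drops A/AAAA answers that map a name outside the organisation's own zone onto a private, loopback or link-local address. The zone name corp.example and the sample responses are constructed.

```python
import ipaddress

# Constructed: the organisation's own zone, whose names may legitimately
# resolve to internal addresses. Every other name counts as external.
INTERNAL_ZONES = ("corp.example.",)


def is_internal_address(ip: str) -> bool:
    """True for addresses an external name must never be bound to
    (RFC 1918/4193 private, loopback, link-local, unspecified)."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def in_internal_zone(name: str) -> bool:
    """True if name is the internal zone apex or a name below it."""
    fqdn = name.lower().rstrip(".") + "."
    return any(fqdn == zone or fqdn.endswith("." + zone)
               for zone in INTERNAL_ZONES)


def filter_answers(qname: str, answers):
    """Apply the dnswall rule to one DNS response; returns (kept, dropped).

    Only the offending records are removed, so a response that mixes a
    public address with an internal one (the multiple A records variant)
    still hands the public address to the client."""
    kept, dropped = [], []
    for ip in answers:
        if is_internal_address(ip) and not in_internal_zone(qname):
            dropped.append(ip)
        else:
            kept.append(ip)
    return kept, dropped


# Constructed sample responses mirroring the slides: www.badguy.com first
# answers 1.2.3.4, then tries to rebind to Alice's 10.1.1.3 and to loopback.
SAMPLE_RESPONSES = [
    ("www.badguy.com", ["1.2.3.4"]),
    ("www.badguy.com", ["10.1.1.3", "127.0.0.1", "::1"]),
    ("www.badguy.com", ["1.2.3.4", "10.1.1.3"]),
    ("intranet.corp.example", ["10.1.1.3"]),
]

if __name__ == "__main__":
    for qname, answers in SAMPLE_RESPONSES:
        kept, dropped = filter_answers(qname, answers)
        print(f"{qname}: kept={kept} dropped={dropped}")
```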
Defenses Against Rebinding
Fixing Plug-ins
Flash Player
A policy is accepted only if it was obtained from the same IP address and the same host name.
Request the policy before opening sockets to any port.
Java
The connect method is used to obtain a proxied socket connection to an external machine.
Java LiveConnect
Remove multi-pin vulnerabilities by using the same cache as the browser.
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)
Checking Host Header
Accept only expected Host headers.
Finer-grained Origins
Refine the origin by adding information such as the server IP address or a public key.
IP addresses: robust, but some applications such as Gmail may fail.
Public keys: can cause a problem for two HTTPS pages served from the same domain that need to read each other's state.
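An added example of the Host header check (not code from the paper): the server answers only when the Host header, after normalisation, names a host the service expects to be addressed by, so a request that arrives through a rebound attacker name is refused even though the TCP connection reached the server. The expected host set and the sample requests are constructed.

```python
def normalize_host(value: str):
    """Canonicalise a Host header: lower-case, drop :port and trailing dot,
    keep IPv6 literals bracketed. Returns None for an unusable value."""
    value = value.strip().lower()
    if not value:
        return None
    if value.startswith("["):                       # [::1] or [::1]:8080
        end = value.find("]")
        rest = value[end + 1:] if end != -1 else None
        if rest is None or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            return None
        return value[:end + 1]
    host, sep, port = value.rpartition(":")
    if not sep:
        host = value
    elif not port.isdigit():
        return None
    return host.rstrip(".") or None


def extract_host(raw_request: bytes):
    """Return the single Host header of an HTTP/1.1 request head, or None.
    A missing Host header and duplicated Host headers are both rejected."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1] for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    return normalize_host(hosts[0]) if len(hosts) == 1 else None


def host_header_allowed(raw_request: bytes, expected_hosts) -> bool:
    """Default-deny: serve the request only for an expected host name."""
    host = extract_host(raw_request)
    return host is not None and host in expected_hosts


# Constructed: the names this internal service expects to be addressed by.
EXPECTED_HOSTS = {"intranet.corp.example", "10.1.1.3"}

# Constructed requests: a legitimate one, and one carrying the attacker's
# rebound host name, which the check refuses.
GOOD_REQUEST = b"GET /status HTTP/1.1\r\nHost: Intranet.corp.example:8080\r\n\r\n"
REBOUND_REQUEST = b"GET /status HTTP/1.1\r\nHost: www.badguy.com\r\n\r\n"
```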
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)
Smarter Pinning
Robustness vs. security trade-off.
Extend the width of pins, e.g. from the IP 171.64.78.10 to the prefix 171.64.78. The developers of NoScript for Firefox are planning this pinning heuristic.
Defenses Against Rebinding
Fixing Browsers (Default-Deny Sockets)
Policy-based Pinning
Browsers consult server-supplied policies to determine when it is safe to re-pin.
Pinning Pitfalls
Common pin database: the browser and its plug-ins should share the same database.
Cache: the browser's cache and all plug-in caches must be modified to prevent rebinding attacks.
document.domain
Defenses Against Rebinding
Fixing Browsers (Default-Allow Sockets)
Host Name Authorization
"Honest machines" do not advertise host names controlled by attackers.
Policy mechanism steps:
1. Resolve the host name auth.ip.in-addr.arpa
2. Does the host name exist?
3. If the IP is policy-enabled, resolve the host name www.example.com.auth.ip.in-addr.arpa
4. Determine whether the host name is authorized
[JBB+07]
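The four policy steps above, carried through as an added example (not the paper's code) against a stand-in resolver: the DNS records, the host name intranet.corp.example and the addresses 10.1.1.3 and 1.2.3.4 are constructed, and a machine that publishes no auth record is treated as not policy-enabled, so under default-allow sockets its connections proceed as before.

```python
# Constructed DNS records standing in for a real resolver: Alice's machine
# at 10.1.1.3 opts in to the policy and authorizes one host name only;
# 1.2.3.4 does not publish a policy at all.
CONSTRUCTED_RECORDS = {
    "auth.3.1.1.10.in-addr.arpa",
    "intranet.corp.example.auth.3.1.1.10.in-addr.arpa",
}


def mock_resolve(name: str) -> bool:
    """Stand-in for a DNS lookup: True if the name has an A record."""
    return name.lower().rstrip(".") in CONSTRUCTED_RECORDS


def reverse_name(ip: str) -> str:
    """10.1.1.3 -> 3.1.1.10.in-addr.arpa (IPv4 only in this example)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def hostname_authorized(hostname: str, ip: str, resolve=mock_resolve):
    """Run the slide's four steps for one (host name, IP) pair.

    Returns (allowed, reason). No auth record means the machine is not
    policy-enabled and the legacy default-allow behaviour applies; a
    policy-enabled machine allows only the host names it lists."""
    policy_name = "auth." + reverse_name(ip)                      # steps 1, 2
    if not resolve(policy_name):
        return True, "ip is not policy-enabled (legacy default-allow)"
    auth_name = hostname.lower().rstrip(".") + "." + policy_name  # step 3
    if resolve(auth_name):                                        # step 4
        return True, f"{hostname} is authorized for {ip}"
    return False, f"{hostname} is not authorized for {ip}"


if __name__ == "__main__":
    # The rebinding case from the slides: www.badguy.com rebound to Alice.
    for host, ip in [("www.badguy.com", "10.1.1.3"),
                     ("intranet.corp.example", "10.1.1.3"),
                     ("www.badguy.com", "1.2.3.4")]:
        print(host, ip, hostname_authorized(host, ip))
```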
Related Work
Using Browsers as Bots
Can be used for distributed denial of service attacks.
Sender Policy Framework
Stores policy information in DNS.
Supervisor: Gert Pfeifer
References
[1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer
[2] Dan Kaminsky. Black Ops 2007: Design Reviewing the Web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt
[3] Wikipedia. Domain Name System. http://en.wikipedia.org/wiki/Domain_Name_System
[4] Google Safe Browsing for Firefox, 2005. http://www.google.com/tools/firefox/safebrowsing
[5] J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html
[6] D. Ross. Notes on DNS Pinning. http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns.pinning.aspx, 2007
THANK YOU!
QUESTIONS?!