Maddin, 14 August 2006 at 17:42:44 CEST

(somewhat) breaking the same-origin policy by undermining dns-pinning

A small contribution to the current "hacking the intranet with JavaScript" meme:

Introduction

J. Grossman, RSnake, SPI Dynamics, pdp and others have demonstrated lately that it is possible for a malicious JavaScript
a) to obtain the (internal) IP address of the hosting web browser,
b) to port-scan the LAN to locate intranet HTTP servers,
c) to fingerprint these HTTP servers using well-known URLs
d) and (sometimes) to exploit them via CSRF.

During my research on that topic I discovered that, with some tweaking, it is also possible for the script to obtain read access, allowing the leakage of internal information and more precise fingerprinting.

Technical background

The basis of the attack is rather old. It was described at Princeton University in 1996 [1] and was recently brought to my attention by Amit Klein [3]. For the attack to succeed the attacker needs to control the DNS entry for his web server (www.attacker.org in the following example). Attacking an intranet host located at 10.10.10.10 would roughly work like this:

To prevent this type of attack, modern web browsers implement "DNS pinning": DNS lookup results are kept unchanged for the entire browser session, even though the DNS entry's lifetime (its TTL) may be shorter. Mohammad A. Haque describes in [2] how the attack can still work, provided that the malicious script survives in the browser cache. The described scenario requires the victim to quit his web browser and to access the malicious script a second time, which makes the attack somewhat unlikely.

The refined attack: Undermining DNS pinning by rejecting connections

As it turns out, it is also possible to force the browser to renew the DNS entry for a given domain "on the fly". The following sequence of events worked for me (tested on IE6 on XP SP2 and Firefox 1.5.0.6):

Some (crude) PoC code is available at polyboy.net.

I successfully tested the described approach on two different computers in two different networks. Still, the result is purely experimental. As I have not read the web browsers' source code, I can only guess why the attack works. For this reason it may be possible that the attack fails on different setups.

Outlook

This technique obviously can be automated.
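To make the sequence concrete, here is a small Python model that plays the attack through with three actors: the attacker's authoritative DNS, a browser that pins the first lookup but drops the pin when a connection to the pinned address is refused (the behaviour reported above for IE6 and Firefox 1.5), and two web servers. This is an added example, not the PoC from polyboy.net and not browser code. The attacker address 192.0.2.10, the closed port 81, the intranet server's own name intranet.local and its response body are constructed for the example. The check_host flag shows the one server-side property that stops the read: a server that verifies the Host header sees www.attacker.org and refuses, and refuse_first=False shows that pinning does its job as long as nothing knocks the pin loose.

```python
# Model of the anti-DNS-pinning sequence (added example): attacker-controlled
# DNS, a pinning browser, the attacker's web server and the intranet target.

ATTACKER_HOST = "www.attacker.org"  # attacker's name, as in the post
ATTACKER_IP = "192.0.2.10"          # constructed address of the attacker's web server
INTRANET_IP = "10.10.10.10"         # intranet target, as in the post
INTRANET_NAME = "intranet.local"    # constructed name the intranet server answers to


class AttackerDns:
    """Authoritative server for attacker.org: the first answer points at the
    attacker's own host, every later answer points at the intranet target."""

    def __init__(self):
        self.queries = 0

    def lookup(self, name):
        if name != ATTACKER_HOST:
            raise KeyError(name)
        self.queries += 1
        return ATTACKER_IP if self.queries == 1 else INTRANET_IP


class Network:
    """(ip, port) -> handler(request) -> (status, body); an unlisted port is closed."""

    def __init__(self):
        self.listeners = {}

    def connect(self, ip, port):
        handler = self.listeners.get((ip, port))
        if handler is None:
            raise ConnectionRefusedError("%s:%d" % (ip, port))
        return handler


class PinningBrowser:
    """Keeps the first resolution of a name for the session (DNS pinning) but,
    as the post observed for IE6 and Firefox 1.5, forgets the pin once a
    connection to the pinned address is refused, and resolves the name again."""

    def __init__(self, dns, network):
        self.dns, self.network, self.pins = dns, network, {}

    def fetch(self, script_origin, host, port, path="/"):
        # Same-origin policy compares host names, not addresses; the name still
        # matches after rebinding, so the script may read the response.
        if host != script_origin:
            raise PermissionError("cross-origin read blocked")
        ip = self.pins.get(host) or self.dns.lookup(host)
        self.pins[host] = ip
        try:
            handler = self.network.connect(ip, port)
        except ConnectionRefusedError:
            del self.pins[host]  # pin dropped: the next fetch re-resolves
            raise
        # The Host header still names the attacker, not the target.
        return handler({"Host": host, "path": path})


def intranet_server(check_host):
    """Intranet web server; with check_host=True it rejects unknown Host values,
    which is exactly the property the post says defeats the attack."""
    secret = "internal wiki: build server is at 10.10.10.20"  # constructed content

    def handler(request):
        if check_host and request["Host"] not in (INTRANET_NAME, INTRANET_IP):
            return 400, "Bad Request: unknown Host %s" % request["Host"]
        return 200, secret
    return handler


def run_attack(check_host=False, refuse_first=True):
    """Play the sequence through; returns (status, body, number of DNS queries)."""
    dns, net = AttackerDns(), Network()
    net.listeners[(ATTACKER_IP, 80)] = lambda request: (200, "<script>...</script>")
    net.listeners[(INTRANET_IP, 80)] = intranet_server(check_host)
    browser = PinningBrowser(dns, net)
    # 1. victim loads the malicious page; www.attacker.org is now pinned to ATTACKER_IP
    browser.fetch(ATTACKER_HOST, ATTACKER_HOST, 80)
    # 2. script opens a closed port on the same name; the refused connection drops the pin
    if refuse_first:
        try:
            browser.fetch(ATTACKER_HOST, ATTACKER_HOST, 81)
        except ConnectionRefusedError:
            pass
    # 3. the next request re-resolves; with the pin gone it lands on INTRANET_IP
    status, body = browser.fetch(ATTACKER_HOST, ATTACKER_HOST, 80)
    return status, body, dns.queries


if __name__ == "__main__":
    print(run_attack())                    # pin dropped: intranet content is readable
    print(run_attack(check_host=True))     # same, but the Host check turns it into a 400
    print(run_attack(refuse_first=False))  # pin intact: the script only sees its own server
```

The model makes the two dependencies of the attack explicit: the browser must issue a second DNS query for the same name within one session, and the target must serve content for a Host header it does not own.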
Instead of quitting the web server on attacker.org completely, dynamic firewall rules could be used to reject further connections from the victim's IP after the initial script was delivered.

The attack only works if the attacked server does not check the HTTP Host header, as that header would still read "www.attacker.org". For the same reason all name-based virtual hosts are out of the attacker's reach.

Update (12/2006): Kanatoko Anvil from jumperz.net found out that it is not necessary to shut down the web server. It is sufficient for the malicious script to access a closed port on the attacker's server (e.g. attacker.org:81) to cause the web browser to initiate a new DNS query. See here for a demo. Wow.

References

[1] DNS Attack Scenario, www.cs.princeton.edu
[2] Josh Soref: DNS: Spoofing and Pinning, viper.haque.net
[3] Amit Klein: Re: Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript (posting to the WebAppSec mailing list), www.webappsec.org

Maddin, 16 February 2006 at 13:44:32 CET

Cross Domain XMLHttpRequests are really not a good idea

There was more than one moment in the last month in which I wondered about the reasons behind the same-origin restriction on the XMLHttpRequest JavaScript object's destination URL. This restriction effectively prevents JavaScript-initiated cross-domain HTTP requests. None of the other network-aware elements of HTML/JavaScript are subject to such a policy (e.g. images, iframes or scripts).

Finally somebody convinced me: Lucas Carlson describes in a recent blog entry how cross-domain XMLHttpRequests could be employed to subvert firewall protection. A malicious JavaScript executed by a web browser behind a firewall would be able to communicate the content of any HTTP intranet server, which would otherwise be protected by the firewall, to any host on the internet. Such a script would furthermore be able to do a complete port scan of the intranet, thus discovering services and further attack targets.

What a pity, cross-domain Ajax would be so much fun otherwise.

Maddin, 16 November 2005 at 12:05:23 CET

Using DNS queries to estimate backdoor propagation

A backdoor that tries to phone home usually uses DNS queries to locate the host it should report to. These DNS queries are cached by the DNS server for some time. Dan Kaminsky uses this behaviour to estimate the number of PCs that are infected by Sony's DRM rootkit (he found more than 500,000 DNS servers that received a query related to the rootkit, leading to a conservative estimate that the number of infected PCs is in the millions).

The image shows the distribution of the located DNS servers in Europe (click here for larger maps: USA, Asia, Europe).

The more I learn about DNS, the more I am intrigued by this often overlooked protocol.
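A resolver can be asked whether it already holds a name in its cache without making it resolve the name: a query with the recursion-desired (RD) bit cleared is answered from cache or not at all. This is DNS cache snooping, the kind of probe such a survey rests on. The following Python code is an added example of that probe and is not Kaminsky's own tool. The name rootkit-callback.example, the address 192.0.2.7 and the TTL 1800 are constructed stand-ins, and fake_reply builds the kind of reply a caching resolver sends so that the parser can be exercised offline; snoop() sends a real probe and needs network access.

```python
# DNS cache snooping (added example): a non-recursive A query and a parser
# that tells a cached answer from an empty one.
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name):
    """Wire-format a hostname: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_snoop_query(name, txid=0x1234):
    """Build an A query with the RD bit cleared.

    A resolver answers a non-recursive query only from what it already has
    cached; it will not go out and resolve the name on our behalf.  That is
    what makes the packet a cache probe rather than a lookup.
    """
    flags = 0x0000  # QR=0, opcode=0, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    return header + question


def _skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_snoop_response(packet, txid=0x1234):
    """Interpret a resolver's reply to a non-recursive query.

    Returns the response code, whether the name was in the resolver's cache
    (an answer record is present), and for a cached A record its remaining TTL
    and address.  A resolver that has not seen the name replies with an empty
    answer section (a referral) or with REFUSED.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    result = {"rcode": flags & 0x000F, "cached": ancount > 0, "ttl": None, "address": None}
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4  # skip QTYPE and QCLASS
    if ancount:
        offset = _skip_name(packet, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        result["ttl"] = ttl  # remaining TTL: below the zone's TTL means it was cached earlier
        if rtype == DNS_TYPE_A and rdlength == 4:
            result["address"] = socket.inet_ntoa(packet[offset:offset + 4])
    return result


def snoop(server, name, timeout=2.0):
    """Send one non-recursive probe to a resolver and interpret the reply (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_snoop_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_snoop_response(data)


def fake_reply(name, cached, ttl=1800, address="192.0.2.7", txid=0x1234):
    """Constructed reply, shaped like a caching resolver's: RA set, answer only if cached."""
    flags = 0x8080  # QR=1, RA=1, RD=0 (echoing our query), RCODE=0
    question = encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    answer = b""
    if cached:
        # owner name as a compression pointer to offset 12, i.e. the question name
        answer = b"\xC0\x0C" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
        answer += socket.inet_aton(address)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if cached else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    print(parse_snoop_response(fake_reply("rootkit-callback.example", cached=True)))
    print(parse_snoop_response(fake_reply("rootkit-callback.example", cached=False)))
```

Two caveats apply to real use: resolvers configured to refuse non-recursive queries from outside show up as REFUSED rather than as "not cached", and the probes are visible to the resolver's operator, so a survey of this kind is itself a scan.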
Oh, Sony's uninstaller leaves the PC even more open to further attacks.

Maddin, 6 September 2005 at 11:34:53 CEST

Windows of exposure revisited

David Wheeler took the time and had a closer look at the time spans during which no unpatched exploit for a couple of popular web browsers existed. His findings were somewhat devastating, especially for IE:

Maddin, 1 June 2005 at 11:49:53 CEST

Dude, be careful with those viruses

Check out the promotional pictures posted on the F-Secure weblog. These pictures are so over the top. All employees are wearing laboratory gowns. They even have got signs warning about free-flying wireless viruses...

Maddin, 25 April 2005 at 12:22:56 CEST

Studying C insecurities

This is a public service announcement: A couple of colleagues and I are starting an open study group on software insecurities. Our first meeting is on Tuesday the 26th of April at 16:00. Feel free to drop by and share the fun.

Maddin, 14 April 2005 at 16:00:53 CEST

Somebody is serious about security - not

It always strikes me as funny (though not "haha"-funny) when a website devoted to computer security doesn't display properly (check out the left-hand navigation) in Mozilla-based browsers.

Maddin, 17 March 2005 at 11:19:59 CET

What is "two-factor authentication"?

Two-factor authentication is the combination of [via Slashdot comments]

Maddin, 16 March 2005 at 13:44:37 CET

The economics of the darknet

When I was looking for more information about botnets I stumbled over a fun presentation on "Life, Love and War in the Underground". It is from late 2003 but I think the basic facts are still valid. According to the findings of the author, Rob Thomas, there exists a lively marketplace in the IT underground. Botnets, 0days and root shells are swapped or sold for hard currency (e.g. a new exploit sells for about $100 to $500). But to participate you have to know how to speak 1337...

Maddin, 15 March 2005 at 15:52:14 CET

Bot- and honeynets

The German Honeynet Project just released a paper on the usage of honeynets to explore botnets: Know your enemy: Tracking Botnets. Besides describing the use of honeynets to do the tracking, the paper also does a great job in providing insights into the "why" and "how" background of botnets. Interestingly, a lot of the more successful bots (Agobot, SDBot, DSNX) adopted the GPL as their development model. I wonder if they have sourceforge.net project pages?