The Good, the Bad, the Net Neutrality Detector

By Lisa Vaas | Posted 2007-08-07

LAS VEGAS—A creaky old DNS rebinding design flaw has been dragged out of the Internet's attic, had the dust blown off and shown to be freshly poisonous. As Dan Kaminsky, IOActive's director of penetration testing, showed at the Black Hat conference Aug. 1, all he needs to bypass firewalls, penetrate VPNs and remotely cherry-pick any resource available on a vulnerable system is to bounce off a lured Web browser.
DNS rebinding is an exploit that dates back to 1996, from research done at Princeton University.
Here's how Kaminsky explained the attack, which depends on the fundamental workings of the client side of the Internet: Web pages are pulled together in the browser from pieces that can come from all over the place. One page can even be embedded inside another page—that's called an "iframe." The thing is, if someone embedded a Hotmail page into another page, does that mean whoever's viewing the shell page is logged in to the embedded page? Would that person be able to read the Hotmail messages? In theory, no, due to SOP (same origin policy), a security measure for client-side scripting (mostly JavaScript). SOP says you can look, but you can't touch. A Web page can embed Hotmail, but it can't peek inside and read somebody else's mail.

That policy is meant to provide security and privacy, but it's also a basic flaw in the architecture of browsers. Say that foo.com has an iframe to foo.com, meaning that it can look inside itself. If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can't peek inside and see what the user sees. SOP dictates that if two things come from the same place, they must be trusted at the same level. And coming from the same place means you have the same domain name, right?

No. Names don't host anything, Kaminsky said—that's the job of an IP address. DNS is used to translate between a name we trust and an IP address we communicate with. Foo.com = 1.2.3.4, and Bar.com = 3.4.5.6. The assumption is that these name translations don't change. However, in reality, both foo.com and bar.com can return any IP address, at any time, whether they control that IP address or not. Hence, bar.com can return foo.com's IP address. It could point to a server in Europe, say, and then switch in the next moment to point to a printer down the hall. Now suppose your browser loaded a page from each address, Kaminsky said. The content from both the European server and the printer down the hall would be seen as coming from bar.com.

According to SOP, the server in Europe can do whatever it wants to your printer, given that they're coming from the same place, at least theoretically. The server can't get past a corporate firewall, but it doesn't need to, Kaminsky said. It will just use the browser to do its dirty work, instructing the browser what to do, and the browser will report back detailing whatever your printer is up to.

It's an attack that takes advantage not of a bug but rather the intended design of the Web, Kaminsky said. The browser can't tell external IP from internal IP if both are coming from bar.com because it's not supposed to. "Major Web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another," he said. Detecting that there's a cross-IP scripting action occurring is a start to addressing these types of attacks, but what to do after that is what people are trying to figure out, he said.

And here's where the fun really starts: with bypassing the firewall. Most corporate networks differentiate between external and internal network: Internal resources can route out, and the network is shielded from external resources trying to route in. But by bouncing off a lured browser, an attacker on the outside can access resources on the inside, Kaminsky said. And by "resources," he means anything your machine can access: files, database ports, Web services, you name it.

Getting around a firewall sounds exotic to a U.S. audience, Kaminsky said in an interview with eWEEK, but we're in the minority. Censorship's a problem on the Web in many if not most countries outside the United States. In China, for example, the average knowledge of a child regarding how to set up a proxy and how to bypass filters and firewalls ranks at what Kaminsky considers to be master level. "There are countries where the average user knows how to get around the firewall," he said.
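To make the name-versus-address gap concrete, here is an added example (not from the article or from Kaminsky's talk) that models the browser's naive same-origin comparison beside two defensive checks the article says a browser does not make: pinning an origin to the IP it first resolved to, so a later answer for the same name at a different address is flagged as cross-IP scripting, and a resolver-side filter that refuses external names resolving to internal addresses. The hostnames, addresses and the `.corp.example` allow-list are constructed values.

```python
import ipaddress

# Private, loopback and link-local ranges an external name should never map to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    """True if the address lies in one of the internal ranges above."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def naive_same_origin(origin_a, origin_b):
    """SOP as the article describes it: same scheme, host and port means
    'same place'; the IP each name resolved to plays no part."""
    return origin_a == origin_b

class PinnedOrigins:
    """Defensive variant: remember the IP an origin first resolved to while the
    page is open and flag any later fetch to that origin at a different address
    (the cross-IP scripting the article says should be detected)."""
    def __init__(self):
        self.pins = {}

    def check(self, origin, resolved_ip):
        first = self.pins.setdefault(origin, resolved_ip)
        return "ok" if first == resolved_ip else "cross-ip"

def resolver_rebind_filter(name, ip, internal_suffixes=(".corp.example",)):
    """Resolver-side mitigation: drop a DNS answer that maps a name outside the
    organisation's own zones (hypothetical allow-list) to an internal address."""
    if is_internal(ip) and not name.endswith(internal_suffixes):
        return "drop"
    return "accept"

def audit(events):
    """Run one page's (origin, resolved_ip) fetches through all three checks."""
    pins, page_origin, out = PinnedOrigins(), events[0][0], []
    for origin, ip in events:
        out.append({"ip": ip,
                    "naive_same_origin": naive_same_origin(page_origin, origin),
                    "pinned": pins.check(origin, ip),
                    "resolver": resolver_rebind_filter(origin[1], ip)})
    return out

# Constructed timeline (hypothetical values): bar.example first answers with a
# public address, then flips to a printer on the victim's LAN.
SAMPLE = [(("http", "bar.example", 80), "203.0.113.10"),
          (("http", "bar.example", 80), "203.0.113.10"),
          (("http", "bar.example", 80), "192.168.1.50")]
```

The naive check says "same origin" for all three fetches, which is exactly the gap the article describes; only the pinning check and the resolver filter notice the third answer.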
An associated attack, XSRF (cross-site request forgery), has been used in the wild recently. One incident was during the time of the Super Bowl attack. Two days before Super Bowl XLI, a malicious image was placed on the official Super Bowl site. More than 1 million desktops were compromised overnight. In addition, Boneh's team at Stanford has tested a Flash applet placed on an ad network and distributed across many Web sites. It acquired partial network connectivity to client LANs and exposed 100,000 networks.

This is not the type of security vulnerability story that has a section that says "and to fix this bug, so-and-so vendor has supplied patches that you can get at such-and-such site." No, this is the type of vulnerability that is so fundamental to the machinery of the Web that Kaminsky, when asked what to do about DNS rebinding, said we basically have to stop and look at what our model is for private information.

"Everyone needs to realize that we have a tremendous gap in how the Web works," he said. "People are trying to put a lot of private information on there. DNS rebinding, cross-site scripting, cross-site request forgery, these bugs are pernicious, and they're not going away."

In fact, what we will need at some point is a reimagining of how security works on the Web, Kaminsky said. "I didn't come up with these rebinding attacks. They've been floating around since 1996. They've been talked about since 2006. I'm trying to get people to realize these bugs are exposing their corporate networks and threatening to cause them to [lose the ability to know who they're dealing with online]. … People should not be able to borrow your Net connection just because you browsed to their page. They shouldn't be able to attack your network IP for whatever weird thing," he said. "Or we can stop using these things for any private reasons. And these bugs are threatening commerce on the Internet. I want to protect commerce on the Internet."
But of at least equal interest to Kaminsky is that this DNS rebinding attack can be used to test Net neutrality.