The Good, the Bad, the Net Neutrality Detector
LAS VEGAS—A creaky old DNS rebinding design flaw has been dragged out of the Internet’s attic, had the dust blown off and shown to be freshly poisonous.
As Dan Kaminsky, IOActive’s director of penetration testing, showed at the Black Hat conference Aug. 1, all he needs to bypass firewalls, penetrate VPNs and remotely cherry-pick any resource available on a vulnerable system is to bounce off a lured Web browser.
DNS rebinding is an attack that dates back to 1996, from research done at Princeton University.
Here’s how Kaminsky explained the attack, which depends on the fundamental workings of the client side of the Internet: Web pages are pulled together in the browser from pieces that can come from all over the place. One page can even be embedded inside another page—that’s called an “iframe.” The thing is, if someone embedded a Hotmail page into another page, does that mean whoever’s viewing the shell page is logged in to the embedded page? Would that person be able to read the Hotmail messages?
In theory, no, due to SOP (same origin policy), a security measure for client-side scripting (mostly JavaScript). SOP says you can look, but you can’t touch. A Web page can embed Hotmail, but it can’t peek inside and read somebody else’s mail.
That policy is meant to provide security and privacy, but the way browsers decide what counts as the “same place” is also a basic flaw in their architecture. Say that foo.com has an iframe to foo.com, meaning that it can look inside itself. If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can’t peek inside and see what the user sees. SOP dictates that if two things come from the same place, they must be trusted at the same level, and “same place” means the same scheme, host name and port.
And coming from the same place means you have the same domain name, right? No. Names don’t host anything, Kaminsky said—that’s the job of an IP address. DNS is used to translate between a name we trust and an IP address we communicate with. Foo.com = 1.2.3.4, and Bar.com = 3.4.5.6. The assumption is that these name translations don’t change.
However, in reality, the DNS servers for both foo.com and bar.com can return any IP address, at any time, whether they control that IP address or not. Hence, bar.com can return foo.com’s IP address. It could point to a server in Europe, say, and then switch in the next moment to point to a printer down the hall.
Now suppose your browser loaded a page from each address, Kaminsky said. The content from both the European server and the printer down the hall would be seen as coming from bar.com. According to SOP, the server in Europe can do whatever it wants to your printer, given that they’re coming from the same place, at least theoretically.
The server can’t get past a corporate firewall, but it doesn’t need to, Kaminsky said. It will just use the browser to do its dirty work, instructing the browser what to do, and the browser will report back detailing whatever your printer is up to.
It’s an attack that takes advantage not of a bug but rather the intended design of the Web, Kaminsky said. The browser can’t tell an external IP from an internal IP if both are coming from bar.com, because it’s not supposed to. “Major Web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another,” he said.
Detecting that there’s a cross-IP scripting action occurring is a start to addressing these types of attacks, but what to do after that is what people are trying to figure out, he said.
And here’s where the fun really starts: with bypassing the firewall. Most corporate networks differentiate between the external and internal network: Internal resources can route out, and the network is shielded from external resources trying to route in.
But by bouncing off a lured browser, an attacker on the outside can access resources on the inside, Kaminsky said. And by “resources,” he means anything your machine can access: files, database ports, Web services, you name it.
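To make the mechanism concrete, here is an added example (not code from the article and not from Kaminsky’s talk) that models the three moving parts above in plain JavaScript: an attacker-controlled DNS server that answers first with the attacker’s address and then with an internal one, and a browser whose same-origin check compares host names rather than IP addresses. The names bar.example and foo.example, the addresses 203.0.113.10 and 10.0.0.5, and the two mitigations modelled (pinning the first IP for the life of the page, and refusing private-range answers for public names) are assumptions for the illustration.

```javascript
// Added example, not code from the article or from Kaminsky's talk: a model of a
// browser whose same-origin check is keyed on the host name, talking to a DNS
// server the attacker controls. All names and addresses here are made up.

const ATTACKER_IP = "203.0.113.10"; // attacker's public web server (assumed)
const PRINTER_IP = "10.0.0.5";      // a printer on the victim's LAN (assumed)

// Attacker-run authoritative server for bar.example: the first answer points at
// the attacker, every later one at the internal target. TTL 0 so the browser
// asks again instead of reusing a cached answer.
function makeRebindingDns() {
  let queries = 0;
  return {
    resolve(name) {
      if (name !== "bar.example") return null;
      queries += 1;
      return { ip: queries === 1 ? ATTACKER_IP : PRINTER_IP, ttl: 0 };
    },
  };
}

// RFC 1918 check, the kind of filter a resolver (or the browser) can apply to
// answers for external names.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Browser model. `pinning` keeps the first IP seen for a host for the life of
// the page; `rejectPrivate` refuses public names that resolve to private space.
function makeBrowser(dns, { pinning = false, rejectPrivate = false } = {}) {
  const pinned = new Map();
  function lookup(host) {
    if (pinning && pinned.has(host)) return pinned.get(host);
    const answer = dns.resolve(host);
    if (answer === null) throw new Error(`NXDOMAIN ${host}`);
    if (rejectPrivate && isPrivateIPv4(answer.ip)) {
      throw new Error(`rebinding blocked: ${host} -> ${answer.ip}`);
    }
    if (pinning) pinned.set(host, answer.ip);
    return answer.ip;
  }
  // Origin = scheme + host name + port. No IP address appears anywhere in it.
  function origin(url) {
    const u = new URL(url);
    return `${u.protocol}//${u.hostname}:${u.port || (u.protocol === "https:" ? "443" : "80")}`;
  }
  return {
    loadPage(url) {
      return { origin: origin(url), ip: lookup(new URL(url).hostname) };
    },
    // Script on `page` issues a request to `url`; SOP compares origins only.
    fetchFrom(page, url) {
      if (origin(url) !== page.origin) return { allowed: false, reason: "cross-origin" };
      try {
        return { allowed: true, ip: lookup(new URL(url).hostname) };
      } catch (e) {
        return { allowed: false, reason: e.message };
      }
    },
  };
}

// The lure page loads from the attacker's IP; its script then asks for a
// same-origin URL, and by now the name resolves to the printer. Returns which
// IP each step actually reached.
function runAttack(options) {
  const browser = makeBrowser(makeRebindingDns(), options);
  const page = browser.loadPage("http://bar.example/lure.html");
  const r = browser.fetchFrom(page, "http://bar.example/printer-status");
  return { firstIp: page.ip, readIp: r.allowed ? r.ip : null, reason: r.reason || "ok" };
}
```

With no mitigation, `runAttack({})` reports the page loading from 203.0.113.10 and the follow-up request landing on 10.0.0.5, exactly the “server in Europe scripting against the printer down the hall” case; with `pinning: true` the second request stays on the attacker’s address, and with `rejectPrivate: true` it is refused outright. One caveat a practitioner should keep in mind: pinning is only as strong as the weakest pin, since a browser and its plug-ins can each keep their own DNS cache, and a private-range filter does nothing against rebinding to another public address.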
Getting around a firewall sounds exotic to a U.S. audience, Kaminsky said in an interview with eWEEK, but we’re in the minority. Censorship’s a problem on the Web in many if not most countries outside the United States. In China, for example, the average knowledge of a child regarding how to set up a proxy and how to bypass filters and firewalls ranks at what Kaminsky considers to be master level. “There are countries where the average user knows how to get around the firewall,” he said.
An associated attack, XSRF (cross-site request forgery), has been used in the wild recently. One incident was the Super Bowl attack: Two days before Super Bowl XLI, a malicious image was placed on the official Super Bowl site, and more than 1 million desktops were compromised overnight.
In addition, Boneh’s team at Stanford has tested a Flash applet placed on an ad network and distributed across many Web sites. It acquired partial network connectivity to client LANs and exposed 100,000 networks.
This is not the type of security vulnerability story that has a section that says “and to fix this bug, so-and-so vendor has supplied patches that you can get at such-and-such site.” No, this is the type of vulnerability that is so fundamental to the machinery of the Web that Kaminsky, when asked what to do about DNS rebinding, said we basically have to stop and look at what our model is for private information.
“Everyone needs to realize that we have a tremendous gap in how the Web works,” he said. “People are trying to put a lot of private information on there. DNS rebinding, cross-site scripting, cross-site request forgery, these bugs are pernicious, and they’re not going away.”
In fact, what we will need at some point is a reimagining of how security works on the Web, Kaminsky said. “I didn’t come up with these rebinding attacks. They’ve been floating around since 1996. They’ve been talked about since 2006. I’m trying to get people to realize these bugs are exposing their corporate networks and threatening to cause them to [lose the ability to know who they’re dealing with online]. … People should not be able to borrow your Net connection just because you browsed to their page. They shouldn’t be able to attack your network IP for whatever weird thing,” he said. “Or we can stop using these things for any private reasons. And these bugs are threatening commerce on the Internet. I want to protect commerce on the Internet.”
But of at least equal interest to Kaminsky is that this DNS rebinding attack can be used to test Net neutrality.
Net neutrality in a nutshell: Some advocates have warned that broadband providers will use their control over the “last mile” to discriminate between content providers, particularly competitors. Net neutrality advocates also predict that telecom companies will seek to impose a tiered service model as a means of profiting from their control over the pipeline as opposed to demand for particular content or services.
Some say that providers are already practicing hostility toward Net neutrality. Kaminsky wants those providers to know that people now can detect what they’re up to. This is something he stumbled upon when dissecting browser behavior for the DNS rebinding design flaw.
“Now that I’m understanding what we can make a browser do, we can make very controlled HTTP requests with a browser,” he said.
Normally, a browser makes a request that’s structured, standardized and doesn’t have much flexibility. Plug-in technologies such as Flash, however, are providing people with arbitrary TCP sockets. They’re blank, Kaminsky said. HTTP, which is just TCP with headers that describe what’s going on, means people can put on any headers they want, or leave out whatever they want.
This flexibility is very interesting, Kaminsky said, in its ability to detect what he called provider hostility—i.e., a service provider stuttering, or serving up a given resource at a throttled rate, intentionally. In a nutshell, a speed test run against the “transparent”—easily detectable—proxies used by some consumer networks will directly yield information about hostility.
To detect hostile providers, people first need to filter out the differences. They have to download from two separate sites. Just because one’s slow and one’s fast doesn’t mean a provider’s hostile, though; the two sites may simply differ. People need two data sets that come from the same site, from the same server, with the only difference being which site the provider’s network believes it is seeing: the tester’s own site or someone else’s.
Of course, people can just issue a request to wherever they want, such as, “Please send me a movie from Viacom. Also, send me a movie from YouTube.” “If it comes faster from one vs. the other, you’ll know the network is being hostile to the site” from which it’s slowly delivering the movie, Kaminsky said.
However, networks can realize people are trying to test their speed. Just for the purpose of the test, people therefore might get served everything fast.
The question Kaminsky had was, is it possible to make a hostility test thats undetectable?
Here’s what he needed: To spoof sites on the Internet, to know what these sites would see, to respond as if he was those sites, and to keep those real sites from interfering with his interference.
“I don’t want them to be able to tell,” he said. “Am I able to make a system” that couldn’t tell? Is it possible to build a hostility detection system that uses traffic indistinguishable from real-world traffic?
“The answer is yes,” he said. “And it’s totally messed up how I’m doing it.”
The answer to fashioning a Net neutrality detection tool boils down to “old-school packet stuntage,” Kaminsky said.
“Say I want to pretend I’m some site I want to speed test,” he said. “I don’t want the test to come from me, [rather, I want it to come] from their site. They’ll download something from me [and the] entire infrastructure will think it’s coming from MySpace or YouTube or wherever I want.”
What would normally prevent this is that an HTTP session runs over TCP. What protects the stream from random people injecting into it is that they don’t know its sequence numbers. They can’t know them. Right?
“Oh, wait,” Kaminsky said. “There’s an ActiveX plugin called PacketX and it’s a sniffer that emits JavaScript events on each packet. A packet sniffer for your Web browser. Did you see what I did? I just wrote an entire tunneling layer in JavaScript.”
Kaminsky said he laughed for two hours when he came up with it. He’s calling it “Inspector Pakket,” like “Inspector Gadget.”
“Now I can have some fun,” he said. “What was keeping me out was not knowing sequence numbers. If I can sniff packets on the client, I can totally know the sequence numbers. So, number one, I can totally spoof the IP of YouTube or CNN or whatever when sending traffic to the client, because I know what sequence numbers to use.
“I’m sending traffic to the client. The client is acknowledging my traffic, but not to me, to the server. The server would normally say, Why are you talking to me? I don’t have a session open with you, go away, here’s some resets, and it would be game over for me. But everyone’s deployed a firewall saying, You don’t have a session, I don’t have to talk to you. It won’t talk to me, and I can just go ahead.”
As an impersonator injecting from outside the connection, he won’t see an acknowledgment. But because he’s got a sniffer on the client, he can proxy it over in JavaScript. He is relaying the TCP acknowledgments over an Ajax tunnel, so that even though he doesn’t see the acknowledgments going to the site being tested, he does see them as they are emitted by the client.
“And thus, I receive them,” he said. “I can do whatever I want.”
And thus, network quality degradation can no longer be done silently, he said. “Don’t think people won’t notice,” Kaminsky said.
Kaminsky laughed while talking about his work, but he’s dead serious about stopping providers from screwing up the level playing field for business online.
“A level playing field is required for the basics of business. Problem is, it’s hard to make money on a level playing field,” he said. “You can be a king maker. [Providers] can choose who or what other third party is going to make money, and that third party [could] be a worst solution by far, but they paid the most.”
Contrast that with a level playing field, where third parties all get access to the same level of network quality. In a level playing field, third parties duke it out until the best product wins. That model, Kaminsky said, leads to customers who are loyal, and everyone is happy. “If not, they wouldn’t have used this third party,” he said. “Carriers are threatening to abandon the model that’s provided a steady sequence of successful, profitable, useful companies and replace them with whoever pays the highest bribe for reasonable service.
“Provider hostility makes the Internet a place where you can’t invest. You can’t make long-term bets on a hostile network. As soon as you start doing well you don’t know what the carrier will do.”
Kaminsky has come up with a goal: He wants to use the most obscure of his technical abilities to defend online advertising. “This is not something I thought I’d ever say,” he said. “But I believe a huge amount of the vibrancy of the Internet comes from commercial enterprise. If we go to a kingmaker model, nobody will be able to safely invest and all existing models will die on the vine. It doesn’t matter if you create the best system. It doesn’t matter if users really like you. Because someone else will show up and pay more than you will.”
And now, thanks to Kaminsky’s work, there is at last a speedometer to clock how fast providers are moving to rough up that level playing field.
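The sequence-number argument in the passage above is easier to see with numbers in hand. What follows is an added example (not code from the article and not Kaminsky’s “Inspector Pakket”) that models the client’s TCP receive side, the one fact the client-side sniffer hands the tester (the ACK field of the client’s own outbound segment, which is exactly the sequence number it expects next from the real server), and the real server’s reaction to the stray ACK with and without a stateful firewall in front of it. The addresses, ports, window and sequence numbers are constructed for the illustration, and the PRNG is only there so the blind-guessing trial is repeatable.

```javascript
// Added example, not code from the article or from Kaminsky's "Inspector Pakket":
// a model of why sniffing on the client turns blind TCP injection into a
// deterministic one, and why the real server's firewall matters. Addresses,
// ports and sequence numbers are made up.

const MOD = 2 ** 32;
const mod32 = (n) => ((n % MOD) + MOD) % MOD;

// Is `seq` inside [rcvNxt, rcvNxt + rcvWnd) on the 32-bit circle? (The RFC 793
// acceptability test, reduced to the segment's first byte.)
function inWindow(rcvNxt, rcvWnd, seq) {
  return mod32(seq - rcvNxt) < rcvWnd;
}

// The client's stack handling one incoming segment on an ESTABLISHED socket.
function clientReceive(conn, seg) {
  if (seg.srcIp !== conn.peerIp || seg.srcPort !== conn.peerPort || seg.dstPort !== conn.localPort) {
    return { result: "no-socket", conn };   // not for this connection
  }
  if (!inWindow(conn.rcvNxt, conn.rcvWnd, seg.seq)) {
    return { result: "dropped", conn };     // out of window: discarded
  }
  if (seg.seq !== conn.rcvNxt) {
    return { result: "queued", conn };      // in window, but a hole sits ahead of it
  }
  const next = { ...conn, rcvNxt: mod32(conn.rcvNxt + seg.payload.length) };
  // The ACK goes to the *real* peer address, which the spoofer never sees directly.
  return { result: "delivered", conn: next, ack: { dstIp: conn.peerIp, ack: next.rcvNxt } };
}

// What the client-side sniffer hands the tester: the client's own outbound
// segment to the real server. Its ACK field is the sequence number the client
// expects next from that server; its window is how much it will accept.
function parseSniffedOutbound(pkt) {
  return { expectedSeq: pkt.ack, window: pkt.window, clientPort: pkt.srcPort,
           serverIp: pkt.dstIp, serverPort: pkt.dstPort };
}

// Segment that claims to come from the real server.
function craftSpoofed(info, payload) {
  return { srcIp: info.serverIp, srcPort: info.serverPort, dstPort: info.clientPort,
           seq: info.expectedSeq, payload };
}

// Blind (off-path, no sniffer) version: same headers, random sequence number.
function craftBlind(info, payload, rng) {
  return { ...craftSpoofed(info, payload), seq: Math.floor(rng() * MOD) };
}

// The real server receives the client's ACK for a connection it never opened.
// Without a stateful firewall it answers RST (seq = the ACK it received, per
// RFC 793), which would kill the client's socket; with one, the stray ACK is
// dropped silently and the spoofed stream survives.
function realServerReaction(ackSeg, { statefulFirewall }) {
  return statefulFirewall ? null : { flags: "RST", seq: ackSeg.ack };
}

// Small deterministic PRNG so the blind trial is repeatable.
function lcg(seed) {
  let s = seed >>> 0;
  return () => { s = (s * 1664525 + 1013904223) >>> 0; return s / MOD; };
}

function demo() {
  const client = { peerIp: "198.51.100.7", peerPort: 80, localPort: 51234,
                   rcvNxt: 0xdeadbeef, rcvWnd: 65535 };
  // Constructed sniffed packet: client -> server, acknowledging 0xdeadbeef.
  const sniffed = { srcPort: 51234, dstIp: "198.51.100.7", dstPort: 80,
                    seq: 1000, ack: 0xdeadbeef, window: 65535 };
  const info = parseSniffedOutbound(sniffed);
  const payload = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";  // 38 bytes
  const withSniffer = clientReceive(client, craftSpoofed(info, payload));
  const rng = lcg(42);
  let blindDelivered = 0;
  for (let i = 0; i < 1000; i++) {
    if (clientReceive(client, craftBlind(info, payload, rng)).result === "delivered") blindDelivered++;
  }
  return {
    withSniffer: withSniffer.result,
    nextExpected: withSniffer.conn.rcvNxt,
    blindDelivered,
    openServer: realServerReaction(withSniffer.ack, { statefulFirewall: false }),
    firewalledServer: realServerReaction(withSniffer.ack, { statefulFirewall: true }),
  };
}
```

`demo()` shows the two halves of the trick side by side: the segment built from the sniffed ACK is delivered on the first try and advances the client’s expected sequence number by the payload length, while a thousand blind guesses over the 32-bit space land nowhere. The `realServerReaction` result is the practical check before relying on this: if the site being tested is not behind something that drops unsolicited ACKs, the RST it sends back ends the spoofed session, which is the “game over” case Kaminsky describes.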