Transcript of Protecting Browsers from DNS Rebinding Attacks (Collin Jackson, Adam Barth, Andrew Bortz, ACM CCS 2007), presented 2008. 11. 13. at Systems Modeling & Simulation Lab. by Kim Jeong Hoon (15 slides)

Protecting Browsers from DNS Rebinding Attacks

Collin Jackson, Adam Barth, Andrew Bortz

ACM CCS 2007

2008. 11. 13. Systems Modeling & Simulation Lab.

Kim Jeong Hoon


2 of 15

Outline

1. Introduction
2. Network access in the browsers
3. DNS rebinding vulnerabilities
4. Attacks using DNS rebinding
5. Defense against rebinding
6. Conclusion


3 of 15

Introduction (1)

DNS rebinding attack: exploits a DNS rebinding vulnerability to
- Subvert the same-origin policy of browsers
- Exploit the interaction between browsers and their plug-ins
- Circumvent firewalls
- Send spam e-mail
- Defraud pay-per-click advertisers

Two servers belong to the same origin if they share a host name


4 of 15

Network Access in the browsers

Same-origin policy
- Provides partial resource isolation by restricting access according to origin

Access within the same origin
- Both content and browser scripts can read and write using the HTTP protocol
- Plug-ins can access network sockets directly

Access between different origins
- Content from one origin can make HTTP requests to servers in another origin

Prohibited access
- Some types of network access are prohibited even within the same origin


5 of 15

DNS Rebinding vulnerabilities (1)

Standard rebinding vulnerabilities
- A single browser connects to multiple IP addresses under the same host name
- Multiple A records, indicating the IP addresses of the host, confuse the security policy of the JVM
- Time-varying DNS: the origin attack on Java was extended

Pinning in current browsers
- Browsers defend against the standard rebinding attack by "pinning" host names to IP addresses

Flash 9
- The Flash plug-in permits socket connections to the target


6 of 15

DNS Rebinding vulnerabilities (2)

Multi-Pin Vulnerability: multiple technologies maintain separate DNS pins
- Java: the JVM maintains DNS pins separately from the browser
- LiveConnect: the browser pins to the attacker's IP, the JVM pins to the target's IP
- Applets with proxies: the client uses an HTTP proxy, so the JVM requests the applet by host name; another DNS resolver (in the proxy) is involved and pins to the target's IP
- Relative paths: a server hosts an HTML page that embeds an applet using a relative path
- Flash: when the attacker's movie attempts to open a socket, Flash does a second DNS resolution and pins to the target's IP


7 of 15

Attacks using DNS rebinding (1)

Firewall circumvention: access machines behind firewalls that the attacker cannot access directly

Spidering the Intranet
- Intranet host names are often guessable and occasionally disclosed publicly
- If the server responds with an HTML page, the attacker can follow links and search forms on that page

Compromising unpatched machines
- Network administrators often do not patch internal machines
- Attacks against the client itself originate from localhost and so bypass software firewalls and other security checks

Abusing Internal Open Services
- Network printers often accept print jobs from internal machines without additional authentication
- The attacker can use direct socket access to command network printers to exhaust their toner and paper supplies


8 of 15

Attacks using DNS rebinding (2)

IP Hijacking: access publicly available servers from the client's IP

Committing Click Fraud
- Advertisers can drain competitors' budgets by clicking on their advertisements
- Fraudulent publishers can increase their advertising revenue by generating fake clicks

Sending Spam
- By hijacking a client's IP, an attacker can send spam from IP addresses with clean reputations (SMTP servers)

Defeating IP-based Authentication
- After hijacking an authorized IP address, the attacker can access the service, defeating the authentication mechanism

Framing Clients
- An attacker who hijacks an IP can perform misdeeds and frame the client


9 of 15

Experiment

Methodology
- Tested DNS rebinding by running a Flash 9 advertisement
- Two machines: attacker, target
  - Attacker: DNS, Flash policy, Apache web server
  - Target: Apache web server
- Required only that the client view the ad

Results
- Received 50,951 impressions from 44,924 unique IP addresses
- Ran the rebinding experiment on 44,301 impressions (86.9%)
- Successful on 30,636 (60.1%) impressions and 27,480 unique IP addresses


10 of 15

Defense against rebinding (1)

Fixing Firewall Circumvention: by filtering packets at the firewall or by modifying the DNS resolvers used by clients on the network

Enterprise
- A firewall administrator for an organization can force all internal machines to use a DNS server that is configured not to resolve external names to internal IP addresses (300-line C program, dnswall)

Consumer
- Many consumer firewalls can be augmented with dnswall to block DNS responses that contain private IP addresses

Software
- Software firewalls can prevent their own circumvention by blocking DNS resolutions to 127.*.*.*
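The resolver-side filter described on this slide, written out as an added example in Python. This is not the authors' dnswall program (which is a C program, as the slide says); it only reproduces the rule dnswall enforces: answers for external names that point into private or loopback address space are dropped, while names inside the organization's own zones are answered normally. The internal suffix `corp.example` and the sample answers are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the internal zones this resolver is allowed to answer
# with private addresses (an assumption for the example, not from the paper).
INTERNAL_SUFFIXES = ("corp.example",)


def is_internal_name(name: str) -> bool:
    """True if the queried name lies inside one of the internal zones."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def is_internal_address(ip: str) -> bool:
    """True for RFC 1918, loopback (127.*.*.*) and link-local addresses.

    Python's ipaddress also classifies the documentation ranges (192.0.2.0/24,
    198.51.100.0/24, 203.0.113.0/24) as private; for a filter that should err
    on the side of blocking that is acceptable.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def filter_answer(qname: str, a_records: list) -> list:
    """Return the A records a dnswall-style resolver passes on to the client.

    An external name (anything outside INTERNAL_SUFFIXES) must never resolve to
    an internal address: that resolution is the rebinding step the attacker
    needs to reach the intranet or localhost. Internal names pass untouched.
    """
    if is_internal_name(qname):
        return list(a_records)
    return [ip for ip in a_records if not is_internal_address(ip)]


def resolution_blocked(qname: str, a_records: list) -> bool:
    """True when filtering removed every answer, so the client sees a failed lookup."""
    return bool(a_records) and not filter_answer(qname, a_records)


if __name__ == "__main__":
    # Constructed sample answers: (queried name, IPs the upstream DNS returned).
    samples = [
        ("www.example.net", ["171.64.78.10"]),              # ordinary external site
        ("attack.example", ["171.64.78.10", "10.0.0.7"]),   # rebinding attempt toward the intranet
        ("attack.example", ["127.0.0.1"]),                  # rebinding attempt toward localhost
        ("printer.corp.example", ["10.0.0.7"]),             # legitimate internal name
    ]
    for qname, ips in samples:
        print(f"{qname:24} {ips} -> {filter_answer(qname, ips)}")
```

The same logic covers all three deployment cases on the slide: an enterprise resolver, a consumer firewall that rewrites DNS replies, and a software firewall that only needs the loopback rule.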


11 of 15

Defense against rebinding (2)

Fixing Plug-ins

Flash
- Flash could fix most of its rebinding vulnerabilities by considering a policy valid for a socket connection only if it obtained the policy from the same IP address and from the same host name

Java
- A safer approach is to use the CONNECT method, which provides a proxied socket connection to an external machine

Java LiveConnect
- If the browser implements pinning, LiveConnect and the browser will use a common pin database, removing multi-pin vulnerabilities


12 of 15

Defense against rebinding (3)

Fixing Browser (Default-Deny Sockets)

Checking Host Header
- User agents include a Host header in HTTP requests
- Reject incoming HTTP requests with unexpected Host headers
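The Host header check from this slide as an added Python example (not code from the paper). A rebound request carries the attacker's host name in Host, because the browser still believes it is talking to that origin; an internal server that only accepts its own names refuses such requests. The expected names, the port and the sample requests are constructed for the example.

```python
# Constructed placeholder: the names this internal server is willing to serve.
EXPECTED_HOSTS = {"intranet.corp.example", "printer.corp.example"}
EXPECTED_PORT = 80


def parse_request_head(raw: bytes) -> list:
    """Parse the header block of an HTTP/1.x request into (name, value) pairs.

    Names are lower-cased; values keep their case so the caller decides how to
    compare them. The request line itself is skipped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def split_host(value: str, default_port: int):
    """Return (name, port) from a Host value; a missing port means default_port."""
    value = value.strip().lower().rstrip(".")
    name, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return value, default_port


def host_header_ok(raw: bytes, expected_hosts=EXPECTED_HOSTS,
                   expected_port: int = EXPECTED_PORT) -> bool:
    """True only when exactly one Host header is present and names this server.

    A missing Host header (HTTP/1.0-style request) and a duplicated Host header
    are both rejected: neither lets the server tell which origin the browser
    thinks it is talking to.
    """
    host_values = [v for n, v in parse_request_head(raw) if n == "host"]
    if len(host_values) != 1:
        return False
    name, port = split_host(host_values[0], expected_port)
    return name in expected_hosts and port == expected_port


def handle(raw: bytes) -> int:
    """Status code an internal server would answer with: 200, or 400 for a bad Host."""
    return 200 if host_header_ok(raw) else 400


if __name__ == "__main__":
    # Constructed requests: a normal one and one arriving through a rebound name.
    normal = b"GET /status HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"
    rebound = b"GET /status HTTP/1.1\r\nHost: attack.example\r\n\r\n"
    print(handle(normal), handle(rebound))
```

The check belongs on the server because the browser cannot know the server's real name; it is the server that knows which Host values it legitimately answers to.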

Finer-grained Origins
- Refine origins to include additional information (server's IP, public key)
- When the attacker rebinds attack.com to the target, the browser will consider the rebound host name to be a new origin

Smarter Pinning
- If a host name resolved to 171.64.78.10, the client would also accept any IP beginning with 171.64.78 for that host name
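A small pin table, added here as a Python example (not code from any browser or from the paper), that puts together three slides: plain pinning from slide 5, the multi-pin problem from slide 6 (a plug-in keeping its own pins, and the common pin database of slide 11 that removes it), and the smarter pinning rule above, where a later answer in the same /24 as the pin is tolerated. The addresses are constructed for the example.

```python
import ipaddress

# Constructed sample addresses (assumptions for the example, not from the paper).
ATTACKER_IP = "198.51.100.9"
ATTACKER_IP_ALT = "198.51.100.10"   # a second server in the attacker's /24
TARGET_IP = "10.0.0.7"              # intranet machine the attacker cannot reach directly


def same_network(a: str, b: str, prefix_len: int) -> bool:
    """True if b lies in the /prefix_len network that contains a."""
    net = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(b) in net


class PinDatabase:
    """One pin table: host name -> the first IP it resolved to in this session.

    smart=False reproduces plain pinning: the first address sticks and any
    later, different answer is refused. smart=True adds the smarter-pinning
    rule: a later answer is also accepted if it shares the pinned address's
    /prefix_len network, so a load-balanced site keeps working.
    """

    def __init__(self, smart: bool = False, prefix_len: int = 24):
        self.pins = {}
        self.smart = smart
        self.prefix_len = prefix_len

    def connect(self, host: str, resolved_ip: str):
        """Return the IP the client may connect to, or None if the answer is refused."""
        host = host.rstrip(".").lower()
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = resolved_ip          # first resolution: establish the pin
            return resolved_ip
        if resolved_ip == pinned:
            return pinned
        if self.smart and same_network(pinned, resolved_ip, self.prefix_len):
            return resolved_ip                     # tolerated: same block as the pin
        return None                                # rebinding to an unrelated address


def plugin_reaches_target(shared_pins: bool) -> bool:
    """Replay the multi-pin scenario: does the plug-in end up talking to the target?

    The page loads from attack.example while DNS answers ATTACKER_IP, so the
    browser pins there. The answer then flips to TARGET_IP and the plug-in
    resolves the name again. With its own table the plug-in pins to the
    target; with the browser's table the refreshed answer is refused.
    """
    browser = PinDatabase()
    plugin = browser if shared_pins else PinDatabase()
    browser.connect("attack.example", ATTACKER_IP)
    return plugin.connect("attack.example", TARGET_IP) == TARGET_IP


if __name__ == "__main__":
    print("separate pin tables, plug-in reaches target:", plugin_reaches_target(False))
    print("common pin database, plug-in reaches target:", plugin_reaches_target(True))
```

The /24 tolerance is the trade-off the slide describes: it keeps the attacker from re-pointing the name into another network, but it does not help if the attacker controls a whole block, which is why the paper goes on to policy-based pinning.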


13 of 15

Defense against rebinding (4)

Fixing Browser (Default-Deny Sockets)

Policy-based Pinning
- Browsers consult server-supplied policies to determine when it is safe to re-pin a host name from one IP to another, providing robustness without degrading security

Pinning Pitfalls
- Common Pin Database
- Cache: objects in the cache must be retrieved by both URL and originating IP
- document.domain = document.domain;
- Browser vendors appear reluctant to expose such an interface, and pinning in the OS changes the semantics of DNS for other applications


14 of 15

Defense against rebinding (5)

Fixing Browser (Default-Allow Sockets)

Host Name Authorization

Trusted Policy Providers
- Clients and DNS resolvers can also check policy by querying a trusted policy provider
- Trusted policy providers can greatly reduce the false positive rate
- For host names with multiple IP addresses, only authorized IP addresses should be included in the result, e.g. *.auth.ip.in-addr.arpa
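Host name authorization as an added Python example (not the paper's own code). The slide shows only the wildcard form `*.auth.ip.in-addr.arpa`; this block assumes a record layout of `<host>.auth.<reversed ip>.in-addr.arpa` for a single host name and the wildcard for "any host name", and it models the trusted policy provider as a second record source consulted alongside the address owner's own records. The record sets and addresses are constructed for the example.

```python
# Constructed authorization records. The layout is an assumption for this
# example: the address owner publishes <host>.auth.<reversed ip>.in-addr.arpa
# for each host name allowed to resolve to that address, or the wildcard
# *.auth.<reversed ip>.in-addr.arpa to allow any host name.
OWNER_ZONE = {
    "www.corp.example.auth.7.0.0.10.in-addr.arpa",   # 10.0.0.7 allows only www.corp.example
    "*.auth.20.0.0.10.in-addr.arpa",                 # 10.0.0.20 allows any host name
}

# A trusted policy provider vouching for addresses whose owners published nothing
# (here: 171.64.78.10, the address used on slide 12). Also constructed.
PROVIDER_ZONE = {
    "*.auth.10.78.64.171.in-addr.arpa",
}

DEFAULT_SOURCES = (OWNER_ZONE, PROVIDER_ZONE)


def reversed_octets(ip: str) -> str:
    """'10.0.0.7' -> '7.0.0.10', the in-addr.arpa ordering."""
    return ".".join(reversed(ip.split(".")))


def auth_query_name(host: str, ip: str) -> str:
    """Record name that would authorize host to resolve to ip (assumed layout)."""
    host = host.rstrip(".").lower()
    return f"{host}.auth.{reversed_octets(ip)}.in-addr.arpa"


def is_authorized(host: str, ip: str, sources=DEFAULT_SOURCES) -> bool:
    """True if any record source authorizes host for ip, by exact name or wildcard."""
    exact = auth_query_name(host, ip)
    wildcard = f"*.auth.{reversed_octets(ip)}.in-addr.arpa"
    return any(exact in zone or wildcard in zone for zone in sources)


def authorized_answers(host: str, a_records, sources=DEFAULT_SOURCES) -> list:
    """Keep only the A records the host name is authorized to use.

    An attacker's name that suddenly resolves to an intranet or localhost
    address is dropped because the address owner never published a record for
    it; a legitimate multi-address host keeps the addresses it is allowed to use.
    """
    return [ip for ip in a_records if is_authorized(host, ip, sources)]


if __name__ == "__main__":
    print(authorized_answers("www.corp.example", ["10.0.0.7", "10.0.0.8"]))
    print(authorized_answers("attack.example", ["10.0.0.7", "10.0.0.20"]))
    print(authorized_answers("www.example.net", ["171.64.78.10"]))
```

Without the provider (`sources=(OWNER_ZONE,)`) the public host in the last call loses its address, which is the false-positive case the slide says trusted policy providers reduce.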


15 of 15

Conclusion

An attacker can exploit DNS rebinding vulnerabilities to
- Circumvent firewalls
- Hijack IP addresses

Propose two defense options
- Policy-based pinning
- Host name authorization

Vendors and network administrators should deploy these defenses quickly before attackers exploit DNS rebinding on a large scale