Security Now 260
Topic: DNS Rebinding
Recorded: August 4, 2010
Published: August 5, 2010
Security Now 260: DNS Rebinding
News & Errata
15:48 - 23:07
- Microsoft has released an out-of-cycle patch for the .lnk vulnerability
23:08 - 29:11
- The supposed WPA hack is now being criticized within the security community as a publicity stunt
- The idea was that if you're a client associated with a WPA-protected access point, the groupwise temporary key, which all clients of a single access point share so that they can do things like broadcast to each other, allows you to do ARP spoofing in order to intercept someone else's traffic. That is all this turned out to be: ARP spoofing.
- The problem is that traffic is still encrypted with their private key.
29:12 - 34:12
- A mistake has been found in Apple's PDF rendering engine, in the way it renders Type 1C fonts in PDF files
- This is being exploited to allow anyone to easily jailbreak their iPhone / iPad
34:13 - 41:06
- There's an Android app called Jackeey Wallpaper, from a Chinese site called IMNet, which claims to give you a collection of images for use as wallpaper
- However, it was discovered that this app was collecting, in the background, phone numbers, SIM card numbers, text messages, subscriber IDs, and voicemail passwords.
- The captured data was sent to www.imnet.us, whose registration indicates an address in Shenzhen, Guangdong, China
41:07 - 41:54
- The U.K.'s Information Commissioner's Office, the ICO, formally concluded that Google "did not collect meaningful personal details."
41:55 - 43:33
- However, the UK government has formally said that it is going to continue using IE6, despite mounting pressure to move to a better browser, even IE7 or IE8, or maybe Firefox.
- The bad news is they made the mistake many years ago of commissioning the creation of a large body of custom, government-driving software which only runs on IE6.
43:34 - 48:45
- As of October 11th the government of the UAE is going to shut down BlackBerry service within the UAE because it is unable to determine what people are texting and sending back and forth to each other
48:46 - 54:22
- An interesting concept called "Blitzableiter" was presented at BlackHat
- It's an interesting approach for making Flash secure
- The concept is that it's sort of an intermediary which reads a Flash movie and parses the file into a meta language, and then builds that back into a Flash file.
54:23 - 58:04
- Steve likes the "iLuv anti-glare film" for reducing glare on his iPad
- Amazon sells it as does i-Luv.com
58:05 - 59:36 Greg Scheeler (Unknown)
SpinRite fixed a broken computer
01:02:10 - 01:27:48
- First we need to talk about what's called "same-origin policy"
- What they wanted to prevent was it doing anything to other websites on behalf of the user
- So they said: let's let the script deal only with the same site; that is, the site it came from is the only server domain name it is able to access. This is the notion of same-origin policy.
- The problem is that DNS creates a relatively weak link or a weak binding between the domain name and the IP
- So it's been understood, though, that there are some problems created with this.
- And this has been known for about 14 years.
- The first DNS rebinding attack was seen in 1996.
- What got this into the news just recently is that another new vulnerability was discovered in routers that hadn't been suspected before:
- The router will accept connections aimed at its WAN IP from the LAN.
- The way the new attack works is:
- The idea would be you browse to a malicious site.
- You don't need to press any buttons, click any links, do anything. You just download a page from the site.
- Or what's even more disturbing, a web ad is served by a malicious site.
- So the idea is, when your browser asked for the IP address of attacker.com, it received a valid IP address the first time it asked.
- Then, in running the script, the script says, oh, I need something else from attacker.com.
- So what happens is your computer makes another request for the IP address of attacker.com.
- The reason it does that is that your browser has its own DNS cache, but plug-ins like Flash have their own.
- So even though your browser knew the IP address of attacker.com, the Flash plug-in has a separate DNS name space; that is the technical term.
- So the Flash plug-in, or Java, or Silverlight or whatever, is not privy to, for example, Firefox's DNS cache or even your system's DNS cache.
- They've got their own. So they'll make a request.
- When that second request is made, instead of returning the IP address of the site, it returns an IP address that is probably your router's gateway, like 192.168.0.1.
- So now consider the same-origin policy we were talking about, which prevents a script from having access to different domains: the plug-in asked for attacker.com, which it has just been told is 192.168.0.1.
- But attacker.com is where the script came from because that's where the browser originally loaded it from.
- Which means that the script came from attacker.com.
- Now this Flash plug-in believes that attacker.com is your gateway, is your router.
- Which means it has full permission within the same-origin policy to do anything it wants.
- And so it's able to establish a web connection to your router and log in without you knowing it, assuming that you didn't change your username and password.
- It can typically identify the make and model of your router from the greeting page, the login page that tells it what kind of router you have.
- It then looks up in its own little dictionary the default username and password.
- And more often than not, about half the time it's able to log on.
- Now, some browsers and plug-ins protect against this because this has been known for a long time.
- The protection is to block any DNS query which returns a local IP
- So this problem was believed to have gone away
- It turns out it crept back in, in a different form.
- And that's what this hacker revealed last weekend at Black Hat: not only can you browse to your router's web interface using the private gateway IP, 192.168 dot whatever dot whatever; you can, believe it or not, also get there using its public IP, that is, the WAN IP of the router, even if WAN-side access has been disabled, that is, even if you've specifically configured your router not to allow WAN-side access.
- The way the stacks are written in DD-WRT and OpenWrt, these aftermarket firmwares, and in some of the standard manufacturer firmware, the router will still respond from inside the network if you use the IP from outside the network.
- NoScript v2.0 blocks this new type of attack
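
The filtering described above, as an added example that is not from the episode or these notes: a resolver-side check that drops answers pointing at local addresses, run with and without an extra comparison against the network's own WAN IP. The names `verdict` and `replay`, the sample answers and the address standing in for the WAN IP are all constructed for illustration.

```python
import ipaddress

# Loopback, RFC 1918 private and link-local ranges (IPv4 and IPv6).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(addr):
    """True if addr falls in one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def verdict(addr, wan_ip, check_wan=True):
    """Classify one DNS answer for an external name: 'pass' or a drop reason."""
    if is_local(addr):
        return "drop: local address"
    if check_wan and ipaddress.ip_address(addr) == ipaddress.ip_address(wan_ip):
        return "drop: our own WAN address"
    return "pass"


# Constructed sample: three answers a hostile DNS server could give for the
# same name. 203.0.113.20 is a placeholder for this network's WAN IP.
WAN_IP = "203.0.113.20"
ANSWERS = [
    ("attacker.com", "198.51.100.7"),   # first lookup: the real web server
    ("attacker.com", "192.168.0.1"),    # rebind to the private gateway IP
    ("attacker.com", "203.0.113.20"),   # rebind to the router's public IP
]


def replay(check_wan):
    """Run every sample answer through the filter and return the verdicts."""
    return [verdict(addr, WAN_IP, check_wan) for _, addr in ANSWERS]


if __name__ == "__main__":
    for label, flag in (("local-IP filter only", False),
                        ("local-IP filter plus WAN-IP check", True)):
        print(label)
        for (name, addr), v in zip(ANSWERS, replay(flag)):
            print(f"  {name} -> {addr}: {v}")
```

With only the local-range check, the third answer passes, which is the gap the Black Hat talk exposed; comparing against the router's own public address closes it at the resolver.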
- Post Maker's Faire
- Ad Times: 01:02-01:21 and 12:19-15:42
Go To Assist
- G2AX #7
- Ad Times: 00:45-01:01 and 59:41-01:02:08
- Edited by: Erik