SecurityFocus, 2007-08-06
While security researchers have begun focusing on the issue in earnest, the basic research on the problem is more than a decade old.
In 1996, three researchers from Princeton found a flaw in the implementation of the Same Origin Policy in Java and the Netscape browser. A malicious Web site could register two -- or more -- addresses as valid for its domain, and if one of those addresses belonged to the network local to the victim's browser, the Internet site was allowed to access the local resource. A variant of the attack uses low time-to-live (TTL) settings in the DNS record so that the attacker can update the domain's Internet addresses on the fly and reroute requests into the victim's local network.
"This attack is particularly dangerous when the browser is running behind a firewall, because the malicious applet can attack any machine behind the firewall," researchers Drew Dean, Edward Felten and Dan Wallach stated in their May 1996 paper presented at the IEEE Symposium on Security and Privacy in Oakland. "At this point, a rogue applet can exploit a whole legion of known network security problems to break into other nearby machines."
To solve the problem, Java developer Sun Microsystems and the browser vendors adopted a technique known as DNS pinning, in which the software does not allow the Internet address associated with a domain to change for a certain period of time. Pinning the domain name slowed the association of a second network address with the domain, severely restricting such attacks.
However, the pin eventually has to expire, and vulnerability researchers have searched for ways to speed up that process. Such techniques are known as anti-DNS pinning attacks, a subset of DNS rebinding attacks. Moreover, browsers and common plug-ins, such as Adobe's Flash and Sun's Java, keep separate tables of pinned domains and have different implementations and weaknesses, researchers have found.
The latest attack, outlined by Martin Johns of the University of Hamburg a year ago, forces browser software to refresh the DNS entry by making the original Web site inaccessible, using a firewall rule for example.
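The pinning and forced-refresh behaviour described above, as an added example that is not part of the original article: a Python simulation of a browser DNS cache under a constructed rebinding sequence, comparing a naive TTL-honouring cache, a pinning cache, a pinning cache whose host is made unreachable, and a cache that additionally refuses internal addresses for external names. The hostname, the addresses, the pin duration and the internal-range policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ranges a browser should never accept for an external hostname (RFC 1918,
# loopback, link-local). Assumed policy for this example, not the article's.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class Answer:
    addr: str   # address the attacker-controlled zone returns
    ttl: int    # record TTL in seconds; a low value invites rapid rebinding

@dataclass
class Resolver:
    """pin_seconds=0 is a naive cache that honours the TTL; a positive value pins
    the first address for that long. block_internal adds the stronger defence."""
    pin_seconds: int = 0
    block_internal: bool = False
    cache: dict = field(default_factory=dict)  # name -> (addr, valid_until)

    def resolve(self, name: str, answer: Answer, now: int):
        if self.block_internal and any(ip_address(answer.addr) in n for n in INTERNAL_NETS):
            return None  # refuse to bind an external name to an internal address
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]  # cached or pinned address still in force
        self.cache[name] = (answer.addr, now + max(self.pin_seconds, answer.ttl))
        return answer.addr

    def connection_failed(self, name: str) -> None:
        """Johns' observation: a browser that drops its pin when the pinned host
        becomes unreachable can be made to re-resolve before the pin expires."""
        self.cache.pop(name, None)

# Constructed sequence: the zone first answers with the attacker's public host,
# then, once the 1-second TTL has passed, with an address on the victim's LAN.
SEQUENCE = [(0, Answer("203.0.113.10", 1)), (2, Answer("192.168.1.1", 1))]

def simulate(resolver: Resolver, outage: bool = False, name: str = "evil.example"):
    """Return the address each lookup yields; outage=True models the pinned host
    being made unreachable (for example by a firewall rule) between lookups."""
    results = []
    for i, (now, ans) in enumerate(SEQUENCE):
        results.append(resolver.resolve(name, ans, now))
        if outage and i == 0:
            resolver.connection_failed(name)
    return results
```

`simulate(Resolver())` follows the rebind to the LAN address while `simulate(Resolver(pin_seconds=3600))` keeps the first address for both lookups; only the `block_internal` resolver refuses the LAN address even after a forced refresh.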
Both EchoStar's Byrne and IOActive's Kaminsky delved into the impact of the attack, and found that -- with a victim's browser as a proxy -- an attacker could use software usually available to any penetration tester to enumerate and attack a normally protected network.
"Once the attacker has access to the internal network, simple tools can be used to find vulnerabilities," Byrne said.