Digg this story   Add to del.icio.us   (page 1 of 3 ) next 
Rebinding attacks unbound
Federico Biancuzzi, 2007-10-17

DNS rebinding was discovered in 1996 and affected the Java Virtual Machine (VM). Recently a group of researchers at Stanford found out that this vulnerability is still present in browsers and that the common solution, known as DNS pinning, is not effective anymore. In August, SecurityFocus covered the resurgence of interest in the attacks at the Black Hat Security briefings in Los Vegas.

Federico Biancuzzi tracked down one of the authors of the study, Adam Barth, to learn about the impact of the problem, which workarounds can be deployed right now, and how to protect browsers from DNS rebinding attacks in the long run.

SecurityFocus: Could you introduce yourself?

Adam Barth: I'm a Ph.D. student at Stanford University and a member of the Stanford Web Security Lab. Collin Jackson, Andrew Bortz, Weidong Shao, Dan Boneh, and I are presenting a paper at the 2007 ACM Conference on Computer and Communications Security, detailing how to protect browsers from DNS rebinding attacks.

What is DNS rebinding?

DNS rebinding is a vulnerability in Web browsers and their plug-ins that can be exploited to circumvent firewalls or to temporarily hijack a client's IP address, effectively converting browsers into open network proxies. Users rely on their Web browsers to isolate sites they visit using the same origin policy: one site should be able to read and write data only from itself. DNS rebinding vulnerabilities permit an attacker to confuse a Web browser into aggregating a target server into his or her origin, allowing the attacker to communicate with that server through the browser.

These attacks work because browsers and plug-ins use DNS host names to distinguish between different origins, but browsers don't actually communicate with the hosts by name: they must first use DNS to resolve the host name to an IP address and then communicate with the host by its IP address. Consider a host name, such as attacker.com, that is first bound to the attacker's Web server. The attacker can load JavaScript, Flash, or other active content into the attacker.com origin in the browser. If the attacker then rebinds attacker.com to point to the target's Web server, that active content can now read and write on sockets to the target server.

What type of attacks can it be used for?

These vulnerabilities can be used for two types of attacks.

First, DNS rebinding can be exploited to circumvent firewalls. If a user inside a corporate network views malicious content (delivered, for example, as an advertisement on a reputable Web site) the attacker can open network connections to any machine behind the corporation's firewall, through the browser. Using these connections, the attacker can ex-filtrate confidential documents, exploit unpatched vulnerabilities in network services, or otherwise abuse network services relying on the firewall for protection.

Second, DNS rebinding can be exploited to temporarily hijack a user's IP address to send spam email or defraud pay-per-click advertisers. Filtering spam relies heavily on black-listing IP addresses known to send spam. Using DNS rebinding, an attacker can send spam from the IP address of every client viewing his or her malicious content, avoiding these black lists. Similarly, the pay-per-click advertising schemes used by most advertising networks rely on filtering fake clicks by examining the patterns of clicks by each IP address. Using DNS rebinding, the attacker can launder his or her clicks through hundreds of thousands of unsuspecting Web browsers.

These attacks are extremely cost effective, because the attacker needs only for the client to display his or her malicious content. Advertising networks sell impressions for tens of cents per thousand. We ran an experiment where we ran a Flash advertisement containing a DNS rebinding attack (against ourselves) on an advertising network and were able to hijack 30,000 unique IP address for $30, an order of magnitude cheaper than building a traditional bot network.

Story continued on Page 2 

Federico Biancuzzi is freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
    Digg this story   Add to del.icio.us   (page 1 of 3 ) next 
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus