Retro attack gets new life, worries browser makers
Robert Lemos, SecurityFocus 2007-08-06

LAS VEGAS -- On a summer day seven weeks ago, a small group of software architects and network engineers descended on Stanford University, worried.

The group -- which, according to sources, included representatives from Microsoft, Mozilla, Sun Microsystems and Adobe -- had been summoned by a team of student researchers and professors at Stanford's Security Lab. The researchers had investigated reports that a critical part of browser security could be bypassed, allowing an online attacker to connect to browser-accessible resources on a victim's local network. While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford -- known as domain-name service (DNS) rebinding -- could send and receive data from the local network, completely bypassing the firewall.

To prove the danger, the Stanford students bought placement for a Flash advertisement on a marketing network and found that, for less than $100, an attacker could have hijacked as many as 100,000 Internet addresses in three days.

"This turns out to be several orders of magnitude cheaper than renting a botnet," Collin Jackson, a PhD student in computer science at Stanford and a member of the Security Lab, said during an interview at the Black Hat Security Briefings.

The issue, which had been discussed only among experts in the area of browser security, came to prominence this week in Las Vegas. Two security experts -- David Byrne, security architect with EchoStar Satellite, and Dan Kaminsky, director of penetration testing at IOActive -- gave separate presentations on the subject at the Black Hat Security Briefings and then repeated their talks at the DEFCON hacking conference. Their warning: Corporate firewalls and virtual private networks (VPNs) could easily be penetrated using this technique, and any permanent fix will take time.

"If you came to my (hypothetical) Web site, I get to use -- not something like a VPN -- but your VPN into your network," Kaminsky told SecurityFocus after his presentation. "You come to my Web site and it lets me misuse your Web browser like a VPN concentrator."

The attack exploits flaws in how the browser and key browser plug-ins -- such as Flash and Java -- implement their security model. At the heart of the problem is the Same Origin Policy, which sandboxes JavaScript so that code from one domain cannot run in the context of, or access the resources of, another domain.
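The rebinding described above works because the browser keeps trusting the attacker's hostname after its DNS record is switched from a public address to an address on the victim's local network. As an added defender-side example (not code from the article, the Stanford lab or the browser vendors), the following Python sketch shows the resolver-side check that closes that gap: a hostname outside the organisation's own internal zones must never resolve to loopback, link-local or RFC 1918 space, and a name that first resolved publicly and then flips to such an address is flagged as a rebind. All hostnames, addresses and the `.corp.invalid` zone suffix are constructed for the example.

```python
import ipaddress

# Address ranges a public hostname should never resolve to (assumption:
# the deployment has no legitimate public names pointing at these).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed internal zones whose names are allowed to carry private addresses.
INTERNAL_SUFFIXES = (".corp.invalid",)

# Constructed DNS answers as (queried name, answer IP, TTL seconds).
# The ad-network name answers publicly first, then rebinds to the router.
SAMPLE_ANSWERS = [
    ("ads.example-marketing.invalid", "203.0.113.10", 1),
    ("ads.example-marketing.invalid", "192.168.1.1", 1),
    ("www.example.org", "198.51.100.7", 3600),
    ("intranet.corp.invalid", "10.0.0.5", 300),
    ("evil.example.invalid", "127.0.0.1", 1),
]


def is_internal_target(ip: str) -> bool:
    """True if the address lies in a range reserved for the local network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS if net.version == addr.version)


class RebindGuard:
    """Remembers the first answer per name and vetoes public-to-private flips."""

    def __init__(self, internal_suffixes=INTERNAL_SUFFIXES):
        self.internal_suffixes = internal_suffixes
        self.first_seen = {}  # hostname -> first answer IP observed

    def check(self, name: str, ip: str, ttl: int) -> str:
        name = name.lower().rstrip(".")
        first = self.first_seen.setdefault(name, ip)
        if is_internal_target(ip) and not name.endswith(self.internal_suffixes):
            # A low TTL is the usual rebinding signature, but the decision
            # rests on the address, so a long-TTL private answer is blocked too.
            return "block-rebind" if first != ip else "block-private"
        return "allow"


def run_samples():
    """Apply the guard to the constructed answers, returning (name, ip, verdict)."""
    guard = RebindGuard()
    return [(n, ip, guard.check(n, ip, ttl)) for n, ip, ttl in SAMPLE_ANSWERS]
```

The same rule can be applied at a local DNS proxy or in the browser's resolver cache; internal zones are whitelisted explicitly so that genuine intranet names keep working.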

The policy, while simple in concept, turns out to be difficult to implement correctly, said EchoStar's Byrne during his presentation.

"The same origin policy is a good idea ... but it is also terribly broken in most implementations," Byrne said.

Story continued on Page 2 

Copyright 2010, SecurityFocus