http://directwebremoting.org/blog/mark/tags/dns/ Security, information, miscellanea en Mark Goodwin Thu, 16 Aug 2007 22:02:00 GMT Pebble (http://pebble.sourceforge.net) http://backend.userland.com/rss http://directwebremoting.org/blog/mark/2007/07/19/does_firefox_implement_dns_pinning.html <p> I've been playing around with DNS pinning over the past few weeks; mainly on how the presence of proxies affects the story, which Rsnake and Portswigger <a href="http://ha.ckers.org/blog/20070710/dns-pinning-affects-proxies-too/">beat me to</a> (nice work guys), but also on various other bits. </p> <p> Something that's caught my attention, especially following <a href="http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns-pinning.aspx">David Ross' comments</a> on how IE does not actively implement DNS Pinning, is that the Firefox's DNS Pinning behaviour (if it does it at all) is rather interesting: </p> <p> It seems that all you have to do to make Firefox rebind is wait a minute or two. The normal explanation of how the attack needs to work is as follows: </p> <ol> <li><i>Client</i> is fooled to request a page from <i>attacker</i>, <i>client</i>'s resolver looks up <i>attacker</i> and is told that <i>attacker</i> is at yyy.yyy.yyy.yyy.</li> <li><i>Client</i> requests a page from <i>attacker</i> (at yyy.yyy.yyy.yyy) and is returned a page containing a script which tells <i>client</i> to come back later</li> <li>Once this is served, <i>attacker</i> changes its DNS so the RR for <i>attacker</i> now points to zzz.zzz.zzz.zzz. <i>Attacker</i> also firewalls off its webserver.</li> <li>When <i>client</i> comes back to refresh the page (or whatever the script told it to do) it discovers the server is down and rebinds DNS</li> <li><i>Client</i> then connects to what it thinks is <i>attacker</i> but which is actually the machine at zzz.zzz.zzz.zzz</li> <li>The script served to <i>client</i> by <i>attacker</i> can now read content from zzz.zzz.zzz.zzz and pass it on however the attacker wishes</li> </ol> <p> It seems that with the Firefox behaviour, <i>attacker</i> no longer needs to carry out the firewalling step; it simply needs to serve a script which is told to wait for something between 80 seconds and 2 minutes. The amount of time seems to change; I suspect the browser has a resolver cache which is cleared periodically but I've not really looked to find out whether this is the case. </p> <p> This has some interesting implications: <ul> <li>If you don't need to firewall off the webserver, it's much easier to make use of more than a single host; many targets of this type of attack will sit NATed behind a firewall, and even selective firewalling would block other potentially useful client machines</li> <li> The <a href="http://seclists.org/fulldisclosure/2007/Jul/0159.html">original 'Princeton' attack</a> on applets (and presumably various browser plugins) can perhaps still be made to work without relying on a proxy just by timing things right. </li> </ul> </p> <p> I'm sure the rabbit hole goes much deeper than this. Let's see what happens. </p> <p> <b>Update:</b> In my tests I'm sending responses to the original request to <i>attacker</i> with <code>Connection: close</code>; maybe this is affecting the behaviour? </p> <p> <b>Update 2:</b> Having tested my theory on applet attacks; I think this is not possible. </p> http://directwebremoting.org/blog/mark/2007/07/19/does_firefox_implement_dns_pinning.html#comments http://directwebremoting.org/blog/mark/2007/07/19/does_firefox_implement_dns_pinning.html Thu, 19 Jul 2007 18:27:00 GMT