Your browser is a TCP/IP relay

I’ve been a longtime fan of fellow hacker Dan Kaminsky, best known for his work in tracking down the spread of the Sony rootkit. Recently I spoke with him about his current work, and he summed it up by saying, “I can turn your web browser into a VPN concentrator.” When I stared at him in disbelief he explained that using DNS rebinding he can get the browser to connect to any IP he chooses.

The technique originates in the browser security model, which is based on the same-origin policy. That policy allows a web browser, whether using JavaScript or Flash, to connect back to the host the content came from. If the attacker changes where the hostname points, the browser can connect there. For example, the next time you connect to attacker.com, the DNS server actually serves you a 192.168.1.1 address, allowing the web app to connect to your internal IP.
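One defence against the flow just described sits in the resolver: refuse to hand a public hostname an internal address, and log the short-TTL flip that precedes it. The filter below is an added illustration, not code from the post or from slirpie; the zone corp.example and every address in the timeline are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Private, loopback and link-local space that a public hostname should never resolve to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

@dataclass
class RebindGuard:
    """Resolver-side filter: remembers what each name last resolved to and
    refuses answers that would rebind an external name onto an internal address."""
    local_zones: tuple = ("corp.example",)    # hypothetical internal zone allowed RFC1918 answers
    seen: dict = field(default_factory=dict)   # name -> last accepted IP

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in BLOCKED_NETS)

    def check(self, name, ip, ttl):
        """Return (accept, reason) for one A/AAAA answer."""
        name = name.lower().rstrip(".")
        if self.is_internal(ip) and not name.endswith(self.local_zones):
            return False, f"{name} -> {ip}: external name answered with internal address"
        prev = self.seen.get(name)
        if prev is not None and prev != ip and ttl < 30:
            # Accepted, but the change-of-address-with-tiny-TTL pattern is worth a log line.
            reason = f"{name} changed {prev} -> {ip} with TTL {ttl}s"
        else:
            reason = "ok"
        self.seen[name] = ip
        return True, reason

# Constructed timeline modelled on the post: attacker.com first answers with a public
# address and a 5-second TTL, then re-answers with the victim's internal router.
TIMELINE = [
    ("attacker.com", "203.0.113.10", 5),
    ("attacker.com", "192.168.1.1", 5),
    ("intranet.corp.example", "192.168.1.20", 3600),
    ("attacker.com", "203.0.113.11", 5),
]

def run(timeline=TIMELINE):
    guard = RebindGuard()
    return [guard.check(*answer) for answer in timeline]

if __name__ == "__main__":
    for accepted, reason in run():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

Stub resolvers such as dnsmasq offer a comparable option (`--stop-dns-rebind`); the point of the filter is that the rebound answer is dropped before the browser ever sees it.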

At Black Hat, in his Black Ops 2007: Design Reviewing The Web talk, Dan released his slirpie tool, a framework that lets you tunnel traffic through a person’s web browser.

I will demonstrate an extension of RSnake and Boneh’s work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page.

I have had for a while a lurking feeling that the Web 2.0 world is full of surprising attack vectors that no one has come around to exploiting. Work like this doesn’t exactly fill me with confidence that the environment is secure.

If you have ever wondered what framework a certain site uses, Dan also gives us p0wf.

But the web has become almost an entirely separate OS layer of its own, and especially with AJAX and Web 2.0, new forms of RPC and marshalling are showing up faster than anyone can identify. p0wf intends to analyze these streams and determine just which frameworks are being exposed on what sites.

I am really happy Dan is on our side.

** Update 6:03 PM PST **

Megginson Technologies has more details and how it can affect you.

** Update 6:00 PM Thursday, August 2 **

Dan finally posted his slides. He also discusses breaking audio captchas and busting provider hostility, the opposite of network neutrality.

  • Anonymous

    The URL to Dan Kaminsky’s site is broken, it should be: http://www.doxpara.com

  • http://500hats.typepad.com dave mcclure

    hmmm… if i didn’t know any better, i’d swear that headline was ripped off from a John Mayer tune

    ;)

  • http://larholm.com/ Thor Larholm

    The technique itself is nothing new, but the slirpie tool itself is new.

    I would love to combine slirpie with a web-based Tor interface. In short, “Add this script include to your site and your visitors automatically expand our anonymous Tor network”.

    Just think of all those spare sockets doing nothing while they are reading your latest blog entry or article :)

  • http://www.embracingchaos.com Leo Dirac

    Wouldn’t client-side DNS caching make this attack unreliable if not completely ineffective? OSes keep DNS caches, as do many browsers.

    Once you connect to attacker.com, I don’t think there would be another DNS lookup for a while.

  • Valentino Vaschetto

    Regarding DNS caching:

    http://en.wikipedia.org/wiki/Time_to_live. Read up on “Time to live of DNS records”.

    Unless the OS and the browser (the browser doesn’t cache DNS, but I’ll entertain anyway) do not follow the standard, you can set the time to live of your DNS record to something like 5 seconds. After 5 seconds of being on the site, your DNS server changes the IP to something useful (192.168.1.1?) and the website launches its attack. Absolutely brilliant.

  • Bind9 Guy

    Actually, Valentino is correct. This is all to do with something called Time-To-Live (TTL). However, what they don’t tell you is that you can’t do this to multiple people on a large scale with a 1 second TTL alone, since new visitors would just get (or most likely if you were to say alternate it) the 192.168.X.X IP.

    What you would need to use is iptables in Linux for example to take each IP that connects the first time, and then redirect each subsequent DNS query to an alternate port running another view in DNS. (A view is just a way for one DNS server to show different answers depending on clients’ IPs among other things.) Or even just bind9 running on a separate port with a separate set of configs.

    Actually, this attack vector I would think is commonly used. Say I were CSIS (Canadian CIA) and I was ordered to take over your machine. One thing I could do if you were an avid user of one of a million different “phone home” apps is take over your DNS or proxy your connection to a site and alter all occurrences of MD5 checksums or whatever, and trick any program on your machine with weak authentication into thinking an update is available.

    Verify any checksum you want, ’cause without at least encryption, there is no way you can prove it. This is about what is done except there’s no man-in-the-middle here, just you blindly accepting the “truth” that your computer has been served.

    World of Warcraft updates anyone? pwn 8million+ FTW!

  • http://radar.oreilly.com/artur/ Artur Bergman

    Bind9:

    You can write a custom DNS server that gives different results to different users.

  • Bind9 Guy

    Artur,

    True. And I am sure you could even just hack up bind a tad as well (hey, why reinvent the wheel). I just figure it’s easier to not write any code and just use pre-existing tools, such as the iptables+bind setup.

    Although I suppose you could consider the act of writing a config file a bit of minor programming as well depending on how you look at things, no?

    Anyways, fun as usual to point out to the less technically inclined people out there, just how insecure public technology really is. It’s a shame that we only keep the general online population feeling safe through lies and pretending things are something that they aren’t, and that is honest and secure.

    Mind you, I guess sometimes you gotta lower yourself to such a level to catch the real criminals who think the internet is going to help them further destroy society.

  • http://radar.oreilly.com/artur/ Artur Bergman

    Bind9 Guy:

    True, avoiding writing code is always my preferable choice :). However Dan has thankfully written slirpie and hopefully he releases it. No code at all!

    Artur

  • kL

    It’s easy to protect against by using ‘virtualhosts’ (requiring HTTP/1.1 Host header to be correct).
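The Host-header check kL mentions, written out as an added example (not code from the post or from any commenter): a rebound request still arrives with the attacker’s hostname in Host, so a server that only answers for names it actually serves refuses it even though the TCP connection is local. The hostnames in ALLOWED_HOSTS and the listening port are constructed.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this server legitimately answers for (constructed for the example).
ALLOWED_HOSTS = {"router.local", "192.168.1.1"}

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this server.
    Case is folded and an optional :port is stripped, including for bracketed IPv6 literals."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # [::1]:8080 -> ::1
        host = host[1:host.find("]")] if "]" in host else host
    elif host.count(":") == 1:
        # router.local:8080 -> router.local
        host = host.split(":", 1)[0]
    return host in allowed

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # A request rebound from attacker.com carries "Host: attacker.com" and is rejected here.
        if not host_allowed(self.headers.get("Host")):
            self.send_error(400, "Bad Host header")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"admin page\n")

if __name__ == "__main__":
    HTTPServer(("", 8080), Handler).serve_forever()
```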

  • urgeay

    well i think that all you have to do is not care so much about the internet.