Hello I read the article written by Martin Johns. http://shampoo.antville.org/stories/1451301/ It was very interesting for me, and I made an online demonstration. http://www.jumperz.net/index.php?i=2&a=1&b=7 Changing DNS record ( IP address of the attackers host ) to a private address, and stealing information from Intranets. Please try this. ( Please don't send sensitive informations :) By the way, DNS issue is very compricated. If the web browser caches DNS record forever, there will be a problem about dynamic DNS. ( a scenario written at https://bugzilla.mozilla.org/show_bug.cgi?id=162871#c10 ) And if the web browser updates DNS record, attack like Martin's article( and my demonstration ) will become possible. What do you think? IMHO, it is a vulnerability of DNS protocol itself, not of web browsers. Thanks. http://sla.ckers.org/forum/read.php?6,4511,4511#msg-4511 Tue, 18 Jun 2013 20:16:14 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?6,4511,14526#msg-14526 http://sla.ckers.org/forum/read.php?6,4511,14526#msg-14526
But I don't think so. The malicious code on the browser can communicate with the attackers another host using cross domain access technique like JSONP, FLASH with valid crossdomain.xml ( or policy-server ).

So we don't need Multi-Pin. Single-pin ( to the target host ) is enough.]]> Kanatoko Networking Fri, 10 Aug 2007 09:43:10 -0500 http://sla.ckers.org/forum/read.php?6,4511,14500#msg-14500 http://sla.ckers.org/forum/read.php?6,4511,14500#msg-14500
>That paper has been posted here by christ1an some days ago

I didn't know that. thanks.
In that paper, my web site is called as "black-hat community". lol

>FYI, I'm currently implementing its "same subnet" anti-rebinding
> policy (both in IPV4 and IPV6) as a new NoScript feature that I call "DNS Nailing".

Wow, you are Mr.NoScript! Great.
I have used NoScript for months and it really works well. Thanks.
I'll buy you a drink when you come to Tokyo :)]]> Kanatoko Networking Thu, 09 Aug 2007 10:31:10 -0500 http://sla.ckers.org/forum/read.php?6,4511,14490#msg-14490 http://sla.ckers.org/forum/read.php?6,4511,14490#msg-14490
FYI, I'm currently implementing its "same subnet" anti-rebinding policy (both in IPV4 and IPV6) as a new NoScript feature that I call "DNS Nailing".]]> ma1 Networking Thu, 09 Aug 2007 06:28:58 -0500 http://sla.ckers.org/forum/read.php?6,4511,14489#msg-14489 http://sla.ckers.org/forum/read.php?6,4511,14489#msg-14489 I like this term because it represents the issue correctly.

And, just FYI
"Protecting Browsers from DNS Rebinding Attacks" by Stanford University
http://crypto.stanford.edu/dns/]]> Kanatoko Networking Thu, 09 Aug 2007 05:32:35 -0500 http://sla.ckers.org/forum/read.php?6,4511,13978#msg-13978 http://sla.ckers.org/forum/read.php?6,4511,13978#msg-13978
Following the news the other day that IE doesn't actively implement DNS-Pinning; it seems Firefox (2.0.0.4) DNS pinning is either non-existent or somewhat strange too.

Take a look and let me know what you think http://getahead.org/blog/mark .

Goodwinster]]> goodwinster Networking Thu, 19 Jul 2007 14:24:32 -0500 http://sla.ckers.org/forum/read.php?6,4511,13265#msg-13265 http://sla.ckers.org/forum/read.php?6,4511,13265#msg-13265 http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html]]> christ1an Networking Tue, 03 Jul 2007 05:44:01 -0500 http://sla.ckers.org/forum/read.php?6,4511,11355#msg-11355 http://sla.ckers.org/forum/read.php?6,4511,11355#msg-11355 rsnake Networking Tue, 08 May 2007 20:19:40 -0500 http://sla.ckers.org/forum/read.php?6,4511,10776#msg-10776 http://sla.ckers.org/forum/read.php?6,4511,10776#msg-10776 I hope this is right :)

"DNS Spoofing"
-----
An attack technique that break the same origin policy based on the hostname, by changing the DNS
-----

"DNS Pinning"
-----
Can be called as "Anti-DNS Spoofing".
Pins the DNS cache.
Implemented by Browsers and Java Applet
-----

"Anti-DNS Pinning"
-----
Breaking the DNS Pinning by making the browser fail the connecting attempt.
(Please read the Martin's article for more detail )
-----



And, FLASH is simpley vulnerable to The DNS Spoofing :)]]> Kanatoko Networking Tue, 24 Apr 2007 15:01:42 -0500 http://sla.ckers.org/forum/read.php?6,4511,10770#msg-10770 http://sla.ckers.org/forum/read.php?6,4511,10770#msg-10770 http://www.cs.princeton.edu/sip/news/sun-02-22-96.html

11 years ago! :p]]> Kanatoko Networking Tue, 24 Apr 2007 13:36:47 -0500 http://sla.ckers.org/forum/read.php?6,4511,9587#msg-9587 http://sla.ckers.org/forum/read.php?6,4511,9587#msg-9587 hackathology Networking Fri, 06 Apr 2007 09:15:00 -0500 http://sla.ckers.org/forum/read.php?6,4511,6488#msg-6488 http://sla.ckers.org/forum/read.php?6,4511,6488#msg-6488
Martin's blog:http://shampoo.antville.org/stories/1566124/
Demo:http://www.jumperz.net/index.php?i=2&a=1&b=9]]> Kanatoko Networking Mon, 05 Feb 2007 14:57:52 -0600 http://sla.ckers.org/forum/read.php?6,4511,6486#msg-6486 http://sla.ckers.org/forum/read.php?6,4511,6486#msg-6486 >Can you supply us with the source to the Flash Actionscript?

Do you mean the source code of the FLASH file?
If so, it has been here. http://www.jumperz.net/exploits/aflash.mxml.txt
I have updated my demo and now it is faster than the old version as you say in your blog, but the FLASH file is not changed.
I just remove the JavaScript part.

WhiteAcid
Thanks to your information about Ubuntu!]]> Kanatoko Networking Mon, 05 Feb 2007 14:53:27 -0600 http://sla.ckers.org/forum/read.php?6,4511,6429#msg-6429 http://sla.ckers.org/forum/read.php?6,4511,6429#msg-6429 I can confirm that it works with Flash 9 on Ubuntu too.]]> WhiteAcid Networking Sun, 04 Feb 2007 21:13:56 -0600 http://sla.ckers.org/forum/read.php?6,4511,6427#msg-6427 http://sla.ckers.org/forum/read.php?6,4511,6427#msg-6427 rsnake Networking Sun, 04 Feb 2007 20:58:56 -0600 http://sla.ckers.org/forum/read.php?6,4511,6253#msg-6253 http://sla.ckers.org/forum/read.php?6,4511,6253#msg-6253
*FLASH does not pin DNS* :)

I thought that FLASH will pin the DNS cache so we need to use the
"classical" way ( shutting down the web server, using the closed port, using the firewall etc) same as JavaScript.

But FLASH does the name resolution by itself, not depend on the web
browsers ( maybe but depend on the OS ).
I mean, there is no relationship between FLASH and the web browsers on
the DNS cache and the name resolution.
The web browsers( IE, Firefox and Opera ) pin the DNS cache.
FLASH does not pins the DNS cache on the other hand.

FLASH discards the old DNS cache after the TTL has passed.
We don't need to use any techniques to make FLASH refresh the DNS cache.
We just need to wait.

So attacking FLASH is very easy.

I noticed this thing and updated my demohttp://www.jumperz.net/index.php?i=2&a=1&b=8.
The source code of the demo becomes very simple now ( because there is no
need to use the closed port ).

It may be inappropriate that I named this article as "Anti-DNS Pinning + Socket in FLASH" because there is no DNS Pinning ... :p

How should we name this attack vector( breaking the same origin policy based on the hostname, by changing the DNS )?]]> Kanatoko Networking Thu, 01 Feb 2007 12:54:57 -0600 http://sla.ckers.org/forum/read.php?6,4511,5361#msg-5361 http://sla.ckers.org/forum/read.php?6,4511,5361#msg-5361 rsnake Networking Tue, 16 Jan 2007 17:57:24 -0600 http://sla.ckers.org/forum/read.php?6,4511,5337#msg-5337 http://sla.ckers.org/forum/read.php?6,4511,5337#msg-5337
Application, when it is requested, checks for special cookie. If the cookie is absent, it is set with the explicit domain parameter and the browser is redirected to the app. again with additional parameter which is a hash of that cookie. If the cookie was not set successfully or is wrong, then DNS was spoofed.]]> bubenrazuma Networking Tue, 16 Jan 2007 03:59:17 -0600 http://sla.ckers.org/forum/read.php?6,4511,5336#msg-5336 http://sla.ckers.org/forum/read.php?6,4511,5336#msg-5336 bubenrazuma Networking Tue, 16 Jan 2007 03:39:28 -0600 http://sla.ckers.org/forum/read.php?6,4511,5169#msg-5169 http://sla.ckers.org/forum/read.php?6,4511,5169#msg-5169
http://www.jumperz.net/exploits/aflash.mxml.txt http://www.jumperz.net/exploits/aflash.mxml.txt]]> Kanatoko Networking Fri, 12 Jan 2007 14:15:58 -0600 http://sla.ckers.org/forum/read.php?6,4511,5166#msg-5166 http://sla.ckers.org/forum/read.php?6,4511,5166#msg-5166 rsnake Networking Fri, 12 Jan 2007 13:48:03 -0600 http://sla.ckers.org/forum/read.php?6,4511,5091#msg-5091 http://sla.ckers.org/forum/read.php?6,4511,5091#msg-5091 http://www.jumperz.net/index.php?i=2&a=3&b=3
This is about Anti-DNS Pinning + Socket in FLASH.

Please enjoy :)]]> Kanatoko Networking Thu, 11 Jan 2007 14:42:01 -0600 http://sla.ckers.org/forum/read.php?6,4511,5068#msg-5068 http://sla.ckers.org/forum/read.php?6,4511,5068#msg-5068
To make the browser refresh the DNS record, we need to...

--
Step1: wait to the DNS record ( already in the browser cache ) to expire.
Step2: make the browser access to a closed port.
--

::About Step1::
On IE and Opera, the time needed is same as the TTL value of the DNS record.
So this value can be very short.
I use 8 seconds in my demo.

On Firefox, the time needed is about 120 seconds at short.
This value ( 120 ) is regardless of the TTL value in the DNS record.
So we need to wait relatively long, to attack Firefox.


::About Step2::
There is no need to repeat this step multiple times.
Once is enough, on all browsers.
(kuza55 was right)]]> Kanatoko Networking Wed, 10 Jan 2007 23:25:44 -0600 http://sla.ckers.org/forum/read.php?6,4511,4581#msg-4581 http://sla.ckers.org/forum/read.php?6,4511,4581#msg-4581
You are right. I have tested with connectiong to port 81 only one time, and the demo works. Thanks. I'll have more tests.


jungsonn

Sorry, I meant 'JavaScript' not 'JSP(Java)'.]]> Kanatoko Networking Fri, 29 Dec 2006 12:34:07 -0600 http://sla.ckers.org/forum/read.php?6,4511,4570#msg-4570 http://sla.ckers.org/forum/read.php?6,4511,4570#msg-4570 rsnake Networking Fri, 29 Dec 2006 10:17:30 -0600 http://sla.ckers.org/forum/read.php?6,4511,4563#msg-4563 http://sla.ckers.org/forum/read.php?6,4511,4563#msg-4563
At the moment i'm hacking a fresh copy of FireFox 2 to roll my own browser with a lot of modifications, and there is alot to be done: remove caching, no history, no password saver, strip the anti phishing filter, all phone home objects to mozilla, google, standard no-script & tor build in, stripping toolbars and more features. And i also plan to build a signal to noise function in it, which runs a low process in the background imitating a causual surfer while i'm browsing myself or when i'm idle. (this to prevent traffic analysis), which is the next big thing when everything is encrypted, It's very hard to protect your self from traffic analysis. Packets can be tunneled/encrypted, but remains vulnerable to traffic analysis. If packet A is this size encrypted, it should be this size unencrypted. If packet B is this size as a request, and the response packet C is this size from a website. I can calculate what the site is you are visiting, dispite tunneling. which can be analysed by looking at the packetsizes. So signal to noise could solve that.

btw kanatoko: where do you have the source? I can't find it on your site.]]> jungsonn Networking Fri, 29 Dec 2006 05:30:56 -0600 http://sla.ckers.org/forum/read.php?6,4511,4557#msg-4557 http://sla.ckers.org/forum/read.php?6,4511,4557#msg-4557 rsnake Networking Thu, 28 Dec 2006 22:32:28 -0600 http://sla.ckers.org/forum/read.php?6,4511,4549#msg-4549 http://sla.ckers.org/forum/read.php?6,4511,4549#msg-4549 -------------------------------------------------------
> That's really interesting, Kuza55, thanks for
> sending the link... But if you had a PHP include
> vuln on that site, I'd be way more worried about
> other things like using it as a shell or as a
> robot or whatever...


Oh of course, and if you had a php include vuln ina a site you would be able to do whatever you wanted, this is more for attacking sites on shared hosting. Either because you can get an account on the machine, or you found an include vuln in a site on the smae box.]]> kuza55 Networking Thu, 28 Dec 2006 18:22:20 -0600 http://sla.ckers.org/forum/read.php?6,4511,4545#msg-4545 http://sla.ckers.org/forum/read.php?6,4511,4545#msg-4545 rsnake Networking Thu, 28 Dec 2006 17:51:56 -0600 http://sla.ckers.org/forum/read.php?6,4511,4541#msg-4541 http://sla.ckers.org/forum/read.php?6,4511,4541#msg-4541
rsnake Wrote:
-------------------------------------------------------
> Cross domain policies doesn't apply to
> ports. Poof. Great find!

Speaking of cross domain policies not applying to ports, you've probably already seen this, but just in case you haven't, this is another ineteresting way of exploiting the fact that cross domain policies disregard ports: http://blog.php-security.org/archives/62-Cross-Virtual-Host-Cookie-Theft.html]]> kuza55 Networking Thu, 28 Dec 2006 17:00:26 -0600 http://sla.ckers.org/forum/read.php?6,4511,4539#msg-4539 http://sla.ckers.org/forum/read.php?6,4511,4539#msg-4539
Technical details of the demo.
#I'm very sorry for my poor English
( I wrote URLs as 'htp://', not 'http://' to avoid auto link )

1. The user enters his private IP address ( for example, 192.168.0.1 ) and click 'start'.

2. The form executed, the browser jumps to htp://www.jumperz.net/exploits/dnsp2.jsp, with a parameter 'address=192.168.0.1'.

3. An unique string is generated ( actually a time, milliseconds like '1166986089765' ).
This string will be used as a 'one time subdomain'.
A DNS record is added to the configuration file of djbdns( http://cr.yp.to/djbdns.html ).

In this case, the line added to the configuration file will be '=1166986089765.jumperz.net:218.45.25.195:8'.
This line means:
hostname = 1166986089765.jumperz.net
ip address = 218.45.25.195
ttl = 8 seconds

4. A system command that makes djbdns reload the configuration file is executed.

5. The HTTP response is sent to the browser. This response looks like this:
---
HTTP/1.1 302 found
Location: htp://1166986089765.jumperz.net/exploits/dnsp3.jsp?address=192.168.0.1

---

6. The browser redirected to 'htp://1166986089765.jumperz.net/exploits/dnsp3.jsp?address=192.168.0.1'.
At this time, 1166986089765.jumperz.net is binded to 218.45.25.195( attackers web server ), So the browser access to 218.45.25.195.

7. dnsp3.jsp changes the DNS record and makes djbdns reload the configuration file.
In this case, a line in the djbdns configuration file is replaced as:

before:
=1166986089765.jumperz.net:218.45.25.195:8

after:
=1166986089765.jumperz.net:192.168.0.1:600

And the page that contains the malicious script is loaded to the browser.

8. The scripts starts.

9. After sleeping a few seconds, the script makes the browser to access to 'htp://1166986089765.jumperz.net:81/'.
At this time the browser try to access to 218.45.25.195.
Because the port 81 ( of 218.45.25.195 ) is closed, the request fails.
The script repeats this ( trying access to port 81 ) a few times.

10. The browser lookups DNS record.
As described at '7', at this time '1166986089765.jumperz.net' is binded to '192.168.0.1'.

11. The script makes the browser access to 'htp://1166986089765.jumperz.net/'.
The HTTP request is actually sent to 192.168.0.1.
The script can access the content of the HTTP response, because of the 'same origin policy'.
The data is set to the form element and sent to www.jumperz.net.


For more details, please see the sourse code of the dnsp3.jsp.
And if you have questions, please feel free to ask me.

Thanks]]> Kanatoko Networking Thu, 28 Dec 2006 14:43:11 -0600