Feeds

Demo shows how web attack threatens fabric of the universe

All hail the power of DNS rebinding

The Power of One eBook: Top reasons to choose HP BladeSystem

RSA Showing how the web's underpinnings can be abused to attack assets presumed to be secure, a researcher unveiled a website that can log into a home router and change key settings, such as administrator passwords and servers used to access trusted web destinations.

Rather than creating a trojan or other piece of specialized malware to access servers or other devices behind a firewall, researcher Dan Kaminsky, a director of penetration testing firm IOActive, showed how a web browser can do much the same thing. His demo uses so-called DNS rebinding, an attack technique that uses fraudulent IP addresses to breach a network's security.

DNS rebinding can be used to subvert the same origin policy, which prevents pages or data loaded by one site from being modified by pages or data loaded by a different site. Because a single destination can have more than one IP address associated with it - and because nothing prevents one site from associating itself with anyone else's IP - DNS rebinding attacks fool a browser into letting one site tamper with a server or other resource that normally would be off limits.

"It kind of sort of breaks the entire security model of the web," Kaminsky said of the technique. "At one moment bar.com can point to server in Europe [and] the next moment it can point to a printer down the hall. We were depending on the web security model to prevent this very thing from happening."

To demonstrate the attack in action, he visited a website that opened the browser-based configuration page of a D-Link wireless router and change several key settings. Yes, we know the attack requires the device to use a weak or non-existent administrator password, but that's not the point. The same technique can also be used to tamper with firewalls, databases and other resources that are attached to an IP address. (It's worth pointing out, too, that weak or non-existent passwords are depressingly common.)

And of course, security weakness isn't the fault of a single vendor or even a handful of them. It's the collective fault of everyone who's played a hand in shaping the net over several decades. The protocols that allow a browser to find a website can also be used to sneak past a company's firewall to rifle precious resources.

DNS rebinding isn't the only way whitehat and blackhat hackers have been able to force their way into routers and other network-attached devices. Cross-site script (XSS) attacks, which allow attackers to inject malicious code into trusted web pages, have been known to do the same thing. So has Universal Plug and Play (UPnP), a feature that ethical hacking outfit GNU Citizen in January said made many home routers vulnerable to take-over simply by luring an attached computer to a booby-trapped website.

But those methods are made possible by design flaws, either in the router or in a software component, such as Adobe flash, according to Kaminsky. That means they can be fixed in a relatively short time. Indeed, Adobe today pushed out a major Flash update that Kaminsky said neutralizes the router attack using UPnP.

The update also minimizes much of the damage that could have been caused by Kaminsky's DNS rebinding attack. Previously, Kaminsky could commandeer devices using a host of protocols, including Remote Desktop, Windows file sharing, and proprietary Oracle database calls. Now, the attack is limited to devices with web interfaces.

It's a good thing Adobe has minimized the damage, because the problem itself is not easily fixed. Plenty of legitimate websites balkanize their various services across more than one IP address, making so-called DNS pinning unworkable. Eventually, he says, browser makers will be forced to build in controls, but he said that won't happen for a while.

So in the meantime, IT administrators need to consider the vulnerability carefully when deciding how to attach various devices to their network, and home users should make sure their routers have robust passwords. To that end. Open DNS, a company that provides a safer alternative to ISP-provided DNS lookup, today unveiled a new option that allows users to block suspicious responses, such as those from the outside that provide a URL with an IP address for a router or other internal device.

Beyond that, learn to live with DNS rebinding, Kaminsky said. "This bug is not going away anytime soon." ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.