Feeds

Demo shows how web attack threatens fabric of the universe

All hail the power of DNS rebinding

Next gen security for virtualised datacentres

RSA Showing how the web's underpinnings can be abused to attack assets presumed to be secure, a researcher unveiled a website that can log into a home router and change key settings, such as administrator passwords and servers used to access trusted web destinations.

Rather than creating a trojan or other piece of specialized malware to access servers or other devices behind a firewall, researcher Dan Kaminsky, a director of penetration testing firm IOActive, showed how a web browser can do much the same thing. His demo uses so-called DNS rebinding, an attack technique that uses fraudulent IP addresses to breach a network's security.

DNS rebinding can be used to subvert the same origin policy, which prevents pages or data loaded by one site from being modified by pages or data loaded by a different site. Because a single destination can have more than one IP address associated with it - and because nothing prevents one site from associating itself with anyone else's IP - DNS rebinding attacks fool a browser into letting one site tamper with a server or other resource that normally would be off limits.

"It kind of sort of breaks the entire security model of the web," Kaminsky said of the technique. "At one moment bar.com can point to server in Europe [and] the next moment it can point to a printer down the hall. We were depending on the web security model to prevent this very thing from happening."

To demonstrate the attack in action, he visited a website that opened the browser-based configuration page of a D-Link wireless router and change several key settings. Yes, we know the attack requires the device to use a weak or non-existent administrator password, but that's not the point. The same technique can also be used to tamper with firewalls, databases and other resources that are attached to an IP address. (It's worth pointing out, too, that weak or non-existent passwords are depressingly common.)

And of course, security weakness isn't the fault of a single vendor or even a handful of them. It's the collective fault of everyone who's played a hand in shaping the net over several decades. The protocols that allow a browser to find a website can also be used to sneak past a company's firewall to rifle precious resources.

DNS rebinding isn't the only way whitehat and blackhat hackers have been able to force their way into routers and other network-attached devices. Cross-site script (XSS) attacks, which allow attackers to inject malicious code into trusted web pages, have been known to do the same thing. So has Universal Plug and Play (UPnP), a feature that ethical hacking outfit GNU Citizen in January said made many home routers vulnerable to take-over simply by luring an attached computer to a booby-trapped website.

But those methods are made possible by design flaws, either in the router or in a software component, such as Adobe flash, according to Kaminsky. That means they can be fixed in a relatively short time. Indeed, Adobe today pushed out a major Flash update that Kaminsky said neutralizes the router attack using UPnP.

The update also minimizes much of the damage that could have been caused by Kaminsky's DNS rebinding attack. Previously, Kaminsky could commandeer devices using a host of protocols, including Remote Desktop, Windows file sharing, and proprietary Oracle database calls. Now, the attack is limited to devices with web interfaces.

It's a good thing Adobe has minimized the damage, because the problem itself is not easily fixed. Plenty of legitimate websites balkanize their various services across more than one IP address, making so-called DNS pinning unworkable. Eventually, he says, browser makers will be forced to build in controls, but he said that won't happen for a while.

So in the meantime, IT administrators need to consider the vulnerability carefully when deciding how to attach various devices to their network, and home users should make sure their routers have robust passwords. To that end. Open DNS, a company that provides a safer alternative to ISP-provided DNS lookup, today unveiled a new option that allows users to block suspicious responses, such as those from the outside that provide a URL with an IP address for a router or other internal device.

Beyond that, learn to live with DNS rebinding, Kaminsky said. "This bug is not going away anytime soon." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.