
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH

Socket in FLASH

With Anti-DNS Pinning ( or DNS Rebinding, more correctly in this case ), we can break the same-origin policy.
Not only JavaScript, but also FLASH and Java Applets are affected.

FLASH has the Socket class in the new version of FLASH Player ( version 9.0 or higher, ActionScript 3.0 ).

--Quoted from the documentation--
The Socket class enables ActionScript code to make socket connections and to read and write raw binary data.
The Socket class is useful for working with servers that use binary protocols.

This is a really great function for attackers. With DNS Rebinding + Socket, an attacker can...
- Scan any IP address and any port in intranets ( and on the Internet ).
- Make the user's browser send shellcode to any host.
- Make the user's browser send spam emails.
- Use the user's browser as a proxy ( stepping stone ).
- Break any IP-address-based authentication.
- Exploit protocols other than HTTP.
... and maybe more.

You can see the DEMO.

Java Applet

Java Applets are relatively secure because the Java VM "pins" DNS by default.
Sun's engineers know about DNS spoofing attacks.
InetAddress Javadoc

--Quoted from the documentation--
The positive caching is there to guard against DNS spoofing attacks
networkaddress.cache.ttl (default: -1)
 A value of -1 indicates "cache forever".

But in some situations ( LiveConnect, or using the browser with a proxy enabled ), Java Applets are vulnerable to the Anti-DNS Pinning attack as well.

Who is wrong?

IMHO, this is a vulnerability of the DNS protocol itself.
But I think that if the browser raised an alert box when the IP address of a host has changed ( especially from a global IP address to a private IP address ), that would be some help.
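The alert proposed above ( flag a host whose address changes, especially from a global to a private address ), as an added Python example that is not code from the original article: it pins the first address seen for each host and classifies every later answer. The host names, the lookup trace and the documentation-range addresses standing in for public ones are constructed.

```python
import ipaddress

# Ranges treated as "private" for the alert: RFC 1918, loopback, link-local and
# their IPv6 counterparts. Checked explicitly rather than via is_private so the
# documentation ranges used below as stand-ins for public addresses count as global.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


class PinningResolver:
    """Records the first address seen per host (DNS pinning) and classifies
    later answers instead of silently following them."""

    def __init__(self):
        self.pins = {}

    def check(self, host, answer):
        addr = ipaddress.ip_address(answer)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = addr          # first answer: pin it
            return "pinned"
        if addr == pinned:
            return "unchanged"
        if not is_private(pinned) and is_private(addr):
            return "rebind-to-private"      # global name now points into the LAN: alert
        return "changed"                    # any other change: still worth a warning


# Constructed lookup trace, in the order a browser would see the answers.
LOOKUPS = [
    ("attacker.example", "203.0.113.10"),   # pinned
    ("attacker.example", "203.0.113.10"),   # unchanged
    ("attacker.example", "192.168.1.1"),    # rebind-to-private
    ("cdn.example", "198.51.100.7"),        # pinned
    ("cdn.example", "198.51.100.8"),        # changed (global -> global)
    ("v6.example", "2001:db8::1"),          # pinned
    ("v6.example", "fe80::1"),              # rebind-to-private (IPv6 link-local)
]


def run_trace(lookups):
    resolver = PinningResolver()
    return [(host, ans, resolver.check(host, ans)) for host, ans in lookups]


if __name__ == "__main__":
    for host, ans, verdict in run_trace(LOOKUPS):
        print(f"{host:18} {ans:16} {verdict}")
```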

Countermeasures

- Disable FLASH Player ( and the Java VM ) in the browser.
- Restrict browser access to only ports 80 and 443 using a personal firewall.
- Do not rely on IP-address-based authentication. Set passwords.
- Patch your FLASH binary file ( Flash9.ocx or NPSWF32.dll ). Replace every "Socket" string with "S0cket" using a hex editor.

Links

- Online Demonstration ( FLASH )
- Online Demonstration ( JavaScript )
- (somewhat) breaking the same-origin policy by undermining dns-pinning ( It's a shampoo world anyway )
- ActionScript 3.0 Language Reference
- Class InetAddress
- Anti DNS-pinning revisited ( It's a shampoo world anyway )


Copyright © 1998-2012 JUMPERZ.NET All Rights Reserved.