Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH


Socket in FLASH


With Anti-DNS Pinning ( or DNS Rebinding, which is the more accurate term in this case ), an attacker can break the same-origin policy.
Not only JavaScript but also FLASH and Java Applets are affected.

The new FLASH Player ( version 9.0 or higher, ActionScript 3.0 ) provides the Socket class.

--Quoted from the documentation--
The Socket class enables ActionScript code to make socket connections and to read and write raw binary data.
The Socket class is useful for working with servers that use binary protocols.
----

This is a really great function for attackers. With DNS Rebinding + Socket, an attacker can...
- Scan any IP address and any port in an intranet ( and on the Internet ).
- Make the user's browser send shellcode to any host.
- Make the user's browser send spam e-mail.
- Use the user's browser as a proxy ( stepping stone ).
- Break any IP-address-based authentication.
- Exploit protocols other than HTTP.
... and maybe more.

You can see the online DEMO ( linked below ).



Java Applet


Java Applet is relatively secure because the Java VM "pins" DNS by default.
Sun's engineers know about the DNS spoofing attack; see the InetAddress Javadoc:

--Quoted from the documentation--
The positive caching is there to guard against DNS spoofing attacks
...
networkaddress.cache.ttl (default: -1)
 A value of -1 indicates "cache forever".
----

But in some situations ( LiveConnect, or using the browser with a proxy enabled ), Java Applet is vulnerable to the Anti-DNS Pinning attack as well.


Who is wrong?


IMHO, this is a vulnerability of the DNS protocol itself.
But I think that if the browser raised an alert box when the IP address of a host has changed ( especially from a global IP address to a private IP address ), that would be of some help.
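The two defensive behaviours described on this page, the Java VM's "cache forever" DNS pinning quoted above and the browser alert proposed here for a host whose address moves from a global to a private range, can be modelled side by side. The following is an added example written for this page, not code from the article or from JUMPERZ.NET; the hostnames, addresses and TTLs are constructed, the list of internal ranges is an assumption (RFC 1918, loopback and link-local, plus their IPv6 equivalents), and nothing is resolved over the network.

```python
"""Two defender-side checks against DNS rebinding, replayed over constructed
DNS answers (added example, not code from the original article).

  1. Java-style DNS pinning: the first address learned for a host is kept for
     the life of the process (networkaddress.cache.ttl = -1), so a later
     rebinding answer never takes effect, however short its TTL.
  2. The alert proposed in the text: flag any host whose address moves from
     the Internet into a private (intranet) range.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Ranges an intranet-facing check treats as internal (assumed list).
# Documentation ranges such as 203.0.113.0/24 are deliberately NOT listed,
# so they stand in for ordinary public Internet addresses in this example.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed answer sequence: (hostname, address, ttl_seconds) in the order a
# stub resolver would receive them. The first host rebinds from a public
# address to the intranet after a 1-second TTL; the second merely fails over
# between two public addresses, which must not raise an alert.
CONSTRUCTED_ANSWERS = [
    ("attacker.example", "203.0.113.10", 1),
    ("attacker.example", "192.168.1.1", 1),
    ("cdn.example", "198.51.100.7", 300),
    ("cdn.example", "198.51.100.8", 300),
]


def is_internal(addr: str) -> bool:
    """True if addr falls in a range an intranet host would occupy."""
    ip = ipaddress.ip_address(addr)
    # Mixed-version membership tests simply evaluate to False.
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify_change(old: str, new: str) -> str:
    """Describe an address change for one hostname, e.g. 'public->internal'."""
    if old == new:
        return "same"

    def side(a: str) -> str:
        return "internal" if is_internal(a) else "public"

    return f"{side(old)}->{side(new)}"


def pin_and_alert(
    answers: Iterable[Tuple[str, str, int]],
) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Replay answers through a pinning cache.

    Returns (pinned, alerts):
      pinned - host -> the address actually used for connections. With
               cache-forever semantics this is always the first one seen,
               regardless of TTL, which is what defeats the rebinding.
      alerts - (host, old, new) for every public->internal change, i.e. the
               condition the author says a browser should warn about.
    """
    pinned: Dict[str, str] = {}
    alerts: List[Tuple[str, str, str]] = []
    for host, addr, _ttl in answers:
        if host not in pinned:
            pinned[host] = addr
            continue
        if classify_change(pinned[host], addr) == "public->internal":
            alerts.append((host, pinned[host], addr))
        # A non-pinning resolver would honour the short TTL and switch to
        # addr here; the pinned entry is deliberately left unchanged.
    return pinned, alerts


if __name__ == "__main__":
    pinned, alerts = pin_and_alert(CONSTRUCTED_ANSWERS)
    for host, addr in pinned.items():
        print(f"{host:20} pinned to {addr}")
    for host, old, new in alerts:
        print(f"ALERT {host}: {old} -> {new} (Internet -> intranet)")
```

Run as a script, the pinned table shows `attacker.example` still bound to its first, public address while the alert list records the attempted move to 192.168.1.1; the public-to-public change for `cdn.example` produces no alert. The same `is_internal` test is what a resolver-side filter would apply to reject answers that map an Internet name onto an intranet address.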


Countermeasures


- Disable FLASH Player ( and the Java VM ) in the browser.
- Restrict the browser's access to ports 80 and 443 only, using a personal firewall.
- Do not use IP-address-based authentication. Set passwords.
- Patch your FLASH binary file ( Flash9.ocx or NPSWF32.dll ): replace every "Socket" with "S0cket" using a hex editor.


Links


SLA.CKERS
Online Demonstration ( FLASH )
Online Demonstration ( JavaScript )
(somewhat) breaking the same-origin policy by undermining dns-pinning ( It's a shampoo world anyway )
ActionScript 3.0 Language Reference
java.net Class InetAddress
Anti DNS-pinning revisited ( It's a shampoo world anyway )
ha.ckers.org
pilorz
ferruh.mavituna
alt.mylife





Contact: Kanatoko ( twitter: @kinyuka )

Copyright © 1998-2012 JUMPERZ.NET All Rights Reserved.