Reading about DNS rebinding attacks on Slashdot made me curious, and those grey cells urged me to find out more, since several web and mail servers under my supervision are working fine now and I of course don't want anything bad to happen to my babies in the future.
Query dancing on ChaCha reveals a lot of info on DNS rebinding attacks and how they work, which can be seen here, and here... and here too. You can download the white paper describing the attack in detail. But the easiest explanation can be found at Christian Matthias' blog. Basically, this attack gets around the browser's DNS pinning (hence "anti-DNS pinning") to steal information. In short,
"When someone requests a Web site such as www.example.com, the browser needs to perform a DNS lookup on that domain to get the associated numerical address (IP) of the server that hosts the Web site in question. In the next step, the browser sends a query to that IP that moreover contains the domain, a specific Web page and other variables to be able to ultimately retrieve the requested data." More information and examples can be found on Mr Matthias' blog.
Although the concept looks simple, an attacker will still have a hard time implementing it. As Mike Malone says,
"Though the concept is fairly simple, we agreed that it would be difficult to perform this sort of attack in practice. An attacker would need to have intimate knowledge of the victim's internal network, or rely on Flash or other web technologies to perform a network scan. Moreover, an attack would end as soon as the victim closed their web browser." In short, get secure or your preferred unsecured browser will betray you silently.
Enough devouring explanations; curiosity then moved me on to this site here at jumperz.com, to check whether the exploit works against my servers, and against this host too. The site sends data from your private IP to www.jumperz.net to demonstrate how easy it is to steal information with an anti-DNS pinning attack. For the moment, I only targeted localhost, a web server and a mail server under my own supervision.
Entering 127.0.0.1 into the box produced a failed attempt, as shown below:
http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1
Please wait for 120 seconds.
f1()
ERROR: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIXMLHttpRequest.send]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1 :: f2 :: line 50" data: no]
ERROR:
ERROR: 0
(This differs from the result of visiting the DNS rebinding site, which shows the "We have detected that your browser is vulnerable to efficient DNS rebinding attacks" message.)
Exploiting the mail server also failed, because of the HTTPS requirement on that port (the server answers plain HTTP with a 400):
http://1286451923437.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.24.219<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You\'re speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href=\"https://mail.gov.my/\"><b>https://mail.gov.my/</b></a></blockquote></p>
</body></html>
And the most interesting result comes from my web server, with a successful attempt (?); part of the returned page is shown below:
http://1184918537.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.35.208<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<!--[if gte IE 5.5000]>
<script language=\"JavaScript\">
function correctPNG()
{ for(var i=0; i<document.images.length; i++)
{ var img = document.images[i]
var imgName = img.src.toUpperCase()
if (imgName.substring(imgName.length-3, imgName.length) == \"PNG\")
{ var imgID = (img.id) ? \"id=\'\" + img.id + \"\' \" : \"\"
var imgClass = (img.className) ? \"class=\'\" + img.className + \"\' \" : \"\"
var imgTitle = (img.title) ? \"title=\'\" + img.title + \"\' \" : \"title=\'\" + img.alt + \"\' \"
var imgStyle = \"display:inline-block;\" + img.style.cssText
if (img.align == \"left\") imgStyle = \"float:left;\" + imgStyle
if (img.align == \"right\") imgStyle = \"float:right;\" + imgStyle
if (img.parentElement.href) imgStyle = \"cursor:hand;\" + imgStyle
var strNewHTML = \"<span \" + imgID + imgClass + imgTitle
+ \" style=\\\"\" + \"width:\" + img.width + \"px; height:\" + img.height + \"px;\" + imgStyle + \";\"
+ \"filter:progid:DXImageTransform.Microsoft.AlphaImageLoader\"
+ \"(src=\\\'\" + img.src + \"\\\', sizingMethod=\'scale\');\\\"></span>\"
img.outerHTML = strNewHTML
i = i-1
}}}
window.attachEvent(\"onload\", correctPNG);
</script>
<![endif]-->
<title>My Client Website</title>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />
<link href=\"http://www.gov.my/templates/jo_june/css/template_css.css\" rel=\"stylesheet\" type=\"text/css\" />
<link rel=\"shortcut icon\" href=\"http://www.gov.my/templates/jo_june/images/favicon.ico\" />
<link rel=\"shortcut icon\" href=\"http://www.gov.my/images/icon.gif\" /><script type=\"text/javascript\" language=\"javascript\" src=\"http://www.gov.my/templates/jo_june/javascript.js\"></script>
</head><body><div align=\"center\">
<table width=\"820\" height=\"120\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" >
<tr>
<td height=\"96\" valign=\"top\"><table width=\"856\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">
<tr>
<th width=\"820\" height=\"80\" align=\"left\" valign=\"middle\" scope=\"col\" class=\"header\">
<table width=\"856\" height=\"175\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">
<tr>
<th scope=\"col\"><div align=\"left\"></div></th>
<th scope=\"col\"><div align=\"right\"> </div></th></tr></table>
</th></tr><tr>
<th width=\"820\" height=\"40\" align=\"left\" valign=\"bottom\" scope=\"row\" class=\"path\"><table width=\"856\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">
<tr>
<th width=\"320\" align=\"left\" valign=\"middle\" scope=\"col\"><span class=\"pathway\">Laman Utama </span></th>
<th width=\"500\" align=\"left\" valign=\"bottom\" scope=\"col\">
<script type=\"text/javascript\">
one = function() {
var sfEls = document.getElementById(\"top_menu\").getElementsByTagName(\"li\");
for (var i=0; i<sfEls.length; i++) {
sfEls[i].onmouseover=function() {
this.className+=\"one\" }
sfEls[i].onmouseout=function() {
this.className=this.className.replace(new RegExp(\"one\\\\b\"), \"\"); } } }
if (window.attachEvent) window.attachEvent(\"onload\", one);
</script>
<div id=\"top_menu\"><ul id=\"mainlevel-nav\"><li><a href=\"http://www.gov.my/index.php?option=com_contact&Itemid=3\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=20&Itemid=31\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php?option=com_content&task=section&id=1&Itemid=2\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php\" class=\"mainlevel-nav\" >Content</a></li></ul></div></th>
</tr></table></th></tr></table></td></tr></table>
<table width=\"856\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" bordercolor=\"#000000\" bgcolor=\"#FFFFFF\">
<tr><td><table width=\"856\" border=\"0\" cellspacing=\"2\" cellpadding=\"0\">
<tr><td width=\"160\" align=\"left\" valign=\"top\"><table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\">
<tr><th valign=\"top\">
Content</th></tr><tr><td>
<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_frontpage&Itemid=1\" class=\"mainlevel\" id=\"active_menu\">Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=20&Itemid=31\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=16&Itemid=26\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=section&id=1&Itemid=2\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=category§ionid=3&id=7&Itemid=25\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_search&Itemid=5\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_weblinks&Itemid=23\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_contact&Itemid=3\" class=\"mainlevel\" >Content</a></td></tr>
</table> </td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr><td>
<a href=\"index.php?option=com_content&task=view&id=18&Itemid=29\"><img src=\"images/stories/picture.jpg\" border=\"0\" alt=\"messages\" width=\"150\" height=\"65\" /></a>
</td></tr></table><table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\">
<tr><td>
<a href=\"https://mail.gov.my/login.php\"><img src=\"images/stories/mail.jpg\" border=\"0\" alt=\"
" width=\"150\" height=\"80\" /></a> </td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr><th valign=\"top\">
Content</th></tr><tr><td>
<a href=\"http://link.gov.my/default.asp\" target=\"_blank\"><div style=\"text-align: center\"><img src=\"images/images/logo.jpg\" border=\"0\" alt=\"Name\" width=\"96\" height=\"115\" /></div></a>
</td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr>
<th valign=\"top\">Content</th></tr><tr><td>
<div class=\"syndicate\"><div align=\"center\">
<a href=\"http://www.gov.my/index.php?option=com_rss&feed=RSS0.91&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/rss091.gif\" alt=\"RSS 0.91\" name=\"RSS091\" align=\"middle\" border=\"0\" /></a>
</div><div align=\"center\">
<a href=\"http://www.gov.my/index.php?option=com_rss&feed=RSS1.0&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/rss10.gif\" alt=\"RSS 1.0\" name=\"RSS10\" align=\"middle\" border=\"0\" /></a>
</div><div align=\"center\">
<div align=\"center\"><a href=\"http://www.gov.my/index.php?option=com_rss&feed=OPML&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/opml.png\" alt=\"OPML\" name=\"OPML\" align=\"middle\" border=\"0\" /></a>
</div></div> </td></tr></table>
So the question now is, how am I gonna fix it?
More from Mike,
"Nevertheless, a vulnerability clearly exists, and it could be difficult to resolve. Many web sites rely on round robin DNS configurations for load distribution. Since round robin configurations may legitimately return different IP addresses for the same host name, distinguishing malicious DNS rebinding attacks from round robin configurations will be difficult, if not impossible to do." Does that mean my web server is in deep shit?
Several options can be found by searching the Vah Vah Vah network. Disabling JavaScript would be a pain in the ass. The NoScript Firefox extension can help, if not a lot then a little. Another extension some people recommend is the LocalRodeo extension, which can reduce the chance of some browsers being exploited for the time being, while waiting for a better, finalized solution. Changing the current DNS nameserver to OpenDNS can help too, but obviously not with this kind of problem. Restricting external access to port 80 with a firewall is also a good precaution. But then, nobody surfs the Internet with a browser installed on the targeted web server as far as I know, which makes the exploit much harder to pull off. Will that make my web server secure?
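Whatever the visitor's browser does, there is a check the web server itself can make. The rebinding request reaches the server by IP but carries the attacker's host name (1186491925437.jumperz.net in the test above) in the HTTP Host header, and the dump above shows the server answered it with the site's own page anyway. A server that answers only for its configured names, and treats a bare IP literal in Host the same way, turns that request into a 400 like the one the mail server gave. The Python below is an added illustration of that check written for this post, not the server's code and not part of anything from jumperz.net; www.example.com, the allow-list and the sample requests are constructed.

```python
import ipaddress

# Names this server is willing to answer for. Constructed for this example;
# in Apache terms these are the ServerName/ServerAlias values of the real vhost.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def normalize_host(host_header):
    """Return the bare host from a Host header (port stripped, lower-cased,
    trailing dot removed), or None if the header is missing or malformed.
    Bracketed IPv6 literals such as [::1]:8080 are handled."""
    if host_header is None:
        return None
    host = host_header.strip()
    if not host:
        return None
    if host.startswith("["):                     # [ipv6]:port
        end = host.find("]")
        if end == -1:
            return None
        bare, rest = host[1:end], host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return bare.lower()
    if host.count(":") == 1:                     # name:port
        name, port = host.split(":")
        if not port.isdigit():
            return None
        host = name
    elif host.count(":") > 1:                    # unbracketed IPv6: malformed
        return None
    return host.lower().rstrip(".")


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the request was addressed to one of our own names.

    A rebinding request carries the attacker's name in Host, so it fails here.
    An IP literal fails too: a browser following a link to our site always
    sends our name, so add the IP to `allowed` only if you really want it."""
    host = normalize_host(host_header)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False                             # IP literal, never a name of ours
    except ValueError:
        pass
    return host in allowed


def handle_request(headers):
    """Minimal dispatch: 400 for a foreign or missing Host, 200 otherwise.
    `headers` is a dict of already-parsed request headers."""
    if not host_allowed(headers.get("Host")):
        return 400, "Bad Request"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample requests: a real visitor, and the request a rebinding
    # page produces (it reached our IP, but Host names the attacker's domain).
    print(handle_request({"Host": "www.example.com"}))
    print(handle_request({"Host": "1186491925437.jumperz.net"}))
    print(handle_request({"Host": "127.0.0.1"}))
```

In Apache the same effect comes from a catch-all default VirtualHost that returns an error, listed ahead of the real one, so that a request with an unknown Host never lands on the site by accident; the point of the function above is only to make the rule itself explicit.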
Continued in the next part, cos it's 04:20 a.m. Time to sleep. Tomorrow I need to build a printer and file server (Samba) plus some print-charging software (GPL of course!) as part of a charity project for an elementary school that I am working on in my free time.
Update! (15th August, 15:19): www.jumperz.net has released an intrusion prevention tool for HTTP/HTTPS.
More information can be found here. You will need JDK 1.4.
I don't have time to test it yet, but soon enough maybe.