Widespread, decade-old vulnerability opens gate through firewalls


Network administrators beware: A quirk of the Web's addressing and name system can be turned with little difficulty into a way for attackers to tunnel behind firewalls, piggybacking on surfer's Web browsers.

So warns IOactive Director of Penetration Testing Services Dan Kaminsky, a brilliant hacker with the manic charisma of a stand-up comedian, whose "Black Ops" series of talks are inevitably a centerpiece of Black Hat and Chaos Computer Club conferences.

Speaking at this year's Chaos Communication Camp (and echoing talks given several times over the past few weeks), he focused on a vulnerability in Web browsers and common applications such as Flash, newly discovered, but drawing on a problem first outlined by Princeton researchers in 1996.

"This is a problem so old, people forgot and have started building it back in," Kaminsky said.

In a nutshell: Web browsers are built so they can run pieces of several different Web pages at once, in separate frames. These frames aren't supposed to communicate if they're served by different domain names, however. In theory, this keeps spyonu.com from running a hotmail.com frame in the middle of its Web page, and thus reading all its visitors' emails, for example.

This so-called "Same Origin" feature has a gigantic loophole, however: It monitors only domain names, not the IP addresses that underlie them. Many big Web sites are served from a variety of servers, for load balancing and other technical reasons, and so in fact construct a single page from a number of IP addresses.

Using a trick called DNS rebinding, Kaminsky and others have shown that it is feasible to trick Web browsers running active plugins such as Java and Flash into calling several different IP addresses while thinking that they are all connected to the same domain name. If one of those IP addresses is an internal network address, say, a resource behind a firewall on a corporate network, the attacker setting up the Web page can gain access to internal resources by piggybacking in through the confused Web browser.
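The following added example (not from the article, Kaminsky, or the Stanford group) models the two defences that follow from the mechanism above: a resolver-side filter that refuses to let an outside name resolve to an internal address, and a browser-side "pin" that remembers the first IP a hostname resolved to. The hostname attacker.example, the zone corp.example and the addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable

# Address ranges an outside name should never resolve to for a browser
# sitting inside the network: RFC 1918, loopback, link-local (constructed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the internal ranges (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_answer(name: str, addrs: Iterable[str],
                  trusted_zones: tuple = ("corp.example",)) -> list:
    """Resolver-side defence: drop records that point an external name at an
    internal address. Names under the organisation's own zones are exempt."""
    host = name.rstrip(".").lower()
    if any(host == z or host.endswith("." + z) for z in trusted_zones):
        return list(addrs)
    return [a for a in addrs if not is_internal(a)]


class PinnedOrigin:
    """Browser-side defence (DNS pinning): the first IP a hostname resolves to
    is remembered, and a later connection to the same name at a different IP
    is refused, regardless of the record's TTL."""

    def __init__(self):
        self._pins = {}

    def connect(self, host: str, resolved_ip: str) -> bool:
        pinned = self._pins.setdefault(host.lower(), resolved_ip)
        return pinned == resolved_ip


def simulate_rebinding(origin: PinnedOrigin, host: str, answers: list) -> list:
    """Replay the sequence the article describes: the attacker's name first
    resolves to the attacker's server, then to an address behind the firewall.
    Returns, per lookup, whether the pinned browser would allow the connection."""
    return [origin.connect(host, ip) for ip in answers]
```

Pinning only protects the component that does the pinning; a plugin that performs its own DNS lookups, as the article notes Flash and Java can, is why the resolver-side filter is worth having as well.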

A group of students and professors at Stanford demonstrated the danger of this attack a few weeks ago, buying a Flash ad on a small advertising network for less than $100, and finding more than 30,000 vulnerable computers in the course of three days.

The upshot? Using the Stanford method, or several tools like the ones that Kaminsky developed himself for his tests (he says he's found several different ways to perform the rebinding trick), malicious hackers could steal information from behind a corporate firewall, run applications through the remote browsers, or force firewall-protected computers to become spam-sending robots.

Does this make Flash and Java, and the basic Web browser wholly unsafe to use? The vulnerability is certainly widespread, and the Stanford group has suggested a range of updates to firewalls and plugins that might be helpful.

Kaminsky is less sanguine, at least in the short term. "If you don't want to send spam," he said, "don't go to the Web."