Disrupting the Norm with Supernatural Shenanigans
Nick Freeman a.k.a. vt
Kiwicon 7
Twitter: @0x7674 Email: [email protected]
about:me
I am Nick Freeman, or vt
I hack, research and drink lots of coffee at SA.com.
I also head up the Auckland chapter of OWASP.
Stuff: I like it.
If you like this stuff, talk to me later! (bring beer)
Data is stored in bits.
One-bit message
Result of one-bit failure
Hardware Errors: Old News
Vacuum tubes in early computers would fail. A lot.
ENIAC initially had multiple failures a day.
After higher-reliability tubes were available - one every two days.
Longest contiguous operating period was 116 hours.
Hardware Errors: Bad News
NORAD Missile Early Warning System – IC failure
Sent a status message regularly: 000 MISSILES LAUNCHED
This one time, a chip got confused: 200 MISSILES LAUNCHED
Activate RESTON 5, 3AM phone calls to the president, etc
Soft Errors
AKA Bit Flips in Memory
1 -> 0, 0 -> 1
Became widely known when DRAM showed up in the 70s.
The Good: ECC (Error Correcting Code) memory helps
The Bad: Not everyone uses ECC memory
The Ugly: It can get worse as smaller chip geometries are used
Recent studies suggest 0.2-1 flip per 1GB RAM, per day.
Example 1-bit Exploitation
Attacks Against Microcontrollers
Ross Anderson, 1996:
“Physical attacks on some microcontrollers are almost trivial. For example, the lock bit of several devices with on-chip EPROM can be erased by focusing UV light on the security lock cell, which is located sufficiently far from the rest of memory.”
He and his fellow researchers also successfully attacked microcontrollers by fluctuating power.
Example 1-bit Exploitation
An Experimental Study of Security Vulnerabilities Caused by Errors
(Xu & Chen & Kalbarczyk & Iyer, 2001)
“…single-bit control flow errors in the authentication sections of targeted applications can result in significant security vulnerabilities.”
These dudes targeted an FTPd and SSH Server.
“The results show that out of all activated errors (a) 1-2% compromised system security (create a permanent window of vulnerability), (b) 43-62% resulted in crash failures (about 8.5% of these errors create a transient window of vulnerability)”
Causes
They vary.
Cause #1: Heat
Cause #2: Power Fluctuations
Cause #3: Faulty Equipment
Cause #4: Cosmic Rays
Cause #5: Aliens?
Disrupting the Norm with Supernatural Shenanigans
Yes, I'm talking about DNS bitsquatting.
Before I tell you my story, a quick recap..
Domain Name System (DNS)
How DNS Works (real simple like)
User PC asks ISP NS for A? WWW.ABC.COM
1. ISP NS asks ROOT-SERVERS (if not cached) for A? WWW.ABC.COM. Response tells ISP NS to ask GTLD-SERVERS.
2. ISP NS asks GTLD-SERVERS A? WWW.ABC.COM. Response tells ISP NS to ask ABC.COM's NS.
3. ISP NS asks ABC.COM's NS A? WWW.ABC.COM. Response contains A record for WWW.ABC.COM, ISP NS caches response, delivers answer to user.
4. End user has IP for WWW.ABC.COM, can now see pictures of cats.
Bit Flip Error
1 -> 0
0 -> 1
WWW.ABC.COM -> WWW.ABB.COM
C = 0 1 0 0 0 0 1 1
B = 0 1 0 0 0 0 1 0
If attacker owns ABB.COM, they win
Where Bit-flips Happen
Where Bit-flips Happen (1)
A user's computer mangles..
A cached DNS record
Some HTML
An HTTP req/resp
Where Bit-flips Happen (2)
A recursive NS mangles..
A cached DNS record
.. that's about it.
Where Bit-flips Happen (3,4,5)
An authoritative (ROOT, TLD or 2LD NS) mangles..
A DNS record
.. that's about it.
This is unlikely for the ROOT and TLD servers (ECC memory, woo)
Where Bit-flips Happen (6)
A web server mangles..
An HTTP req/resp
Static HTML being served
Data in memory
Could be sources in <script>, <img> tags, etc.
Research To Date
Most research to date has focused on two attack vectors:
End user device/app
Web / app server
DNS Bitsquatting - Dinaburg
Artem Dinaburg (Raytheon, 2011) @ BH & DEFCON.
Received plenty of Farmville data, as well as DRWATSON outputs and other fun stuff.
Average of 59 hits a day, couple of freak events causing up to 3000 hits a day.
Strong focus on domains with multiple bit-flip vectors.
Artem's Registered Domains
ikamai.net doublechick.net 2-dn.net
microsmft.com do5bleclick.net 2edn.net
micrgsoft.com doubleslick.net 2ldn.net
miarosoft.com li6e.com 2mfn.net
iicrosoft.com fbbdn.net 2mln.net
microsnft.com fbgdn.net 2odn.net
mhcrosoft.com gbcdn.net 6mdn.net
eicrosoft.com fjcdn.net 0mdn.net
mic2osoft.com dbcdn.net aeazon.com
micro3oft.com roop-servers.net a-azon.com
gmaml.com amazgn.com
DNS Bitsquatting - Dinaburg
Artem: “In 96% of the cases, the bit-error had occurred prior to DNS resolution.”
That is:
96% of flips occurred in end user devices.
The other 4% happened.. where exactly?
DNS Bit Flips - VeriSign
Duane Wessels (VeriSign, 2012) hunted for the other 4%.
Captured 24 hours of DNS traffic from 5 VeriSign sites – focus on bit flips in transit.
13,031,158,230 QUERIES.
Bit-flip error rate was found to be what was expected.
“We believe that UDP checksums are effective at preventing 'bitsquat' attacks and other types of errors that occur after a DNS query leaves a DNS resolver and enters the network.”
DNS Bit Flips – Trogs
At Kiwicon 6, Trogs talked about TradeMe bitflips
Configured DNS server and web server to return answers
for trademe.co.nz as well as his flipped domains
Reasonable bit flip hit rate – enough to illustrate the issue:
154 unique hosts hit
Over 3000 unique hits
DNS Hazards - Stucke
Robert Stucke (2013) did a follow-up on Artem's work. He registered flips for gstatic.com and psmtp.com.
Gstatic – Serves static content for Google services
Requests to gstatic.com include referer headers, disclosing people's search habits
Postini (PSMTP) – Mail provider, now owned by GOOG.
Could result in MiTM of mail for Mozilla, seattle.gov, Deloitte DK, KPMG HK, and more..
DNS Bit Flips – Schultz
Jaeson Schultz (Cisco, 2013) introduced some new bitsquat attack vectors not covered by Artem.
Original Character | Flipped Character | Example Flipped Domain
n | . | wi.dowsupdate.com
o | / | http://ecampus.ph/enix.edu
c | # | http://cgportal2.us#g.mil
DNS Bit Flips – Schultz
gTLD (com, net, org) and ccTLD (nz, au, uk) flips
Hadn't been discussed previously. Examples used:
kremlin.ru -> kremlin.re (Reunion Islands)
europa.eu -> europa.mu (Mauritius)
Also discussed danger of .tk taking .uk domains
Introduced some new potential mitigations.
DNS Bit Flips – My Research
Most prior art had focus on multi-vector bit flips
DNS
HTTP (server / requests / responses)
End-user devices (Phones/PCs etc)
End-user applications (e.g. browser)
6 months after Artem's talk, I shared an idea with #SA
Why not think bigger?
My Registered Domains
ETLD-SERVERS.NET FTLD-SERVERS.NET G4LD-SERVERS.NET GDLD-SERVERS.NET GPLD-SERVERS.NET
GTDD-SERVERS.NET GTHD-SERVERS.NET GTLD-3ERVERS.NET GTLD-CERVERS.NET GTLD-QERVERS.NET
GTLD-RERVERS.NET GTLD-SARVERS.NET GTLD-SDRVERS.NET GTLD-SE2VERS.NET GTLD-SEBVERS.NET
GTLD-SEPVERS.NET GTLD-SER6ERS.NET GTLD-SERFERS.NET GTLD-SERRERS.NET GTLD-SERTERS.NET
GTLD-SERVARS.NET GTLD-SERVDRS.NET GTLD-SERVE2S.NET GTLD-SERVEBS.NET GTLD-SERVEPS.NET
GTLD-SERVER3.NET GTLD-SERVERC.NET GTLD-SERVERQ.NET GTLD-SERVERR.NET GTLD-SERVERW.NET
GTLD-SERVESS.NET GTLD-SERVEVS.NET GTLD-SERVEZS.NET GTLD-SERVGRS.NET GTLD-SERVMRS.NET
GTLD-SERVURS.NET GTLD-SERWERS.NET GTLD-SESVERS.NET GTLD-SEVVERS.NET GTLD-SEZVERS.NET
GTLD-SGRVERS.NET GTLD-SMRVERS.NET GTLD-SURVERS.NET GTLD-WERVERS.NET GTLDMSERVERS.NET
GTLE-SERVERS.NET GTLF-SERVERS.NET GTLL-SERVERS.NET GTLT-SERVERS.NET GTMD-SERVERS.NET
GTND-SERVERS.NET GULD-SERVERS.NET GVLD-SERVERS.NET WTLD-SERVERS.NET
RKOT-SERVERS.NET RMOT-SERVERS.NET RNOT-SERVERS.NET ROGT-SERVERS.NET ROKT-SERVERS.NET
ROMT-SERVERS.NET RONT-SERVERS.NET ROO4-SERVERS.NET ROOP-SERVERS.NET ROOT-3ERVERS.NET
ROOT-QERVERS.NET ROOT-RERVERS.NET ROOT-SARVERS.NET ROOT-SDRVERS.NET ROOT-SE2VERS.NET
ROOT-SEBVERS.NET ROOT-SEPVERS.NET ROOT-SER6ERS.NET ROOT-SERFERS.NET ROOT-SERRERS.NET
ROOT-SERTERS.NET ROOT-SERVARS.NET ROOT-SERVDRS.NET ROOT-SERVE2S.NET ROOT-SERVEBS.NET
ROOT-SERVEPS.NET ROOT-SERVER3.NET ROOT-SERVERC.NET ROOT-SERVERQ.NET ROOT-SERVERR.NET
ROOT-SERVERW.NET ROOT-SERVEVS.NET ROOT-SERVEZS.NET ROOT-SERVGRS.NET ROOT-SERVMRS.NET
ROOT-SERVURS.NET ROOT-SERWERS.NET ROOT-SESVERS.NET ROOT-SEVVERS.NET ROOT-SEZVERS.NET
ROOT-SGRVERS.NET ROOT-SMRVERS.NET ROOT-WERVERS.NET ROOTMSERVERS.NET ROOU-SERVERS.NET
ROOV-SERVERS.NET
GTLD-SERVERS.NET
ROOT-SERVERS.NET
How is my research different?
I only get hits from errors in DNS servers.
My victims are resolvers, not end users or single servers
Targeting DNS infrastructure itself, not single domains.
I can eventually control ALL domains
I'll get fewer 'hits' than prior research.
But hits I get affect entire organisations, not 1 user..
VICTIMS
Exploitation
1. Recursive DNS server experiences a bit flip, thinks I am the ROOT (or GTLD)
2. WWW.ABC.COM expires in DNS cache
3. User Zero requests WWW.ABC.COM
4. Affected DNS server asks me for WWW.ABC.COM
5. I can respond with whatever I want.
6. The affected DNS server will send my response to User Zero and all future users while the response is cached.
x 1000s, millions?
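For whoever runs a recursive resolver, the thing to watch for is step 4: the resolver sending queries to a name that is one bit away from ROOT-SERVERS.NET or GTLD-SERVERS.NET, which is exactly what a flipped cached NS record looks like from the outside. The following is an added example, not from the talk and not one of the author's daemons: it scans a constructed outbound-query log and flags any nameserver whose parent zone sits at a bit distance of exactly one from the canonical zones. The log format, the sample lines and the function names are all assumptions made for the example.

```python
# Constructed sample of a resolver's outbound-query log. This is not a real
# log format: each line is "<timestamp> <qname> <nameserver the resolver asked>".
SAMPLE_LOG = """\
2013-11-07T03:14:01Z www.abc.com a.root-servers.net
2013-11-07T03:14:02Z www.abc.com a.gtld-servers.net
2013-11-07T03:14:03Z www.abc.com a.root-3ervers.net
2013-11-07T03:14:04Z wpad a.gtldmservers.net
2013-11-07T03:14:05Z www.example.org b.gtld-servers.net
2013-11-07T03:14:06Z www.example.org ns1.example.org
"""

# The parent zones a resolver should only ever see unmodified.
CANONICAL_NS_ZONES = ("root-servers.net", "gtld-servers.net")


def bit_distance(a, b):
    """Hamming distance in bits between two ASCII strings of equal length,
    or None if the lengths differ (a single bit flip never changes length)."""
    if len(a) != len(b):
        return None
    return sum(bin(x ^ y).count("1")
               for x, y in zip(a.encode("ascii"), b.encode("ascii")))


def flipped_zone(ns_name):
    """Return the canonical zone that the parent of `ns_name` is exactly one
    bit away from, or None. Case is folded first: DNS names are
    case-insensitive, so a bit-5 flip on a letter is not a different name."""
    parent = ns_name.lower().rstrip(".").split(".", 1)[-1]
    for zone in CANONICAL_NS_ZONES:
        if bit_distance(parent, zone) == 1:
            return zone
    return None


def scan_log(text):
    """Return (qname, nameserver, canonical_zone) for every line in which the
    resolver sent a query to a one-bit neighbour of a root or gTLD server name."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # blank or malformed line: skip it
        _, qname, ns = parts
        zone = flipped_zone(ns)
        if zone is not None:
            hits.append((qname, ns, zone))
    return hits


if __name__ == "__main__":
    for qname, ns, zone in scan_log(SAMPLE_LOG):
        print(f"ALERT: query for {qname} sent to {ns} (one bit from {zone})")
```

Only the parent zone is compared, because a flip in the first label (a.root-servers.net becoming c.root-servers.net) still lands on a legitimate server; the length check is free precision, since a bit flip can change a byte but never add or remove one.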
Approach
Listen to everything.
Only respond to requests asking for my domains
(e.g. a.root-3ervers.net)
Avoid Black Helicopters
My Infrastructure
Visio, I guess?
My Daemons
Initially
dlog.py: DNS Logger
Secondly
rt_dlog.py: Real Time dlog
devild.py: Homebrewed DNS server
Eventually
rt_dlog.py
BIND
A neutered devild.py (just logs)
Results?
Geographic Diversity of NS Hits
USA and China: They be busy.
Major Event #1: An ISP/SSL CA
Country: Denmark
Organisation: TDC
Days Affected: 6
Hosts Affected: 1
Number of hits: 49,802
Interesting Hits
crlmaster
_nfsv4idmapdomain
183.101.17.172.in-addr.arpa.
Major Event #2: Some .US ISPs
Country: USA
Organisation: Los Nettos, OCR
Days Affected: 25
Hosts Affected: 6
Number of hits: 334,205
Interesting Hits
wpad
www.update.microsoft.com
teredo.ipv6.microsoft.com
Major Event #3: Massey Uni, NZ
Country: New Zealand
Organisation: Massey Uni
Days Affected: 4
Hosts Affected: 1
Number of hits: 328,304
Interesting Hits
isatap.[lots - telecom, Orcon, localdomain]
alb-cache.massey.ac.nz:8080
_ldap._tcp.dc._msdcs.MASSEY.
Major Event #4: Cingular
Country: USA
Organisation: Cingular
Days Affected: 30
Hosts Affected: 1
Number of hits: 536,061
Interesting Hits
svr-kaseyanew.copcp.local
wpad.conus.ds.dcma.mil
imap.us.army.mil
Major Event #5: Globe Networks
Country: Philippines
Organisation: Globe Networks
Days Affected: Varies
Hosts Affected: 27 over a year
Number of hits: 5,924,079
Interesting Hits
keys.wdf.sap.corp (lots of other *.sap.corp requests)
monroe.army.mil, dobbins.mil, blab.afcent.af.mil
localhost.local, localhost.localdomain
mail.ru&password=1q2w3e4r
But.. but.. DNSSEC stops MiTM?!
DNSSEC only helps if the right question is being asked.
DNSSEC Trust Anchors prevent some MITM.
DNS servers operate in EDNS fall-back mode.
i. A? google.com (EDNS, with DNSSEC)
ii. A? google.com (Smaller EDNS packet, with DNSSEC)
iii. A? google.com (No EDNS, therefore no DNSSEC)
So, no, it won't save ya.
What Pwned All Datas?
Oddy did!
At Kiwicon I, Beau Butler talked about WPAD.
He owned wpad.co.nz – and received a lot of traffic from confused desktops looking for a proxy.
MS fixed the recursion issue – but root-servers still see WPAD requests.
Most Common Debombinators
Lots of noise - not entirely accurate.
39% of domains never saw a legit request.
What I Could Have Done
MITM'd lots of people, routing all traffic to real destination
Eon's MiTMinator
Accepts connection
Sends no data back
Times out
When the client retries, DNS record has expired. Resolver fetches new, legit DNS record – client connects to real server, assumes “glitch in the matrix” (maybe)
Would have required heaps of bandwidth. Also black helicopters.
Solutions?
Well, no.
Mitigations, perhaps
EVERYONE SHOULD USE ECC RAM.
Organisations that run ccTLDs or other TLDs should be registering flips of their names, and their NSes.
They should also be looking out for other TLDs that are similar (hint: .tk -> .uk)
Next Steps
Domains going to good homes:
ICANN (Org in charge of ROOT-SERVERS)
Verisign (Org in charge of GTLD-SERVERS)
Still discussing when this will happen, I want to receive a feed of metadata about future flips. Will hold on to the domains until this happens.
Try This At Home
Artem's bitsquat.py
Urban's URLCrazy
Find bit-flips of your favourite domains.
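A small enumerator in the spirit of bitsquat.py, added here as an example; it is not Artem's tool, nor anything from this talk. It generates every single-bit neighbour of a domain name, which is how WWW.ABC.COM becomes WWW.ABB.COM (C = 01000011, B = 01000010), and sorts them into two classes: names somebody could actually register (the list a TLD or NS operator would register or monitor, per the mitigations above) and the flips that land on '.', '/' or '#', which are Schultz's delimiter vectors (wi.dowsupdate.com and friends). The function names and the label-validity rules are my assumptions; the input domains in the usage line are examples only.

```python
import string

# Characters allowed in a hostname label (LDH: letters, digits, hyphen).
HOST_CHARS = set(string.ascii_lowercase + string.digits + "-")
# Flips that land on a delimiter change how the name is parsed rather than
# which label it is: a new label boundary, or the end of the host part of a URL.
DELIMITERS = {".", "/", "#"}


def single_bit_flips(name):
    """Yield (index, original_char, flipped_char, candidate) for every single-bit
    flip of every byte in `name`. Bit 7 is skipped: setting it gives a
    non-ASCII byte that cannot appear in a hostname."""
    data = name.encode("ascii")
    for i, byte in enumerate(data):
        for bit in range(7):
            flipped = byte ^ (1 << bit)
            candidate = data[:i] + bytes([flipped]) + data[i + 1:]
            yield i, chr(byte), chr(flipped), candidate.decode("ascii")


def is_registrable(candidate):
    """True if the name has at least two labels and every label is a non-empty
    LDH label with no leading or trailing hyphen."""
    labels = candidate.split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not label or label[0] == "-" or label[-1] == "-":
            return False
        if any(ch not in HOST_CHARS for ch in label):
            return False
    return True


def bitsquat_candidates(domain):
    """Sort the single-bit neighbours of `domain` into the two classes worth
    watching: names somebody could register, and flips that produce a
    delimiter ('.', '/', '#')."""
    original = domain.lower()
    result = {"registrable": [], "delimiter": []}
    for _, _orig_ch, new_ch, candidate in single_bit_flips(original):
        if candidate.lower() == original:   # bit-5 case flip: same DNS name
            continue
        if new_ch in DELIMITERS:
            result["delimiter"].append(candidate)
        elif is_registrable(candidate):
            result["registrable"].append(candidate)
    return result


if __name__ == "__main__":
    import sys
    # Example inputs only; pass your own domains on the command line.
    for domain in sys.argv[1:] or ["www.abc.com", "root-servers.net"]:
        found = bitsquat_candidates(domain)
        print(f"{domain}: {len(found['registrable'])} registrable, "
              f"{len(found['delimiter'])} delimiter flips")
        for name in found["registrable"]:
            print("   ", name)
        for name in found["delimiter"]:
            print("    (delimiter)", name)
```

Flips into control characters, punctuation outside LDH, or the high-bit range are dropped because no resolver will ever emit them as a query name; the case flip (bit 5 on a letter) is dropped because DNS is case-insensitive, so it is the same name, not a squat. Running it over root-servers.net and gtld-servers.net reproduces names from the registered-domains list above, such as root-3ervers.net and gtldmservers.net.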
End Of Line
BTW, we're hiring! Talk to me!
Big thanks go out to:
Eon
#sa
narc0sis
ConBus Drivers Kerry & Sham
DNC & NZRS (esp. Sebastian Castro)
.. and of course, the Kiwicon crue!