
Page 1

Disrupting the Norm with Supernatural Shenanigans

Nick Freeman a.k.a. vt

Kiwicon 7

Twitter: @0x7674 Email: nick.freeman@security-assessment.com

Page 2

about:me

I am Nick Freeman, or vt

I hack, research and drink lots of coffee at SA.com.

I also head up the Auckland chapter of OWASP.

Stuff: I like it.

If you like this stuff, talk to me later! (bring beer)

Page 3

Data is stored in bits.

Page 4

One-bit message

Page 5

Result of one-bit failure

Page 6

Hardware Errors: Old News

Vacuum tubes in early computers would fail. A lot.

ENIAC initially had multiple failures a day.

After higher-reliability tubes were available - one every two days.

Longest contiguous operating period was 116 hours.

Page 7

Hardware Errors: Bad News

NORAD Missile Early Warning System – IC failure

Sent a status message regularly:
000 MISSILES LAUNCHED

This one time, a chip got confused:
200 MISSILES LAUNCHED

Activate RESTON 5, 3AM phone calls to the president, etc

Page 8

Soft Errors

AKA Bit Flips in Memory

1 -> 0
0 -> 1

Became widely known when DRAM showed up in the 70s.

The Good: ECC (Error Correcting Code) memory helps
The Bad: Not everyone uses ECC memory
The Ugly: It can get worse as smaller chip geometries are used

Recent studies suggest 0.2-1 flip per 1GB RAM, per day.

Page 9

Example 1-bit Exploitation

Attacks Against Microcontrollers

Ross Anderson, 1996:

"Physical attacks on some microcontrollers are almost trivial. For example, the lock bit of several devices with on-chip EPROM can be erased by focusing UV light on the security lock cell, which is located sufficiently far from the rest of memory."

He and his fellow researchers also successfully attacked microcontrollers by fluctuating power.

Page 10

Example 1-bit Exploitation

An Experimental Study of Security Vulnerabilities Caused by Errors
(Xu, Chen, Kalbarczyk & Iyer, 2001)

"…single-bit control flow errors in the authentication sections of targeted applications can result in significant security vulnerabilities."

These dudes targeted an FTPd and SSH Server.

"The results show that out of all activated errors (a) 1-2% compromised system security (create a permanent window of vulnerability), (b) 43-62% resulted in crash failures (about 8.5% of these errors create a transient window of vulnerability)"

Page 11

Causes

They vary.

Page 12

Cause #1: Heat

Page 13

Cause #2: Power Fluctuations

Page 14

Cause #3: Faulty Equipment

Page 15

Cause #4: Cosmic Rays

Page 16

Cause #5: Aliens?

Page 17

Disrupting the Norm with Supernatural Shenanigans

Yes, I'm talking about DNS bitsquatting.

Before I tell you my story, a quick recap..

Pages 18-21

How DNS Works (real simple like)

User PC asks ISP NS for A? WWW.ABC.COM

1. ISP NS asks ROOT-SERVERS (if not cached) for A? WWW.ABC.COM. Response tells ISP NS to ask GTLD-SERVERS.

2. ISP NS asks GTLD-SERVERS A? WWW.ABC.COM. Response tells ISP NS to ask ABC.COM's NS.

3. ISP NS asks ABC.COM's NS A? WWW.ABC.COM. Response contains A record for WWW.ABC.COM, ISP NS caches response, delivers answer to user.

4. End user has IP for WWW.ABC.COM, can now see pictures of cats.

Page 22

Bit Flip Error

1 -> 0
0 -> 1

WWW.ABC.COM -> WWW.ABB.COM

C = 0 1 0 0 0 0 1 1
B = 0 1 0 0 0 0 1 0

If attacker owns ABB.COM, they win
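A small generator for the flips this slide describes, added here as an example; it is not Artem's bitsquat.py nor any code from the talk. It goes a little beyond the single ABC -> ABB case: besides sibling domains it also tags flips that land in the TLD label, and flips that turn a character into '.', '/' or '#', which change how a name or URL is parsed rather than naming a sibling domain. The character sets and category names are my own choices, not anything from the slides.

```python
"""Enumerate the single-bit flips of a DNS name and sort them by what an
attacker could do with each one."""
import string

# Letters, digits and hyphen: the only characters a hostname label may contain.
LDH = set(string.ascii_lowercase + string.digits + "-")
# A flip that lands on one of these does not make a sibling name; it changes
# how the name or URL is parsed (new label boundary, path, fragment).
STRUCTURAL = set("./#")


def bitflips(name):
    """Yield (index, bit, flipped) for every single-bit flip of each character.

    Bits 0..6 only: flipping bit 7 yields a non-ASCII byte, never a hostname.
    The name is lowercased first; DNS is case-insensitive, so a bit-5 flip
    that merely changes case (c <-> C) is not a distinct name.
    """
    name = name.lower()
    for i, ch in enumerate(name):
        for bit in range(7):
            yield i, bit, name[:i] + chr(ord(ch) ^ (1 << bit)) + name[i + 1:]


def classify(original, flipped):
    """Return 'domain', 'tld', 'structural' or 'invalid' for one flipped name."""
    i = next(k for k in range(len(original)) if original[k] != flipped[k])
    new = flipped[i]
    if new in STRUCTURAL:
        return "structural"        # e.g. n -> '.', o -> '/', c -> '#'
    if new not in LDH or "." not in flipped:
        return "invalid"           # not a hostname character, or one lone label
    labels = flipped.split(".")
    if any(not lab or lab[0] == "-" or lab[-1] == "-" for lab in labels):
        return "invalid"           # empty label, or hyphen at a label edge
    changed_label = flipped[:i].count(".")
    return "tld" if changed_label == len(labels) - 1 else "domain"


def bitsquats(name):
    """Map each usable single-bit flip of `name` to its category."""
    name = name.lower()
    result = {}
    for _, _, flipped in bitflips(name):
        category = classify(name, flipped)
        if category != "invalid":
            result[flipped] = category
    return result


if __name__ == "__main__":
    for target in ("www.abc.com", "root-servers.net"):
        for squat, category in sorted(bitsquats(target).items()):
            print(f"{target} -> {squat} ({category})")
```

bitsquats("root-servers.net") yields, among others, root-3ervers.net and roop-servers.net, both of which appear in the registered lists later on this page, and flipping the hyphen in gtld-servers.net gives gtldmservers.net. Flips that only change case are dropped because DNS names are case-insensitive.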

Page 23

Where Bit-flips Happen

Page 24

Where Bit-flips Happen (1)

A user's computer mangles..

A cached DNS record

Some HTML

An HTTP req/resp

Page 25

Where Bit-flips Happen (2)

A recursive NS mangles..

A cached DNS record

.. that's about it.

Page 26

Where Bit-flips Happen (3,4,5)

An authoritative (ROOT, TLD or 2LD NS) mangles..

A DNS record

.. that's about it.

This is unlikely for the ROOT and TLD servers (ECC memory, woo)

Page 27

Where Bit-flips Happen (6)

A web server mangles..

An HTTP req/resp

Static HTML being served

Data in memory

Could be sources in <script>, <img> tags, etc.

Page 28

Research To Date

Most research to date has focused on two attack vectors:

End user device/app

Web / app server

Page 29

DNS Bitsquatting - Dinaburg

Artem Dinaburg (Raytheon, 2011) @ BH & DEFCON.

Received plenty of Farmville data, as well as DRWATSON outputs and other fun stuff.

Average of 59 hits a day, couple of freak events causing up to 3000 hits a day.

Strong focus on domains with multiple bit-flip vectors.

Artem's Registered Domains

ikamai.net, microsmft.com, micrgsoft.com, miarosoft.com, iicrosoft.com, microsnft.com, mhcrosoft.com, eicrosoft.com, mic2osoft.com, micro3oft.com, gmaml.com,
doublechick.net, do5bleclick.net, doubleslick.net, li6e.com, fbbdn.net, fbgdn.net, gbcdn.net, fjcdn.net, dbcdn.net, roop-servers.net, amazgn.com,
2-dn.net, 2edn.net, 2ldn.net, 2mfn.net, 2mln.net, 2odn.net, 6mdn.net, 0mdn.net, aeazon.com, a-azon.com

Page 30

DNS Bitsquatting - Dinaburg

Artem: "In 96% of the cases, the bit-error had occurred prior to DNS resolution."

That is:

96% of flips occurred in end user devices.

The other 4% happened.. Where exactly?

Page 31

DNS Bit Flips - VeriSign

Duane Wessels (VeriSign, 2012) hunted for the other 4%.

Captured 24 hours of DNS traffic from 5 VeriSign sites – focus on bit flips in transit.

13,031,158,230 QUERIES.

Bit-flip error rate was found to be what was expected.

"We believe that UDP checksums are effective at preventing 'bitsquat' attacks and other types of errors that occur after a DNS query leaves a DNS resolver and enters the network."

Page 32

DNS Bit Flips – Trogs

At Kiwicon 6, Trogs talked about TradeMe bitflips

Configured DNS server and web server to return answers for trademe.co.nz as well as his flipped domains

Reasonable bit flip hit rate --- enough to illustrate the issue:

154 unique hosts hit

Over 3000 unique hits

Page 33

DNS Hazards - Stucke

Robert Stucke (2013) did a follow-up on Artem's work. He registered flips for gstatic.com and psmtp.com.

Gstatic – Serves static content for Google services

Requests to gstatic.com include referer headers, disclosing people's search habits

Postini (PSMTP) – Mail provider, now owned by GOOG.

Could result in MiTM of mail for Mozilla, seattle.gov, Deloitte DK, KPMG HK, and more..

Page 34

DNS Bit Flips – Schultz

Jaeson Schultz (Cisco, 2013) introduced some new bitsquat attack vectors not covered by Artem.

Original Character   Flipped Character   Example Flipped Domain
n                    .                   wi.dowsupdate.com
o                    /                   http://ecampus.ph/enix.edu
c                    #                   http://cgportal2.us#g.mil

Page 35

DNS Bit Flips – Schultz

gTLD (com, net, org) and ccTLD (nz, au, uk) flips

Hadn't been discussed previously. Examples used:

kremlin.ru -> kremlin.re (Reunion Islands)

europa.eu -> europa.mu (Mauritius)

Also discussed danger of .tk taking .uk domains

Introduced some new potential mitigations.

Page 36

DNS Bit Flips – My Research

Most prior art had focus on multi-vector bit flips

DNS

HTTP (server / requests / responses)

End-user devices (Phones/PCs etc)

End-user applications (e.g. browser)

6 months after Artem's talk, I shared an idea with #SA

Why not think bigger?

Page 37

My Registered Domains

ETLD-SERVERS.NET FTLD-SERVERS.NET G4LD-SERVERS.NET GDLD-SERVERS.NET GPLD-SERVERS.NET

GTDD-SERVERS.NET GTHD-SERVERS.NET GTLD-3ERVERS.NET GTLD-CERVERS.NET GTLD-QERVERS.NET

GTLD-RERVERS.NET GTLD-SARVERS.NET GTLD-SDRVERS.NET GTLD-SE2VERS.NET GTLD-SEBVERS.NET

GTLD-SEPVERS.NET GTLD-SER6ERS.NET GTLD-SERFERS.NET GTLD-SERRERS.NET GTLD-SERTERS.NET

GTLD-SERVARS.NET GTLD-SERVDRS.NET GTLD-SERVE2S.NET GTLD-SERVEBS.NET GTLD-SERVEPS.NET

GTLD-SERVER3.NET GTLD-SERVERC.NET GTLD-SERVERQ.NET GTLD-SERVERR.NET GTLD-SERVERW.NET

GTLD-SERVESS.NET GTLD-SERVEVS.NET GTLD-SERVEZS.NET GTLD-SERVGRS.NET GTLD-SERVMRS.NET

GTLD-SERVURS.NET GTLD-SERWERS.NET GTLD-SESVERS.NET GTLD-SEVVERS.NET GTLD-SEZVERS.NET

GTLD-SGRVERS.NET GTLD-SMRVERS.NET GTLD-SURVERS.NET GTLD-WERVERS.NET GTLDMSERVERS.NET

GTLE-SERVERS.NET GTLF-SERVERS.NET GTLL-SERVERS.NET GTLT-SERVERS.NET GTMD-SERVERS.NET

GTND-SERVERS.NET GULD-SERVERS.NET GVLD-SERVERS.NET WTLD-SERVERS.NET

RKOT-SERVERS.NET RMOT-SERVERS.NET RNOT-SERVERS.NET ROGT-SERVERS.NET ROKT-SERVERS.NET

ROMT-SERVERS.NET RONT-SERVERS.NET ROO4-SERVERS.NET ROOP-SERVERS.NET ROOT-3ERVERS.NET

ROOT-QERVERS.NET ROOT-RERVERS.NET ROOT-SARVERS.NET ROOT-SDRVERS.NET ROOT-SE2VERS.NET

ROOT-SEBVERS.NET ROOT-SEPVERS.NET ROOT-SER6ERS.NET ROOT-SERFERS.NET ROOT-SERRERS.NET

ROOT-SERTERS.NET ROOT-SERVARS.NET ROOT-SERVDRS.NET ROOT-SERVE2S.NET ROOT-SERVEBS.NET

ROOT-SERVEPS.NET ROOT-SERVER3.NET ROOT-SERVERC.NET ROOT-SERVERQ.NET ROOT-SERVERR.NET

ROOT-SERVERW.NET ROOT-SERVEVS.NET ROOT-SERVEZS.NET ROOT-SERVGRS.NET ROOT-SERVMRS.NET

ROOT-SERVURS.NET ROOT-SERWERS.NET ROOT-SESVERS.NET ROOT-SEVVERS.NET ROOT-SEZVERS.NET

ROOT-SGRVERS.NET ROOT-SMRVERS.NET ROOT-WERVERS.NET ROOTMSERVERS.NET ROOU-SERVERS.NET

ROOV-SERVERS.NET

Page 38

My Registered Domains

(Same list as page 37, shown against the two names they are flips of:)

GTLD-SERVERS.NET
ROOT-SERVERS.NET

Page 39

How is my research different?

I only get hits from errors in DNS servers.

My victims are resolvers, not end users or single servers

Targeting DNS infrastructure itself, not single domains.

I can eventually control ALL domains

I'll get fewer 'hits' than prior research. But hits I get affect entire organisations, not 1 user..

Page 40

Exploitation

1. Recursive DNS server experiences a bit flip, thinks I am the ROOT (or GTLD)

2. WWW.ABC.COM expires in DNS cache

3. User Zero requests WWW.ABC.COM

4. Affected DNS server asks me for WWW.ABC.COM

5. I can respond with whatever I want.

6. The affected DNS server will send my response to User Zero and all future users while the response is cached.

x 1000s, millions?

Page 41

Approach

Listen to everything.

Only respond to requests asking for my domains (e.g. a.root-3ervers.net)

Avoid Black Helicopters
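An added example for the Exploitation and Approach slides above; it is not the talk's dlog.py or devild.py, which are not reproduced on this page. It parses the question out of a raw DNS query (RFC 1035 wire format), answers only when the name is under one of our flipped domains, and otherwise just hands the name back to be logged, which is the rule the Approach slide states. The owned-domain tuple, the listener address 198.51.100.1 (an RFC 5737 documentation address) and the transaction ID are assumptions; the query bytes are built in-block so it runs offline.

```python
"""Log everything, answer only what you own: the per-query decision of a
bitsquatted name server, with a minimal RFC 1035 parser and builder."""
import socket
import struct

# Assumed: flips of root-servers.net / gtld-servers.net that we registered.
OWNED = ("root-3ervers.net", "roop-servers.net", "gtld-3ervers.net")
# Assumed: address of our own listener (RFC 5737 documentation range).
OUR_IP = "198.51.100.1"
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'a.root-3ervers.net' -> b'\\x01a\\x0croot-3ervers\\x03net\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """A standard recursive query (RD=1) for qname, as a resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(packet):
    """Return (txid, qname, qtype) for the first question in a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                       # compression never appears in a question
            raise ValueError("compression pointer in question name")
        if pos + n > len(packet):
            raise ValueError("truncated name")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != CLASS_IN:
        raise ValueError("not class IN")
    return txid, ".".join(labels).lower(), qtype   # DNS names are case-insensitive


def is_owned(qname, owned=OWNED):
    """True if qname is one of our flipped domains or a name beneath one."""
    return any(qname == d or qname.endswith("." + d) for d in owned)


def build_answer(txid, qname, qtype):
    """Authoritative NOERROR reply; one A record pointing at us when asked for A."""
    answers = b""
    if qtype == TYPE_A:
        answers = (b"\xc0\x0c"             # pointer to the question name at offset 12
                   + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + socket.inet_aton(OUR_IP))
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1 if answers else 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + answers


def handle(packet):
    """The Approach slide's rule: log every question, answer only names we own.
    Returns ('answered', qname, response_bytes) or ('log-only', qname, None)."""
    txid, qname, qtype = parse_question(packet)
    if not is_owned(qname):
        return ("log-only", qname, None)
    return ("answered", qname, build_answer(txid, qname, qtype))


if __name__ == "__main__":
    # A flipped resolver believing we are the root would send us both of these.
    for q in ("a.root-3ervers.net", "www.update.microsoft.com"):
        print(handle(build_query(q))[:2])
```

The second query in the main block is the interesting one: a resolver that has mis-cached us as a root server will ask us for arbitrary names, and the code deliberately returns nothing for those, which is the "avoid black helicopters" choice the slide describes.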

Page 42

My Infrastructure

Visio, I guess?

Page 43

My Daemons

Initially

dlog.py: DNS Logger

Secondly

rt_dlog.py: Real Time dlog

devild.py: Homebrewed DNS server

Eventually

rt_dlog.py

BIND

A neutered devild.py (just logs)

Page 44

Results?

Page 45

Geographic Diversity of NS Hits

USA and China: They be busy.

Page 46

Major Event #1: An ISP/SSL CA

Country: Denmark

Organisation: TDC

Days Affected: 6

Hosts Affected: 1

Number of hits: 49,802

Interesting Hits

crlmaster

_nfsv4idmapdomain

183.101.17.172.in-addr.arpa.

Page 47

Major Event #2: Some .US ISPs

Country: USA

Organisation: Los Nettos, OCR

Days Affected: 25

Hosts Affected: 6

Number of hits: 334,205

Interesting Hits

wpad

www.update.microsoft.com

teredo.ipv6.microsoft.com

Page 48

Major Event #3: Massey Uni, NZ

Country: New Zealand

Organisation: Massey Uni

Days Affected: 4

Hosts Affected: 1

Number of hits: 328,304

Interesting Hits

isatap.[lots - telecom, Orcon, localdomain]

alb-cache.massey.ac.nz:8080

_ldap._tcp.dc._msdcs.MASSEY.

Page 49

Major Event #4: Cingular

Country: USA

Organisation: Cingular

Days Affected: 30

Hosts Affected: 1

Number of hits: 536,061

Interesting Hits

svr-kaseyanew.copcp.local

wpad.conus.ds.dcma.mil

imap.us.army.mil

Page 50

Major Event #5: Globe Networks

Country: Philippines

Organisation: Globe Networks

Days Affected: Varies

Hosts Affected: 27 over a year

Number of hits: 5,924,079

Interesting Hits

keys.wdf.sap.corp (lots of other *.sap.corp requests)

monroe.army.mil, dobbins.mil, blab.afcent.af.mil

localhost.local, localhost.localdomain

mail.ru&password=1q2w3e4r

Page 51

But.. but.. DNSSEC stops MiTM?!

DNSSEC only helps if the right question is being asked.

DNSSEC Trust Anchors prevent some MITM.

DNS servers operate in EDNS fall-back mode:

i. A? google.com (EDNS, with DNSSEC)
ii. A? google.com (Smaller EDNS packet, with DNSSEC)
iii. A? google.com (No EDNS, therefore no DNSSEC)

So, no, it won't save ya.

Page 52

What Pwned All Datas?

Oddy did!

At Kiwicon I, Beau Butler talked about WPAD.

He owned wpad.co.nz – and received a lot of traffic from confused desktops looking for a proxy.

MS fixed the recursion issue – but root-servers still see WPAD requests.

Page 53

Most Common Debombinators

Lots of noise - not entirely accurate.

39% of domains never saw a legit request.

Page 54

What I Could Have Done

MITM'd lots of people, routing all traffic to real destination

Eon's MiTMinator

Accepts connection
Sends no data back
Times out

When the client retries, DNS record has expired. Resolver fetches new, legit DNS record – client connects to real server, assumes "glitch in the matrix" (maybe)

Would have required heaps of bandwidth. Also black helicopters.

Page 55

Solutions?

Well, no.

Mitigations, perhaps

EVERYONE SHOULD USE ECC RAM.

Organisations that run ccTLDs or other TLDs should be registering flips of their names, and their NSes.

They should also be looking out for other TLDs that are similar (hint: .tk -> .uk)

Page 56

Next Steps

Domains going to good homes:

ICANN (Org in charge of ROOT-SERVERS)
Verisign (Org in charge of GTLD-SERVERS)

Still discussing when this will happen, I want to receive a feed of metadata about future flips. Will hold on to the domains until this happens.

Page 57

Try This At Home

Artem's bitsquat.py

Urban‟s URLCrazy

Find bit-flips of your favourite domains.

Page 58

End Of Line

BTW, we're hiring! Talk to me!

Big thanks go out to:

Eon

#sa

narc0sis

ConBus Drivers Kerry & Sham

DNC & NZRS (esp. Sebastian Castro)

.. and of course, the Kiwicon crue!