вторник, 2 июля 2013 г.

Insecure DNS records in top web projects

Last month ONsec_lab had discovered and reported about the same DNS issue in top web projects: live.com, facebook.com, yahoo.com, nokia.com, paypal.com, baidu.com, att.com and many others.

DNS linked few *.COMPANY.com domains to IP which doesn't belong to 

These addressed from Private Address Space 10/8, 172.16/12, 192.168/16 (look at http://tools.ietf.org/html/rfc1918, https://en.wikipedia.org/wiki/IPv4) and localhost

Basically, this may be interpreted as information leakage from intranet of COMPANY. But it's obvious :)

This server-side issue can be exploited as a client-side vulnerability when attacker and victim are in the same private network:

I.e. local.COMPANY.com have A-record to

1. Attacker connects to any public network with address space from or other which linked to any local.COMPANY.com domain.
2. Attacker adds to network interface on his computer address from A-record which linked to private address
3. Attacker publishes on any resource link to local.COMPANY.com (for example - banner on any news-site). Like as classic CSRF/reflected XSS attack.
4. All users, who connected to the same network (1) and see banner (3) will make request to http://local.COMPANY.com, which actually will be made to computer of attacker. Browser will  send cookies for *.COMPAMY.com in this request, because user make request to local.live.com. 

In this case malicious user steal cookies.

What about protection? 

Simple way is protect session cookies by Secure flag. This is facebook way. But anyway attacker can steal others non-Secure cookies. Also attacker in this case can do logout attack, because browsers have only 4Kb memory for all cookies which stored at all *.COMPANY.com domains. For this reason attacker can set many new cookies from local.COMPANY.com to delete all cookies from *.COMPANY.com and COMPANY.com scope.

Some examples:

./ccbill.com: backend.ccbill.com
./ccbill.com: internal.ccbill.com

./facebook.com: atlas.facebook.com
./facebook.com: hr.facebook.com
./facebook.com: lists.facebook.com
./facebook.com: ntp.facebook.com
./facebook.com: ntp.facebook.com
./facebook.com: sb.facebook.com
./facebook.com: time.facebook.com
./facebook.com: time.facebook.com
./facebook.com: xmail.facebook.com

./live.com: monitoring.live.com

./nokia.txt: guest.nokia.com
./nokia.txt: linux.nokia.com

./paypal.com: mx.paypal.com

./yahoo.com: i.yahoo.com
./yahoo.com: na.yahoo.com

./baidu.com: accounts.baidu.com
./baidu.com: ba.baidu.com
./baidu.com: bd.baidu.com
./baidu.com: bh.baidu.com
./baidu.com: bh.baidu.com
./baidu.com: bh.baidu.com
./baidu.com: bi.baidu.com
./baidu.com: bugs.baidu.com
./baidu.com: cd.baidu.com
./baidu.com: cdn.baidu.com
./baidu.com: cms.baidu.com
./baidu.com: com.baidu.com
./baidu.com: crm.baidu.com
./baidu.com: crm.baidu.com
./baidu.com: ct.baidu.com
./baidu.com: dc.baidu.com
./baidu.com: def.baidu.com
./baidu.com: dt.baidu.com
./baidu.com: ecom.baidu.com
./baidu.com: erp.baidu.com
./baidu.com: flow.baidu.com
./baidu.com: fw.baidu.com
./baidu.com: ga.baidu.com
./baidu.com: global.baidu.com
./baidu.com: global.baidu.com
./baidu.com: gw1.baidu.com
./baidu.com: h.baidu.com
./baidu.com: iq.baidu.com
./baidu.com: it.baidu.com
./baidu.com: km.baidu.com
./baidu.com: kr.baidu.com
./baidu.com: launch.baidu.com
./baidu.com: live.baidu.com
./baidu.com: live.baidu.com
./baidu.com: log.baidu.com
./baidu.com: log.baidu.com
./baidu.com: log02.baidu.com
./baidu.com: mirror.baidu.com
./baidu.com: ml.baidu.com
./baidu.com: monitor.baidu.com
./baidu.com: nl.baidu.com
./baidu.com: o.baidu.com
./baidu.com: ocean.baidu.com
./baidu.com: openview.baidu.com
./baidu.com: pe.baidu.com
./baidu.com: portal.baidu.com
./baidu.com: r2.baidu.com
./baidu.com: ra.baidu.com
./baidu.com: se.baidu.com
./baidu.com: security.baidu.com
./baidu.com: serv.baidu.com
./baidu.com: sms.baidu.com
./baidu.com: speed.baidu.com
./baidu.com: ssl.baidu.com
./baidu.com: tiger.baidu.com
./baidu.com: tn.baidu.com
./baidu.com: tool.baidu.com
./baidu.com: tools.baidu.com
./baidu.com: training.baidu.com
./baidu.com: ut.baidu.com
./baidu.com: va.baidu.com
./baidu.com: web.baidu.com
./baidu.com: win.baidu.com
./baidu.com: work.baidu.com
./baidu.com: ws.baidu.com

Комментариев нет:

Отправить комментарий