Friday, January 30, 2009

Beyond DNS-rebinding

I've been spending a lot of time this month following and contemplating the material out there about DNS-rebinding and the assumptions made in how we browse the web. There's some really great content from rsnake and Kaminsky.

I've been working on a new FUSE powered distributed filesystem that would work as an XSS payload. Think of it this way: instead of stashing your loot on your server or somebody else's--just continuely juggle it between a few servers that allow for a little bit of public control. Say you had access to a couple of XSS-vulnerable servers. After a little bit of AJAX injected into the sites, as long as there is a catalyst (browser hitting one of the vulnerable sites), you can maintain a basic filesystem. Even if it isn't a stored XSS vulnerability, you can still constantly refresh the pages to keep the files "stored." It works for DRAM, why not for this?

So how might we accomplish this? We could use the arbitrary TCP traffic mechanisms referenced in Kaminsky's presentation above, but that would require flash with the javascript. But is there an easier way? Remember Kaminsky's extensive work on DNS tunneling? We could just use AJAX to trigger the DNS requests and then we can stash our files in DNS just like the DNS tunnel techniques.

Ok, so we could control DNS requests and based on timing of the responses we could effectively "save" data. What other possibilities do we have? Some of the rebinding techniques are useful because the Same Origin Policy let's two sites that are considered part of the same domain to share resources. Why bother with DNS? We have a great tool we can leverage to accomplish the same thing: TinyURL.

So I will be writing this up today to submit the BlackHat CFP, and hopefully find time to code it somewhere between all of the Events I'll be teaching/presenting at. Any thoughts or tips from any of you that might have been playing with this lately?

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home