 Alright guys, I got 40 minutes to do what was an 80 minute talk, so we're gonna skip over a bunch of stuff here I am getting time sweet Yeah, get me a note with the exact end time put it on stage. Thanks So what who am I some guy I do code? Who are these guys other awesome people, but I do want to say this I would a theory that this was a patch that could not be reverse engineered because it was really weird It was reverse engineered in 51 hours so much for that theory So we had a bunch of people who are involved. These are the guys who did it This is why yeah, I just took a lot of crap over the last month over the last couple months Whatever I got a hundred and twenty million broadband customers that are fixed. I'd do it again. I'd do it twice Fortune 500 is even doing okay So there are pictures of who's patched. They're pretty cool Why all this work? So who here does not know what DNS is? You might have heard a little while. Okay Long story short. It is the phone book for the internet The internet does not work on names anymore than the telephone network does you have to put a number in for any name It is a distributed system Which means it's like voicemail hell where you keep getting bounced from one system to another you start off on the root servers You ask them for www.food.com system says I don't know But why don't you ask this guy over here and then you go to the comm service and say hey Do you know what? www.food.com is and they also say I don't know but why don't you ask this guy over here You do this over and over and over again to your finally out of voicemail hell And you finally actually get what you're looking for this is called recursion and it is a pain in the ass Therefore we dedicate recursion to a set of servers called name servers like bind or dj bdns or so on Where your host is just a client or a stub resolver So what about the bad guys if everything depends on receiving the right number for the right name Wouldn't a bad guy want his number return instead you try to go to yahoo you get a bad guys number you try to go to Google you get a bad guys number you try to go to your bank you get a bad guys number actually that sounds pretty damn cool so Here's the question So you know when the name server assay ns1.food.com for www food.com couldn't the bad guy reply first Couldn't he like just have his answer accepted? Oh, totally the the way around this is called a transaction ID It is a random number between zero to sixty five thousand that allows the response from the legitimate good guy The real ns1.food.com to be separated Disambiguated from the bad guys fake reply for www food.com So it's not perfect, but you know the good guys got an advantage like sixty five thousand five hundred thirty six to one Those are some pretty long odds and even better when the good guy wins Well, he can say how long he wins for is this named to number mapping gonna last a minute an hour a day You know one day times sixty five thousand races divided by two That's like eighty four years for the bad guy to actually win. That's a long time, right? So this was the entire concept of this draft forgery resilience And it basically said make your TTL as long as possible. This entire draft is a dare to the DEF CON community Here's the problem first if this is to be a race Between who can reply with the correct random number first the bad guy has the starter pistol Look the good guy has to wait for the correct transaction ID to go over the river and through the woods to actually Provide the good guy with hey when you reply use number eight three one two Yeah, the bad guy doesn't need to wait. He doesn't know but he can just be like hey you go go look up W Don't food calm. Did you use transaction ID one how about two maybe three? So the bad guy can always reply first. He may not have the right transaction ID, but he's getting there first Second problem by the way first problem was kind of known So the second problem who said the bad guy can only reply once the winner of the race is the first person to show Up with the correct number nowhere to say the bad guy can't try lots and lots of random numbers So if he can try a hundred numbers the odds go from 65 thousand five hundred thirty six to one two six hundred fifty five to one which are still long odds And when he loses he has to wait for the TTL that could be like six hundred fifty five days almost two years or not Look TTL is not a security feature It's what I said in my talk last year if the bad guy asked the names to ever look up WWW food calm ten times. There's only going to be one race with the good guy It's gonna be like the first race will happen WWW food calm will be looked up the other nine times the lookup is spawned That's just coming out of the cash. That's just being remembered Ah, but there are other names besides just WWW food calm. Well, at least we can pretend there are didn't say what about what? food calm do dot food calm three dot food calm the TTL that race timing limitation Only works on a entire name not on different subdomains. So You can just repeatedly cause lookups for one two three four five and You may have only a one out of six hundred fifty five chance of winning. Okay, so you try six hundred fifty five names and you win There's a problem You are now the proud spoofer of eighty three dot food calm, but you wanted WWW dot food calm. Is there a way to get from eighty three to WWW? totally Look, here's what you do, right? You've got eighty three dot food calm. You wanted to steal WWW dot com as the bad guy You've got three possible responses When your transaction ID is accepted Whatever you have in your message is actually gonna be looked up. They're gonna open up the envelope and parse what you had to say and the three things you could say were Hey, I got the transaction ID, right? And here's your answer for eighty three food calm and six six six six well six six six six And that could work. There's I don't know the answer for eighty three dot food calm or the fun one Eighty three dot food calm. I don't know, but why don't you ask? WWW dot food calm and here's its address This has to work because it's how you got to NS one dot food calm in the first place You went from root to calm you go from calm to NS one dot food calm You go from NS one dot food calm as far as you know to WWW dot food calm You're basically using the other half of DNS to attack Target names So I wrote this tool called DNS rake named after a common method for lockpicking Sends a query to a name server for random dot food calm the bad guy has a starter pistol It sends 200 fake replies to the name server with transaction ID from zero to 200 the bad guy can apply multiple times and Each of those replies contain name server redirections to WWW dot food calm in technical terms That's random. WWW food calm in NS WWW food calm WWW food calm in a six six six six it probably won't work. Oh well try again So these are the packets it looks like This is the actual execution trace. Sorry. I don't have time to leave it on. This is what happens when you actually run it Now this works against pretty much everything in wide deployment bind 8 bind 9 MS DNS Nominum, which is used in most of the ISPs Does not necessarily work against the rest of the name servers out there, but they're just not really out there So does that count? The most commonly offered defense our DNS servers are super secure They do not accept queries from the outside world. They must be safe Well, can someone on the inside look up WWW dot spare calm will an IP come back? That's 157 222 4520 if so you might have a problem So look we have this thing that you've got to realize the attack works Partially because of what are called bailiwix Root servers can return any name. They want and that name will be trusted Calm servers can return any name. They want and that name will be trusted as long as it ends in calm Food calm can return any record for food calm now It wasn't always this way this guy Eugene cash Paul was like hey I could totally stick extra records in any reply So when you look up Eugene cash prep calm I can create a new TLD and just say by the way Have you heard of I don't know dot cash Yeah, so he got extradited from Canada and put in federal penitentiary. So don't do that But the bailiwick system was invented to deal with his issues 1997 was the last time we had a DNS bug not a random bug There's some awesome bugs have happened over the last 10 years, but 1997 was the last time we had a DNS bug this bad Because in 2002 with the birthday attacks that everyone thinks I was talking about presumptuous You couldn't override entries that were already in the cash So if you lost the race you couldn't just try over and over again 2007 to me client TN transaction ID prediction still could not overwrite the cash Although a meat doesn't get as much credit as he deserves so If that was what behaved with in bailiwick stuff Does that mean you may not make a referral either to a foreign name server or whatever that is out of your bailiwick No, you totally can because that was just how DNS work before cash broke broke everything So what they did was they said if we're told at food.com to go look up something in bar.com We won't reject it But we will start from scratch and we will go to the root and go to calm and go to calm and find the actual bar Dot com server and we will make our way Back such that food.com can have a referral to bar.com, but we actually know the real bar.com IP That means whenever someone looks up food.com the food.com server can force an immediate look up to bar.com It happens instantaneously. The bad guy has the starter pistol So what you do as the attacker is not cause random things inside behind the firewall to look up food.com Because then you have a huge timing issue. You have to know exactly what it happens Excuse me. You don't make them look up bar.com target.com whatever you're trying to hit because that gives you a timing issue What you do is you have the internal guys look up food.com and whenever they come to you for food.com names or bad guy.com names Excuse me when they come to you for bad guy.com When the Internal name server comes to you for bad guy.com names You send a C name referral to targets in your target domain and this works very well Now how do you make the internal look-ups happen? Oh, let me count the ways All right, the many starter pistols a mr. Bad guy got a web browser Don't you web browsers will look do a DNS look up every time you look at him funny And he link any image and he add anything will cause a DNS look up. You don't even need JavaScript though. It helps Mail servers anyone here work somewhere where they get email from the internet. Oh Come on Yeah, uh-huh that yeah, you know what's coming. So look you even Sniff in the general direction of a mail server on the internet and it is going to do a DNS look up You say hello DNS look up literally You tell it who you are it goes. I want to know more information DNS Can you tell me on spam check? Maybe you're a spammer? Let's go ahead and look in the spammer DNS server What could possibly go wrong? When trying to deliver a bounce when trying to send a newsletter does any if anyone here has lyrus the Major email server at their site. You might want to tell them by the way, please fix your insurance Who puts a custom name server in a mail server and doesn't tell anybody? Oh, yeah, and you know sometimes when you mail a company a human being replies to you and When they do they got to figure out where to deliver the mail Web log resolution is fun. Who here runs a web server? You know who here's ever looked at their web logs? Yeah, yeah, so when it goes in takes those IP addresses and turns them into names That's DNS look ups under attack or control Web bugs and documents, you know Calling home is not just for privacy violation anymore. I know there's lots of things in web 2. Oh IDS's are fun. You just make an IDS think you're an attacker and it wants to investigate you and thus do a DNS look up Roy a rent trick was great So you'd get a query from a Microsoft name server and reply with another query Be like it asks you a question you go. No, no, no, I got a question for you and it would totally go look it up Like on the port said a DNS quest on my port 58219 what? You can spoof internal IPs from the outside network This has no right to work, but a whole bunch of people have crappy router ACLs and think that firewalls wrong So what did we do? Look we went ahead and we said look we got an odds right now of one out of sixty five thousand We got our increase that we got increased that to between one out of a hundred sixty three million to one out of I say two Billion actually technically one out of four billion. This is an improvement That's a lot of traffic to go unnoticed. It is not necessarily too much traffic. Mr. Russian physicist. We know Yes, I will totally take an attack That takes two billion packets over one that works in 32,000 somehow I think it's a little easier to defend against one versus the other Now people are saying but I have this perfect idea perfect solution. Oh is wrong Look there are so many variants of this attack I do not know how we got to 2008 with nobody knowing how this how to actually exploit this thing You have C names D names extra glue You have all the things that make the authoritative servers not reply like this power DNS bug You go ahead and you look up an unnamed query type as opposed, you know a or ns or C name There's lots of different record types and DNS if you look up one that does not exist The power DNS authoritative server just doesn't reply. There's another way back to one out of sixty five thousand land and Other methods anything that causes the cash to clear anytime you have naturally low TTL records anytime I don't know you can make a name server not reply because you flooded it with a tax and decided no I'll go give my firewall rules out to the outside world Anytime how about you just pollute subdomains that worked at the Torcon talk There's so many variations. The whole game was this look either We do point fixes meaning we try to fix this we try to fix this if we try to fix this and when we screw up We're back to thirty two thousand packets to misery Or we have a generic sledgehammer fix that applies a minimum level of security to vulnerabilities We don't even know about also known as the djb solution djb was totally totally right even in all of his latest complaints. We actually completely agree. He's like Dude guys, this was 99. We need real crypto. Yes, we do But if we had showed up back we had this big secret summit back at Microsoft in March If we had actually done that and said like big DNS bug our solution is DNS sec That's right One happy guy in Glee and the rest of you looking in horror I'm not saying DNS sec is not necessarily the right long-term solution But it's sure not the right short-term solution So there's gonna be a ton of solutions offered, you know People are gonna talk about lots and lots of things and we've broken most of them But look, I will tell you this all the things that are you know, we'll do a little We'll get this name server online in this name server online Unless the root servers and the comm servers in fact all the TLDs are either backwards Compatible or code migrated to your solution It doesn't matter because I don't care how secure ns1.food.com is if I can pop a GTLD servers net because what do you think told me to use ns1.food.com in the first place? So I've got a blog entry in my home page Wwduxbear.com that just talks about all the other things the long and short of it is we figured out Everything else was broken in at least some way We'll figure it out that we're gonna need to fight through this for like some period of time And in the meantime, let's not have a 32,000 packets of doom So there is some stuff from the client I don't want to go too much in depth on it because I've got all sorts of fun server attacks But I do want to say this There was some research a while ago about predicting that the transaction ID in the client given ID 1 given ID 2 You could determine ID 3 and everyone said that's nice If you're ever in a position to learn ID 1 you don't need to predict ID 2 You know ID 1 you can reply first. So this bug is BS Why did Microsoft fix it in April in the April MSRC patch? That was ridiculous No, it was the right thing to do and here's why For you to spoof a response from a DNS client to a DNS client talking to his local name server You have to get two things right the UDP source port and you have to get bright the transaction ID How do you know source port? Well, when you make a HDB connection to someone Before April MSRC that connection would say go out on source port 10000 and you know what what port the next DNS request would happen on 10000 one. Oh, so that's pretty easy. But what about the actual transaction ID? You can't treat DNS in isolation because everything uses it So when a DNS reply happens You get two things you get a HDB request going out When immediately where wherever the bad guy says it is Hang on Freeze. There's a tree So apparently I get to totally relax All right So this apparently means that I get more time than I had at black hat, which means I get to have a whole bunch more fun Where was I? Oh, yeah, it turns out other protocols use DNS and When DNS is done other protocols do things Immediately to DNS controlled locations So what that means is if you guess the right transaction ID by I don't know setting 65,000 packets to a DNS client You are able to control when you guess correctly You will get a packet time And when you guess correctly the HTTP query will go to the crew a destination that you set where These are not huge signals. However, all we want is 16 bits for a transaction ID 16 bits. I can leak 16 bits. Here's how we're gonna do it Client is gonna go to a website controlled by the bad guy Client is gonna say, oh, I need to look up bad guy calm against the local name server Local name server is gonna work its way throughout the internet. It's gonna find the name server of the bad guy and The bad guy is not gonna reply to the local name server. It's just gonna sit there So local name servers waiting and waiting waiting for reply. They can't do anything So client is just gonna sit there waiting waiting waiting for reply to and they're just gonna sit there Open port open transaction ID just waiting Now the bad guy does something but doesn't send any packets to the local name server bad guy sends packets directly to the client Knows what port to use because it leaked through HTTP doesn't know what transaction ID to use So he tries them all on average in 32,000 packets. He will guess the correct transaction ID If he doesn't guess in time, oh well, but he eventually will guess correctly Now there's a couple signals here Timing when the hdb connection arrives because that's what happens when you finish a DNS reply to a web browser You get an hdb connection Now if you have a say a three second window and can dips and make you wait time by about 100 millisecond chunks You get about five maybe six bits of data, but you can try over and over and over again Also, when you spoof that reply beyond just timing information you control the location that the web browser is going to go to So if you have 256 addresses, you can basically say You know at 1.3 seconds my 130th of my IP addresses went ahead and got a packet That actually gives you quite a few more bits if you happen to have a class B If I had a class B, you know, but if you happen to have a class B, you don't even need timing data It just works now if you have IPv6, you know, this is really really easy, but real world so You know, there are totally other hosts out there could we return IP addresses of hosts we don't have We don't own and use the web browser to somehow basically borrow the other hosts for our scanning purposes and Who here remembers idle scanning? Check it out idle scanning is all about you find 64,000 boxes on the internet that never get traffic But when they do you can tell because their IP IDs change on return packets So you go ahead and you cause some local some client to send a packet to one of 65,000 servers Then you go to all 65,000 servers and say was it you was it you was it you was Eventually it would theoretically work Idle scanning worked really well when it was figured out now. There's all these bastards scanning the internet screwing up idle scanning Sorry Then I was looking at pointer pollution, you know, oh when an IP address can communicate somewhere They'll be like a reverse DNS lookup. That wasn't reliable at all Anyone here ever gone to a talk with Billy Hoffman? Billy does bad things to JavaScript and At some point I just needed to do the Billy Hoffman option So here's the idea. I would return one of 64,000 web browsers one of 64,000 web servers to the client I Wouldn't know which one the client would get but whoever it got would be under a domain I controlled meaning I could read back from the web browser. Hey, which page did you get? That actually works fine, and you can do that either directly with content or by looking at what happens to document cookie So basically I'm using JavaScript to eventually pick out DNS transaction IDs What could possibly go wrong? Of course, it's way easier with my attack. Basically. You don't even try to guess the next transaction ID Just force repeated lookups her name fill in whatever answer you want And this is actually the exact attack implemented in the field ho dns spoof dot see from Psycho pod at yahoo.com. I don't know if ZMDA is this group name, but good job Initiate sequence trigger DNS lookup by the ADS resolvers have the same rage of spoof DNS ID isn't a constant flood spoof Does the primary DNS server so not theoretical? Psycho pot totally did it this was about Three or four days. Let's see. Was it the 25th 26th of July somewhere around there good stuff DNS clients have never been the focus of this work though because it attacks one box Would you rather attacks one or you know everyone so we've been focusing on server? Is that it? No, you know, that's that's that's how to attack DNS But that's not the interesting question the interesting question is why to attack DNS Because this this is where things get embarrassing because wow Wow, we've been doing a lot of crappy things on the internet for a long time So check it out Let's start with the TLDs. It is in fact possible. Yeah, you start with poisoning the TLDs. That's right Yeah, don't don't bother with poisoning food.com or Google or yahoo or whatever just poison everything Directly you can poison it by changing the NS record off of calm Indirectly just poison a gtld servers on that beachy tld servers on that CGTLD servers on that and so on now when the bad guy Poisons calm gets all requests even request that he didn't know in advance that he wanted because remember when you go to the route You don't just ask. What's the next com server say? I'm looking for www.food.com So when you poison higher in the DNS hierarchy the name server comes to you and says hello Would you like download dot Microsoft com? Would you like it for ten days? Would you like it for ten hours? Would you like to only take Microsoft? Would you like to take only the specific name at Microsoft? You basically get complete control. You actually get asked What you want to poison and for how long you would like it be poisoned for? crap The obvious first step to do from here is MX intercept MX intercepts not just for the NSA anymore Mail is special its special little point that it has its own DNS record it has an MX record you can tell not only does someone want to speak to food.com They want to send an email the attacker can actually pick off which Name sir which males it wants to take and which ones it doesn't can silently intercept then let the mail run off to its own destination or Can interfere here's where we get into real world how things get popped Okay, about a third of all attacks come from direct user action Loading a document downloading and installing malware The game is to get compliance from the user to assist in executing the attack and since users want to see Dancing pigs. This is not necessarily that hard But even your best user even your most trained user even user who doesn't want to see dancing pigs still needs to get work done And work is done by exchanging documents and exchanging executables and exchanging zip files over email So if you're a man in the middle and you see a document going by you don't interfere with it Or you don't block it. You don't even just read it. You infect the document and roots When it arrives users like well, I was just having a conversation with Bob and here's the contract that will get me a bonus this year open open open Shouldn't the spam filter stop when the man in the middle does intercept? It is in fact true that the actual inner the actual manipulation is now going to come from the IP address of The bad guy and not necessarily the IP address of the real names mail server Now you might say but the spam filter will catch this. How do the spam filters work? Someone just said poorly that guy gets a beer So Yeah, you end up being able to hijack spam filters You can actually go ahead and like block mail from arbitrary domains now great is that so I'm not going to go fully into the voice over IP stuff, but It's it being looking too good either sip ends up using SRV records out of DNS And it looks like the invite and register messages can even get you say hello, mr. Phone over there. Please go ahead and look up this name starter pistol Zane like he's been looking into this So beyond just mail beyond just zip. Yes, the web is a little bit hosed You can directly poison all websites through the calm through calm and that will work great But it will only let you replace content. What if you wanted to be able to read it back? What if you wanted to not just make a user think? Oh, it's fake gmail calm What if you wanted the user go to real gmail calm But by the way, there are some extra little script that was running in that execution context Well, you could target the static files that are loaded by any complex web app You load a script file you win you load CSS like just making an CSS has a method called expression and expression will run JavaScript So all you do is poison the server specifically targeting CSS and you win there, too If you wanted to do this to everyone and not just one particular site We have these nice things ad servers analytical servers that are run through script source If you have script source poison DNS name with HTTP That one poison is going to hit the entire web now. I know you're thinking SSL will save us However, I'd like to point out Did you guys know the internet is more than just the web like more things use htb than just web browsers? Welcome to the third age of hacking The first age of hacking you wanted to get look all security is what are you parsing and who are you parsing it for? Servers were the source of anonymous parsing for most of computer security You wanted to pop a box you came in over FTP you came in over telnet mail web a freaking time would let you in These were the things that consume bytes from a bad guy. What are you parsing crap? Who are you parsing it for the bad guy was the server? So these were the things that got locked down We got a little better with servers So now and not all Now everyone's focusing on client-side attacks through the web browser because ultimately you can totally lure people To you and when they are lured they go ahead and they take attack or control bytes and give it to JavaScript active X Java image formats Dom's there's so much Complexity reachable through the web server so we've been spending the last couple of years finding client-side attacks and Finding them actually out in the field on porn sides on gambling sides, etc now The browser age is not over Oh, you know you can totally have multiple bugs going on at the same time and indeed these DNS issues Really affect the browser if nothing else all these active X controls that are site locked to only work on a particular domain If that domain is htb colon slash slash broken But this is now the third age and the third age involves everything else This is a desktop on the internet cafe near my home That is real there. You probably can't see all the icons But here we have flash fxp and Skype and icq and quick time and SSH secure file transfer Yahoo messenger and logitech quick cam Which probably has an auto-updater and out of where se personal which definitely has an auto-updater And iTunes and aim and Golden Casino and internet frickin checkers. I Think we may have some new attack surface to play with Who here remembers the vulnerability in sidebar last year? last year Vista came out and Whenever last year me was here before well, whatever sidebar got looked at finally Someone noticed huh these downloads RSS feeds from the internet when it downloads those RSS feeds from the internet By the way, they can totally contain code to run But we didn't see widespread exploitation Because the code was retreat from a fixed address that the bad guy could not change and the bad guy could not control But with DNS you can this is a general theme that you can take Communications that were once secure and migrate them or if not secure you can take communications that would once Always go to a non attack or control destination and you can totally take it over So sidebar is not special in this regard browsers are really really good playing code I may very well be the first person in computer security to have ever said that But it's relative browsers have been getting their ass kicked for ten years AOL instant messenger not so much There's look What do you guys think happens when you fuzz randomly corrupt data into? We clients well my buddy illy advanced bundle went ahead and did that and all he did was feed random data To IRC clients and with one tiny little fuzzer. He broke bitch XM IRC X chat KV IRC a drop epic ninja Emac BRC IRC turbo IRC it was just a catastrophe because clients are written like crap When they don't have to deal with malicious servers well most clients that have ever been written have not had to deal with malicious servers IRC clients have apparently gotten better after this fuzzing effort, but there's a lot of other stuff that people are running games How's the actual gaming next overlooked security whole talk actually happened? Did who are you actually went to it? Okay, listen that guy totally totally insanely right Game developers have time to do many many things Right secure code that can deal with crappy servers is just not one of them or at least hadn't been because it wasn't a ship requirement We're gonna have to get a little better here Now let's get past this slide Who needs an exploit even Anyone here about evil grade Francisco Amato stunt Okay, you don't need a buffer overflow. You don't need some crazy ninja stuff Bunch of clients will just come to you and say hey you got any code for me. I need a new version You're the bad guy guy. I totally got a new version for you We knew this was broken. I Didn't realize anyone big was still screwing this up in 2008. So Sun's got Java and open office Apple with a Mac OS apparently Winsip win amp itunes LinkedIn we knew about LinkedIn. I actually turns out if you send a mail to security at linkedin.com Someone's listening. I sent a mail. I got a call back in 20 minutes. Oh hi, Dan I bet you're calling about our toolbar Yes, among other things Props to LinkedIn they fix that pretty good. At least I think they did Auto upgrade is a pain in the ass You have to make sure the update package is signed and signed by you and Signed by you with the key that says I'm supposed to be able to sign code and sign from a signature That has not been revoked and be a signature on by the way the same product And also be a new version because if you release something insecure six months ago You don't want an auto upgrade back to the vulnerable version now. You could use SSL But people like oh my god performance. I can't do it so There's about one Update system that may actually pull this off windows update everything else is probably hosed Adobe might be okay at this point because they went through some headaches, but There been some talk about windows update as far as I know there's no actual justification behind it But yeah, those guys are pretty paranoid There is a paper called secure software updates disappointments and new challenges by a police mo burger some food It's pretty good paper if you're interested in subjects. I suggest you take a look Check this out. This comes out two days after I announced there's a problem in DNS Package managers as Achilles heels. It turns out all the Linux auto-updaters are really really broken and Someone said what keeps you up at night the thought of attacks on your package manager or Previously discussed and patched vulnerability in DNS What is this or you speak of what I can only use one bug at a time? DNS provides us with the man in the middle that can we can then use to break broken package managers There's no competition between bugs. In fact, if you take two awesome bugs and combine them you get totally awesome bugs People say but SSL SSL will save us All right, let's talk about SSL because this is The first big test of SSL has it stood up because of the strength of its crypto Or has it stood up because no one could be a man in the middle on it and thus just get around whatever protections it offered Let's find out for SSL to be effective. First of all, you must actually use it It works better if you plug it in and the web does not plug it in SSL is not just kind of the exception. It is barely Existent on the internet right now. How many executables will you personally download? Insecurely this week and remember attackers can pick and choose what domains to snipe So everything can be perfect right until you hit that download link from the one server that provides those downloadable executables and then you're going to the bad guy And do you think people stopped using FTP? I didn't FTP still all over the place There's foreshadowing there may not even go into it Second SSL you must never downgrade too bad downgrade is a fundamental way behind most of the way We use SSL on the web you go to a www.food.com and HTTP and the web server says up you totally should have come to me securely Here, let me upgrade you to security now. Everything is great. You know what the bad guy does not that oh and SSL errors by the way, I was just thinking I could tell you I know you wanted to have a secure link, but It's not secure at all. You still want to use this site Okay 41% say they totally ignore the error and use the site anyway Thus obviating any of the value from security. You might say but Dan 43% get all worried and leave the site and won't do with it. Yeah, that's what people say You know what people also do they lie a lot When you actually look at the data an Online bank in New Zealand had a certificate expire it just went down Like time ran out and you know what happened? 99.5% of users still entered their credentials that one guy who didn't is probably in the room right now Data suggests the DNS base attacker has a remarkably high chance of actually winning You Must actually check to see if the sake the certificate is signed by someone. Hey look guys I have a certain cure connection to the bad guy so I May be scanning the internet every once in a while all the time never stop, but I Took a look at some SSL data 327,467 SSL certificates were scanned and I just took a look and said I don't even want to see if the chain is valid. All I want to see is that they're even Pretending to be signed by someone else or they're just saying hi. I'm me. Why because I said so 140,355 SSL certificates because I say so that's not security They might say but Dan at least there's a browser error You know if legitimate use has a browser error. I think the user is always going to click through 100% of the time and Hey, what about the things that are not browsers? What about other applications? So I was going to talk about other applications and then hey Mike. Why don't you come up here? and then then I started hearing about someone who'd actually looked into real applications like SSL VPNs now everyone this is my ex-usman say hi Mike. Hi Mike Somebody here Somebody here Forgot to submit to DEF CON And I was like, yeah, I'll go speak at black hat, but oops. I forgot DEF CON So he's here now because his work is too damn good not to be here, but he's got a drink Cheers So, you know Mike a major other application are these SSL VPNs, right? Why yes Dan they are so So Mike why don't you take a couple seconds and tell us about how good SSL VPNs are at actually checking the certificate? I would be glad to and the answer is in general they are not Some of them have the ability to but usually it's an option that can be turned on turned off pretty willy-nilly What these and the reason for that is if you're a company you're an enterprise and you're evaluating an SSL VPN You're not going to go buy your own cert You're going to use a self-signed cert and you're going to test with it. Maybe once you actually get one in production Maybe hopefully you'll buy a real one and use it But I've seen cases where that just hasn't happened and these self-signed certs just remain in use in production but That's not even the the biggest problem with SSL VPNs just a little background on me I worked for a company called Whale Communications that made an SSL VPN got bought by Microsoft and I parted ways with Microsoft. I don't know about a year and a half ago Something like that. Anyway So what these SSL VPNs do these are web-based SSL VPNs They rely on active X objects to do everything So the first time you log into an SSL VPN you get a nice little active X installed You got to click through all your warnings and you get it on there and once it's on there Well, you don't get warned about anything anymore That active X object is used to upgrade other parts of the VPN client components and do little cool things like I don't know you know in interface with Winsock and reconfigure your network stack and Do lots of cool things like that But then the one feature that always bothered me about SSL VPNs and customer customers would say hey I actually worked in the support team and say hey, I'm configuring this application and When the user clicks on the link in the web portal I really just want the application to launch automatically for the user So so what do we have there? We have a web page that's telling a client to hey launch this arbitrary executable And it's all passed down from the server So what you have is a very interesting attack vector for repurposing of these active X objects Now you talk about site locking Saying an active X can only work with a specific domain Well, that doesn't work for SSL VPNs because everybody has their own domain name that can't be hard-coded You can't pass it down from the server because then an attacker can just spoof it anyway So that just doesn't work it can work if you What the Microsoft product actually did and I never saw any other? SSL VPN do this Could be out there. I just haven't seen it Is the first time the active X is actually invoked on the client? It'll prompt the user. It'll say hey This domain name is trying to use me. Do you want to let them use me and execute commands on your machine? The error message is actually or the warning message is actually very specific that it says I can execute commands on your machine So the user can then whitelist it for that domain only. So how do we get around that? DNS Exactly DNS well fortunately, we don't even really have to worry about that with most SSL VPN vendors So what I demoed at black hat was and I'm really not out I'm not here to slam a vendor because I actually had a very positive experience with this vendor and they were very appreciative of You know how I handled the situation, but a different vendor. I basically knew how You know how these You know VPN devices were made so I figured well if I can just get my hands on another one You know, I'll find all these problems. So Sonic wall happened to have a demo site so That's where I went and started doing a little poking around little research and sure enough Their base installer ActiveX likes to upgrade itself and it likes to reach out to whatever website is invoking it and download a nice Little executable and run it for you So we fixed that Sonic wall fixed it very quickly. They have patches available and You know, it was a great experience. So props to Sonic wall on that good company takes security seriously You know everybody's got problems, but they're doing the right thing So that's a little bit about SSL VPNs, but about a week ago week and a half ago before black hat Okay, never mind Who did you get a cert for? Login.live.com and how did you get it? I placed an order on a big CA's website for it He asked But don't worry SSL will totally save us all There are indeed a lot of things you think I'm even done with SSL. Oh, we can keep going So check this out a lot of there are actually a lot of SSL applications out there over web pages And how do they authenticate they usually use cookies, but okay? Wait, we have secure cookies. That means they cannot be read Over HTTP it however turns out they can totally be written over HTTP So you could have a user who is totally logged into a web app that is a totally perfect SSL web app And there's another window in the background. That's just oh, I can't read that cookie But maybe I can change it Do you know how many applications are actually set up to deal with someone else changing their cookie or more accurately changing some Of their cookies Nothing who you're seeing this error right here. Maybe as a web developer Who here hates this error? You guys do realize that this error is here What it's basically saying is if you click yes, the page is not secure at all in any way shape or form Think that error message makes that clear well, why don't we take a look at the Firefox version of that error message which is a 10 pixel red line through a lock which says well it tried to be secure, but failed I do like this So flash has a call that says allow insecure domain Not only does it have a call that says allow insecure domain, which does completely break SSL But it has a freaking manifesto against the call on the adobe site Whoever this guy is is my freaking hero. I've written things like this. I never got anything like that published That's legendary Then there's why is this secure the world's most depressing Google search for about two years ago There are all these financial websites that have login forms that are hosted over HTTP, but you know If you happen to put in credentials they promise your credentials will be provided over SSL and To make sure you know that it's safe because there's no picture of a lock on the browser. They show you a picture of the lock They all draw their own when it's so cute. I think this is what happened to pixel artists. They all went to make locks for bank websites Yeah, this doesn't work at all Look engineers are very good at security at engineering to the 99% case and the 99% case of security is no attacker So you see a lot of security as long as there's no attacker That's not useful guys So we do live in the future we've gone from 26% being vulnerable in 2006 to maybe about 5% in 2008 The financial sites are improving though. They are not perfect There's a good paper analyzing websites for user visible security design flaws But there are still a lot of sites using the oh wait, we want to protect our users passwords So we'll take the credential over pat over SSL and then switch back to HTTP for performance This does not help But people say but wait, okay, Dan. These are all at other layers at least the cryptos go to the SSL We're still using MD5 Okay Seriously for all the comments about us knowing DNS has been broken for like 12 years We've known MD5 has been going to fail for 12 years now Hans-Darberton did the math in 1996 and basically said yo This is gonna break. We need to stop using it and the United States government said holy crap Hans You're totally right and German you we totally do need to stop Using MD5 and the federal government decertified it quickly. In fact, I don't know why I say a decade later It was like two years later. I got to go fix that There's generation. Oh a decade ago. Nice week Generation of collisions on MD5 a couple years ago We actually have full-on cloning attacks against the predecessor MD4 protocol But we still use it and use it and use it until the moment it blows up in our face And then we're all gonna be surprised. I don't want anyone in this room to be surprised when MD5 fails miserably. Oh Yeah, anyone remember all certificates from Debbie and being bad. Oh Oh, yeah, people are saying none in a Kaminsky DNS bugs not very good Debbie and non-random number generator. That was the bug There's no competition guys. We can totally use both bugs at the same time Look First you go ahead you sweep the net you find all the certificates out there that were generated by Debian But by the way signed by legitimate certificate authorities. Don't worry about revocation. That doesn't actually exist So all those public certificates can be then computed back to their private versions and you can impersonate anyone because the CA did say This was a valid certificate But how do you get in the middle? DNS gets you in the middle. So you combine the Debian NRNG bug with the new DNS flaw and all of those sites That were once using a Debian generated cert are actually Unnear unfixably vulnerable for five years How nice is that? So we've known all these things about SSL. I know what you're saying you're saying all this is all old stuff blah blah blah Show me something new ha ha alright Why do you think SSL certificates are valuable? Although you might not know that Mike's told everyone you can just ask But assuming you can't just ask Anyone can buy a cert anyone can generate bits what prevents any of you besides Mike from generating a cert for www.microsoft.com Well, look CA's sell bits, but there is some meaning There's an identity and they want to sell say I don't mean they want to sell me a cert for doc spare dot com But not any of you. Well, what's different between us? Well They send me an email So Domain validation the way it works the way they make sure that they give a certificate to the right person is first They look up the domain and who is which requires a DNS lookup Then they send an email to the email address on file which requires another DNS lookup Or they visit the web page and look for a file which requires maybe a third DNS lookup Guess how secure SSL certificate delivery is in the face of a DNS attack not Or at least it wouldn't be if I hadn't spent the entire month of July taking calls from various random certificate authorities saying How did you know who I was and what is this I hear about a major attack? So Tom Albertson Kelvin you and Zotto Connor of Microsoft. I basically went to him and said Guys, I got a big problem with SSL. Can you give me emails 20 minutes later? I have a spreadsheet So bear sign Komodo did you search trust wave everyone went ahead? Evaluated whether had that they had a problem kept the whole thing secret This stuff was actually figured out this attack was figured out about the night before my black hat talk SSL shopper calm and they basically said aha the solution to this domain validation problem is you should get extended validation certificates Basically when you have your browser shows you a big green bar So here's the problem guys. Evie is just a display technology that just shows you a greater level of security It is not a code technology meaning if you have two windows open one for hb Cool S colon slash w w w food calm domain validated the other for hbs Www food calm extended validated the two windows can talk to each other the first window can actually run code inside of the other So extended validation does nothing against a domain validation attack Maybe someday it will but as Colin Jackson Adam bars showed us not today You know what else is interesting You know CAs have web interfaces to manage previously issued certs web interfaces. You have to sign into When I told everyone in July That the web was broken. I wasn't just talking about its clients. No, I was talking about servers, too Everyone confused who here doesn't see what's wrong Anyone? Rock. Yeah, check that out Forgot my password. How does that actually work? So you've got some website and you were supposed to have a password But ah you might forget and so you click forgot my password and it sends you an email, but email is broken guys It's really bad to have email broken because when you click forgot my password and email is broken There are three things that can happen first. Sometimes you just get the password in the email Which is great because people love sharing passwords between sites Second you get a reset password link, which still you're gonna get in but the bad the other for the victim will know Occasionally there are additional protections where it asks for personal information But number three is pretty rare number one and two are universal and they always always work So attacking forgot my password systems It's just an email meaning it forces a look up to an attack or controlled name You can actually create an account on a site Forget your password Get an email from the specific mail server that provides service for forget my password The mail server will talk to his name server the name server will talk to you you alone calm you alone Forgot my password and every account behind that web application It has been a long long month of July So I have spent all of July on the phone with Google and live and yahoo and PayPal and eBay and MySpace and Facebook and LinkedIn and Bebo craigslist live journal high five and Citrix Frickin go to my PC so This is very cool that everyone fixed this issue be nice if we had secure email in 2008 Now I'm not gonna say I got everyone because there's like a Hundred and seventy million instances of forgot my password forgot your password or forgot password But we did okay, and that's why it was so nice to have such uptake on this bug because holy crap I is not gonna be able to be on the phone with everyone So who here knows of open ID? Anyone still think open ID was gonna save the day Yeah, I love it. Here's a conversation for open ID. Hi. I'm friend my friend my friend can vouch for me Then stick us over here goes over to the identity provider and says hey dude. Is that really Fred? Identity provider says sure is Sticker says welcome to stick us right yippee Well, would that have helped How did stick is here find identity provider here? That's right DNS So it gets worse Crap this came out after my talk. So people were like well our Secure open SSL our secure open ID approach uses SSL and SSL will save the day Unfortunately, Ben Laurie went ahead and found that a bunch of the open ID providers were using SSL With a Debbie and misgenerated certificate This is a total I will be the first to say the DNS bug is a totally lame bug, but my god It seems good So right about now. You're probably thinking alright clients are hoes web 2.0 is hoes But my intro webs are safe. Are they are they really? Well, let us discuss the inconvenient matter of reverse DNS. We also own ARPA Those are words. I never thought I'd say so ARPA is the in-atter ARPA is the space that when you look up one dot two dot three dot four returns a BCD comm now What can you do with this? Well the obvious thing to do is spoof log entries in Apache We've had bugs in this for a while of the Apache double-overs look up log entries spoofing vulnerability A bad she basically gets an IP Looks up the name and then make sure the name goes back to that particular IP Well, you know what we control for DNS we control backwards DNS. We just win So if you're building a system do not just log the name that DNS tells you because DNS can lie Log the name log the IP address. There's also some interesting possibilities if you can fake a numeric TLD I don't know that this will work But I wonder if you can say that six six six six is in PTR is in reverse look up of one dot two dot three dot four Then he goes wait wait wait, let me look up one dot two dot three dot four and you know as an address I'm gonna say there's a dot four top level domain and its address is six six six six So you might actually get like log entries that appear to have an IP address that is that's totally totally faked You might say but Dan this is probably stopped by client-side API's Never presume an API is ever smarter than it had to be to ship it rarely actually is more reverse DNS sequel or script injection via client targeted reverse DNS Responses from reverse DNS are often thrown into a database we knew about this and the input is not necessarily sanitized when put into the database, but most name servers do some kind of sanity checking But we have attacks that get around name servers We spake the name server and the client libraries tend to suck So we can go ahead and say oh, hey, you want to insert something in your database? You know XP command. How you doing? To be honest is probably pretty unrealistic and painful to execute Who here was that my talk last year? It all works again So last year what I talked about was how to use DN. I need to get some beer here. My throat kind of hurts look Last year my talk was all about hey We have the ability to get connections from a web browser that are not actually HTTP We have plugins flash and Java that are giving us TCP and in Java's case even UDP access to the networks that were on well This I ended up using last year to build something of a VPN solution. You come to my network I get a VPN connection to yours. We trade if it's great um This was the bug last year everyone fixed flash fix this using cross-domain.xml wrote it right off the IP address Java fixed this by looking in reverse DNS Which we own So we get all the good stuff now again We get full TCP and UDP access but from any browser in your organization to any host behind the firewall Bonus your link is fully IPsec authenticating encryption because the web browser gets to play in full IPsec You don't get to go ahead and communicate with 127.001 in general, but you get everything else John He's been figured out how to get 127.001 Now spreading the fun If you have arbitrary socket access, you know what you can do if you have UDP port 53 to any IP address You can totally find other name servers behind the firewall and poison all of them too Beyond that Who here knows about the SNMP v3 bug? Ah, we didn't need to authenticate that router access anyway 256 packets and you get into any router that sucks They fix that sort of but you know what else you can do from Java at the web browser is you can spoof SNMP v3 But not spoof. You can just say hey, I've got a message. Are you a router? Would you would you? Would you like me to authenticate into you and reconfigure you so yeah Things that are bad because of a stupid little DNS bug DNS to Java Java to SNMP v3 SNMP v3 to more onage Alright, alright enough with the client bugs. What about servers? Are they vulnerable? Interesting question, which would you rather own BGP or DNS? Ah There's a four o'clock talk for the other half Check it out, right? Look, I'm looking at BGP and I say BGP controls the flow packets already destined for the internet Two boxes on the same land cannot be attacked with BGP because BGP is a routing protocol and two boxes on the land Do not route they use ARP to find one another There's also no specificity in BGP. You can't say I only want packets from here and This particular session at this particular moment and not from here You pretty much have to go all or nothing at least in terms of network regions And there's good amounts of visibility People can see in log BGP announcements decent amount DNS by contrast controls where packets are destined on the first place So the only reason those two boxes on the land used ARP and didn't route is because DNS told them They were on the same land and told them they didn't need to ARP if your DNS is bad Two boxes physically next to each other are going around to each other by way of Malaysia Beyond that there's some specificity in DNS You can say for each query you said a TTL is zero and you can choose Connection by connection by connection. I want this one not that one this one not that one And here's how long I want it for you get incredible amounts of control over just how much traffic You're gonna hijack and you have very low visibility because seriously Nobody's looking at DNS traffic or at least nobody visibly So as I thought at Blockhead DNS was obviously a better thing to look at than BGP, right? Yes, and then I met the guy Here who's a close-off who's actually doing BGP ponage here at DEF CON and he kind of sent me straight He's like Dan, you know, you can use BGP to hijack DNS traffic and it totally gets around your patch Yes, yes, that actually totally works, too. So There's a talk going on called stealing the internet. No really at 4 p.m. in track 4 It only works if you have BGP connectivity, but do you trust everyone BGP connectivity? I got some score for you Pakistan one YouTube zero So there is some difficulty you cannot poison authoritative records on servers at least with the DNS rake attack Now you can poison clients You can have the client go ahead and think that there's a record that you're then gonna own But the server side it's you this is a cash poisoning attack If a server is configured to be the authoritative server for something It's not loading it out of the cash. It knows the answer other caches come to it so a Lot of there are places there are a number of places where people are talking to only primaries or secondary authoritative servers So there is a infrastructure called isolated split brain where Individual desktops just never ever ever do DNS to the outside world. These things are really really safe Active directory is pretty heavy on primaries. It's pretty safe. There's no cash to crop there for internal names That's the big thing. I mean everyone's thinking about DNS cash poisoning for like google.com. Yeah, try your internal servers So one time in history that the flat names that Windows use are actually a security benefit Split blame environments are heavy on forwarders, which are somewhat safe because you don't know the destination of the forwarder However, if you have Internal name servers that are going out to the internet that are going off to some public store for names There's no split brain. It's just on the internet. You can get internal addresses It's game on Because when you think it goes to the internet server to find out what the internal company IP address is That's not going to be the internal company address anymore So what can happen when internal DNS goes bad? Oh my god So network engineers have been awesome, right? They've been complaining that the patch is slow They've been complaining that how much time is it? Okay, they've complained the patch is slow They've complained that patch is hard the patch conflicts with Nat the patches on pain in the ass But what they haven't said is we don't need to do this You know why because they totally know how long they've been ignoring the security community They know what kind of trouble they're in. That's why it got patched so much. So Tell that behind the firewall. Oh, yeah, SNMP behind the firewall. Yep Authentication servers, you think that's your radius server you're talking about no Back up restore the SOA architectures which was all back to names It's DNS that actually tells you the address that is the next hop for your internal data processing Back-end databases. This was a tweet by this guy Sean Moyler. It was actually a black hat. He's like joking He's like, oh, I think Dan was talking to me about DSNs apparently documenting found a way to hijack everyone's ODBC connections or something Sean was joking, but that actually works, too I'm like sweet Here awesome. Thanks, man. I can't has your sequel queries. Come up and grab a drink All right, but and even if internal DNS is hard to hit external dependencies are totally fair game because there are So many connections between companies DNS controls house servers find each other now that link might be secured if SSL is used Is anyone actually checking certificates because that ain't a freaking what is it not? Yeah, that's not a browser So it's probably not checking sorts. God is depressing that that's true IP sec is great People use IP sec to connect between networks and IP sec rules are triggered for particular routes routes are tied to IP addresses DNS controls what IPs are used if DNS is corrupt You may not go over the VPN in the first place DNS changes destination subnet therefore DNS can get around IP sec validation So someone said that's why you use x509 certificates and pre-shared keys I'd like to point out how practiced a reply that was because everyone gets it wrong so Ultimate external dependencies payment processing your off-site backup now is not a good time to have an insecure link to your off-site stores I'm not saying anyone does but if there's a scintilla of a chance patch patch patch SNMP into the ink against the internet Somebody is using SNMP to log into machines on the internet You're probably using DNS to find them if you would like to not provide the SNMP community strings and access codes to the outside world You might want to make sure your DNS is fixed Also, you're parsing asn1 from the outside world one of the things we learned in 2002 Which is one of the last big patching efforts asn1 parse asn1 is probably the world's most miserable protocol in the world to parse Servers might have gotten locked down, but this is the third age your clients better be good to Search engine optimization is always fun. There's search engine optimization, and then there's owning Google's DNS Yeah, and then who here has ever put files on a content distribution that work out of curiosity I Akamai or limelight ever wonder how that actually happens where they get the data in the first place Well, you provide the CDN and hdb url Which uses DNS pulls down data and hosts it to the internet It would be really really really bad if Akamai or any of the other content distribution networks had bad DNS So it has been a an interesting ride through what a stupid lame I'm the first to say this bug should not nearly be as interesting as it actually is The reason this bug is interesting is because everything else is hosed So summary DNS servers had a core bug which allowed arbitrary cache poisoning the bug works even when the host is behind a firewall There are enough bearing into the bug that we needed a stopgap before working on something more complete Industry rallied pretty ridiculously to do something about this with hundreds of millions protected DNS clients are at risk in certain circumstances, but we're really focusing on servers for now We are entering or perhaps holding back for a little longer a third-age of security research where all network apps are fair game Where the online games are at risk where the instant messengers are at risk where IRC is at risk in the real world Auto update itself, which is all over the place is repeatedly being done really really badly SSL, which is supposed to save the day every time you look at it. It shoots itself in the face the In fact SSL search themselves are dependent on DNS DNS bugs ended up creating something of a skeleton key across all major websites despite independent implementations Internal networks are not excluded because the only thing that keeps things internal is DNS and from the effects of Java Hey, look we get full TCP and UDP access back behind the firewall again. Your firewalls aren't doing much right now either So finally, we're not even populating CDNs securely. How do you think every day everything else is going? So that's kind of what this talks been about and that's why I did a month of went through a month of all of this stuff There are some people that said it was a lot of hype and you know what there was a lot of noise Because oh my god people needed a patch. They actually really truly did need to patch All I said is there was a bug People called BS on me. This was my reply Lessons learned We have got to get better at fixing infrastructure. We got really lucky with this bug We had an amazing number of people not just me all I did was find a bug and tell people they needed to fix If you look at the actual hours that I spent on this versus all the IT Administrators in the world and even the companies that wrote the patch if I have point 001% of the hours invested I would be shocked and appalled Everyone came together to fix this thing This time but the next bug is not going to be this smooth because frankly There's just going to be so many more people involved Because it's not going to be the kind of thing that can be kept secret for this long We need to have disaster recovery plans that include how to handle the discovery of a flaw in any mission critical code Anywhere we need to have bosses is that say your router may get owned and you have 24 hours to patch And you have to know how that's going to work and if you need to rearchitect things you need to look serviceability is survivability and no one has ever made the link that says how Serviceable a network is is a major selling point is a major metric for the quality of a system It's not about what how the network works when things are going right It's about how the network works when things are going wrong and serviceability is ultimately the measure of software flaw survivability We also know that cooperation cross-cost competitors Researchers and by the way government can indeed be very productive when you have a hundred and twenty million users protected from just one of The providers and it's not even the biggest that's pretty cool a lot of people do not realize The degree to which people have been ignoring security research and security guidance You and I know what people should be doing, but my god There's a lot of crap out there if you actually look as Mike Zussman actually looked His talk should not be a big deal. His talk should have been known for years But I was shocked So we're doing a lot of things in securely and even with DNS fixed There are a lot of scenarios which unencrypted IP traffic has lost to the attacker There is no saving the internet There is postponing the inevitable for a little longer and every one of you as a security in person in this field Get out there get people to fix their stuff It's the only thing we can possibly do to help and that's what I've got at least that's what I've said for now