Slipping Past the Firewall
DNS Rebinding with Pure Java Applets
Billy K Rios (BK) and Nate McFeters
Overview
• Implications of DNS Rebinding Attacks
• The Attack
• Demo
• Final Thoughts
• Questions?
Implication of DNS Rebinding Attacks
• Some Thoughts about Firewalls
  – “I prefer pwning the server :p”
  – Client Side Technologies
  – Heavy Doors with Open Windows
  – Sun Tzu was a Hacker…
• JavaScript – Sockets?!?!
• Flash – Sockets!
• LiveConnect (Firefox and other Gecko Based Browsers) – Sockets!
Why JAVA Applets?
• David Byrne
  – Java Applets? … Actually LiveConnect (Firefox only!)
• Princeton Computer Science PhDs?
• Sockets!
• Abstraction
• Libraries / Classes
  – JDBC
  – SSL
  – Others
• Remote Control over Java Applet
The Attack - Setup
[Diagram: The Internet, XSSd Web Site, Victim, Attacker, Oracle DB]
• Close the Browser
  – Closing the Browser Destroys the Instance of the JVM
  – Applet Remains cached till 2010
• Call an External Java Supported Application
  – Firefoxurl, Navigatorurl, Picasa…
  – Each Application has its own instance of the JVM
  – Applet Remains cached till 2010
• Load Different Versions of the JRE
  – Somewhat limited in newer versions of the JVM
  – May be removed in the future
  – Applet Remains cached till 2010
The Attack
Remotely Controlling the Applet
• Script Src
  – Remote JavaScript is loaded via Script Src
  – Dynamic Content (Despite Caching)
• JavaScript / Java Applet Interaction
  – Public Methods
  – Public Variables
• Remote Control Through an XSS Proxy (XS-Sniper)
DEMO
Questions and Final Thoughts