The Good, the Bad, the Net Neutrality Detector (Page 2 of 4)
LAS VEGAS: A creaky old DNS rebinding design flaw has been dragged out of the Internet's attic, had the dust blown off and been shown to be freshly poisonous.
As Dan Kaminsky, IOActive's director of penetration testing, showed at the Black Hat conference Aug. 1, all he needs to bypass firewalls, penetrate VPNs and remotely cherry-pick any resource available on a vulnerable system is to bounce off a lured Web browser.
DNS rebinding is an attack technique that dates back to 1996, to research done at Princeton University.
Here's how Kaminsky explained the attack, which depends on the fundamental workings of the client side of the Internet: Web pages are pulled together in the browser from pieces that can come from all over the place. One page can even be embedded inside another page; that's called an "iframe." The thing is, if someone embeds a Hotmail page into another page, does that mean whoever's viewing the outer page is logged in to the embedded page? Would that person be able to read the Hotmail messages?
In theory, no, due to SOP (same origin policy), a security measure for client-side scripting (mostly JavaScript). SOP says you can look, but you can't touch. A Web page can embed Hotmail, but it can't peek inside and read somebody else's mail.
That policy is meant to provide security and privacy, but the way it decides what counts as "the same place" is also a basic flaw in the architecture of browsers. Say that foo.com has an iframe to foo.com, meaning that it can look inside itself. If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can't peek inside and see what the user sees. SOP dictates that if two things come from the same place, they must be trusted at the same level.
And coming from the same place means you have the same domain name, right? No. Names don't host anything, Kaminsky said; that's the job of an IP address. DNS is used to translate between a name we trust and an IP address we communicate with. Foo.com = 1.2.3.4, and Bar.com = 3.4.5.6. The assumption is that these name translations don't change.
However, in reality, both foo.com and bar.com can return any IP address, at any time, whether they control that IP address or not. Hence, bar.com can return foo.com's IP address. It could point to a server in Europe, say, and then switch in the next moment to point to a printer down the hall.
Now suppose your browser loads bar.com twice and the DNS answer changes between the two loads, Kaminsky said. The content from both the European server and the printer down the hall would be seen as coming from bar.com. According to SOP, a script from the server in Europe can do whatever it wants to your printer, given that they're coming from the same place, at least theoretically.
The server can't get past a corporate firewall, but it doesn't need to, Kaminsky said. It will just use the browser to do its dirty work, instructing the browser what to do, and the browser will report back detailing whatever your printer is up to.
It's an attack that takes advantage not of a bug but rather the intended design of the Web, Kaminsky said. The browser can't tell external IP from internal IP if both are coming from bar.com because it's not supposed to. "Major Web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another," he said.
Detecting that there's a cross-IP scripting action occurring is a start to addressing these types of attacks, but what to do after that is what people are trying to figure out, he said.
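The mechanics described above, as an added illustration that is not code from the article or from Kaminsky's talk: a toy authoritative resolver that answers bar.com with the attacker's address once and an internal address afterwards, a few-line browser whose same-origin check compares host names only, and the "cross-IP scripting" detection the previous paragraph mentions. The names, addresses, page contents and firewall are constructed for the example; the two hardening switches (pinning the first answer, refusing internal addresses for a public name) are this example's assumptions about a countermeasure, not something the article proposes.

```python
"""Toy model of DNS rebinding, as described in the text.

Added illustration, not code from the article or from Kaminsky's talk.
The names, addresses, page contents and the "firewall" are constructed
for the example; the browser is a few lines of Python, not a real one.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample network. The corporate firewall keeps the attacker
# from reaching 10.0.0.42 directly; only the victim's browser can.
ATTACKER_IP = "203.0.113.10"   # attacker's public Web server ("server in Europe")
PRINTER_IP = "10.0.0.42"       # printer down the hall, RFC 1918 space
NETWORK: Dict[str, Dict[str, str]] = {
    ATTACKER_IP: {"/": "<script src='/rebind.js'></script>",
                  "/rebind.js": "fetch('http://bar.com/').then(exfiltrate)"},
    PRINTER_IP: {"/": "Printer admin: 3 jobs queued, SNMP community=public"},
}

# Address ranges a public name should never legitimately resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RebindingResolver:
    """Attacker-controlled authoritative DNS for bar.com.

    The first answer points at the attacker's own server so the page and
    its script load from there; every later answer points at the internal
    target. TTL 0 asks the client to re-resolve on the very next request.
    """

    def __init__(self, name: str, first_ip: str, later_ip: str):
        self.name, self.first_ip, self.later_ip = name, first_ip, later_ip
        self.queries = 0

    def resolve(self, name: str) -> Tuple[str, int]:
        if name != self.name:
            raise LookupError(name)
        self.queries += 1
        return (self.first_ip if self.queries == 1 else self.later_ip), 0


class Browser:
    """Minimal browser. Its same-origin check compares host names only,
    exactly the property the attack relies on. The two hardening switches
    are this example's assumptions, not something the article proposes."""

    def __init__(self, resolver: RebindingResolver,
                 pin_dns: bool = False, block_internal: bool = False):
        self.resolver = resolver
        self.pin_dns = pin_dns                 # keep the first answer for the page's lifetime
        self.block_internal = block_internal   # refuse internal addresses for public names
        self._seen: Dict[str, str] = {}
        self.rebind_events: List[Tuple[str, str, str]] = []  # cross-IP scripting detections

    def _lookup(self, host: str) -> str:
        if self.pin_dns and host in self._seen:
            return self._seen[host]
        ip, _ttl = self.resolver.resolve(host)
        if self.block_internal and is_internal(ip):
            raise PermissionError(f"{host} answered with internal address {ip}")
        if host in self._seen and self._seen[host] != ip:
            self.rebind_events.append((host, self._seen[host], ip))
        self._seen[host] = ip
        return ip

    def fetch(self, origin_host: str, target_host: str, path: str) -> str:
        """A script running in origin_host reads a resource from target_host."""
        if origin_host != target_host:
            raise PermissionError("SOP: cross-origin read blocked")
        return NETWORK[self._lookup(target_host)][path]


def run_attack(browser: Browser) -> Optional[str]:
    """The victim loads bar.com; the script it serves then reads bar.com/ again.

    Returns whatever that second read hands the attacker's script, or None
    if the browser refused it.
    """
    browser.fetch("bar.com", "bar.com", "/")             # first load: attacker's HTML + script
    try:
        return browser.fetch("bar.com", "bar.com", "/")  # script's request, same "origin"
    except PermissionError:
        return None


def demo(**hardening) -> Optional[str]:
    """Fresh resolver and browser per run, so the query counter starts at zero."""
    resolver = RebindingResolver("bar.com", ATTACKER_IP, PRINTER_IP)
    return run_attack(Browser(resolver, **hardening))


if __name__ == "__main__":
    print("unprotected :", demo())
    print("pinned      :", demo(pin_dns=True))
    print("no internal :", demo(block_internal=True))
```

With no hardening the second request is answered by the printer, and because both answers carried the name bar.com the script is allowed to read the printer's page; `rebind_events` records the address change, which is the detection the paragraph above calls a start. Pinning returns the attacker's own page instead, and refusing internal answers aborts the lookup.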
And here's where the fun really starts: with bypassing the firewall. Most corporate networks differentiate between the external and the internal network: Internal resources can route out, and the network is shielded from external resources trying to route in.
But by bouncing off a lured browser, an attacker on the outside can access resources on the inside, Kaminsky said. And by "resources," he means anything your machine can access: files, database ports, Web services, you name it.
Getting around a firewall sounds exotic to a U.S. audience, Kaminsky said in an interview with eWEEK, but we're in the minority. Censorship's a problem on the Web in many if not most countries outside the United States. In China, for example, the average knowledge of a child regarding how to set up a proxy and how to bypass filters and firewalls ranks at what Kaminsky considers to be master level. "There are countries where the average user knows how to get around the firewall," he said.
An associated attack, XSRF (cross-site request forgery), has been used in the wild recently. One incident came just before Super Bowl XLI: Two days before the game, a malicious image was placed on the official Super Bowl site, and more than 1 million desktops were compromised overnight.
In addition, Boneh's team at Stanford has tested a Flash applet placed on an ad network and distributed across many Web sites. It acquired partial network connectivity to client LANs and exposed 100,000 networks.
This is not the type of security vulnerability story that has a section that says "and to fix this bug, so-and-so vendor has supplied patches that you can get at such-and-such site." No, this is the type of vulnerability that is so fundamental to the machinery of the Web that Kaminsky, when asked what to do about DNS rebinding, said we basically have to stop and look at what our model is for private information.
"Everyone needs to realize that we have a tremendous gap in how the Web works," he said. "People are trying to put a lot of private information on there. DNS rebinding, cross-site scripting, cross-site request forgery, these bugs are pernicious, and they're not going away."
In fact, what we will need at some point is a reimagining of how security works on the Web, Kaminsky said. "I didn't come up with these rebinding attacks. They've been floating around since 1996. They've been talked about since 2006. I'm trying to get people to realize these bugs are exposing their corporate networks and threatening to cause them to [lose the ability to know who they're dealing with online]. People should not be able to borrow your Net connection just because you browsed to their page. They shouldn't be able to attack your network IP for whatever weird thing," he said. "Or we can stop using these things for any private reasons. And these bugs are threatening commerce on the Internet. I want to protect commerce on the Internet."
But of at least equal interest to Kaminsky is that this DNS rebinding attack can be used to test Net neutrality.