Topic: New Exploit FTW: The Internet Pwns j00 (Read 3588 times)

Ookii (Staff Emeritus; Posts: 2676; is actually Trippy)

So basically this guy named Dan Kaminsky figured out how to turn your browser into a 'vpn concentrator', from the article:

The technique originates in the browser security model, based on same-origin policy. This allows a web browser, either using JavaScript or Flash, to connect back to the same host that the content came from. If the attacker changes where the hostname is pointing to, the browser can connect there. For example, the next time you connect to attacker.com, the DNS server actually serves you a 192.168.1.1 address, allowing the webapp to connect to your internal IP.

The POC at http://www.jumperz.net/index.php?i=2&a=1&b=7 worked on my corporate network too, and apparently there is nothing you can do to stop it at the moment.

The Original Article: http://radar.oreilly.com/archives/2007/08/your_web_browse.html
More Whitepaperish: http://www.megginson.com/blogs/quoderat/2007/08/01/protecting-web-sites-and-services-from-dns-rebinding-attacks/

So basically right now if someone knows where something is in an internal network, and can get you to visit their website, you're pwned.

Ironwood (Terracotta Army; Posts: 28240)

Scaring the fishes.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu

Oban (Terracotta Army; Posts: 4662)

I sent this to my web devs and have yet to hear from them... never a good sign.

Palin 2012 : Let's go out with a bang!

Sky (Terracotta Army; Posts: 32117; I love my TV an' hug my TV an' call it 'George'.)

Cool link, thanks. I sent it to the librarians who are messing themselves trying to figure out how to make everything web 2.0.
Fucking buzzword douchebags. I prefer Shut The Fuck Up 1.9.

Roac (Terracotta Army; Posts: 3338)

Quote: I sent this to my web devs and have yet to hear from them... never a good sign.

    Please wait for 15 seconds.
    f1()
    ERROR: Access is denied.
    ERROR: http://jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1
    ERROR: 50

Can't get it to work. Well, won't work for us at all anyway because all our websites require a host header, which the poc won't accept. I tried setting up a default page on the default website for it to hit, but it can't see that either. Then tried setting up a default on localhost, and it's not getting even that. Firefox was more interesting, but still didn't work:

    ERROR: uncaught exception: Security Error: Content at http://jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1 may not load data from http://www.jumperz.net/index.php .

-Roac
King of Ravens

"Young people who pretend to be wise to the ways of the world are mostly just cynics. Cynicism masquerades as wisdom, but it is the farthest thing from it. Because cynics don't learn anything. Because cynicism is a self-imposed blindness, a rejection of the world because we are afraid it will hurt us or disappoint us." -SC

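Added example, not part of any post in this thread: two defensive checks against the DNS rebinding described in the first post, a resolver-side filter that drops internal addresses returned for outside names, and the Host-header requirement Roac mentions. The zone suffix, host names and function names are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional

# Assumed for this example: the internal DNS zone and the sites this server hosts.
INTERNAL_SUFFIXES = (".corp.example",)
ALLOWED_HOSTS = {"intranet.corp.example"}


def is_internal_address(addr: str) -> bool:
    """True for loopback, private (RFC 1918 / ULA) and link-local addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local


def rebinding_suspects(hostname: str, answers: List[str]) -> List[str]:
    """Resolver-side filter: return the answers to drop, i.e. internal
    addresses handed out for a name that is outside the internal zones."""
    name = hostname.rstrip(".").lower()
    if name.endswith(INTERNAL_SUFFIXES):
        return []  # internal names are expected to resolve internally
    return [a for a in answers if is_internal_address(a)]


def host_header_allowed(host_header: Optional[str]) -> bool:
    """Server-side check: serve only requests whose Host header names a site
    this server hosts. After a rebind the browser still sends the outside
    hostname in Host, so the request is refused here."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():  # strip an optional :port
        host = name
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample DNS answers (name, addresses); 8.8.8.8 stands in
    # for any public address.
    samples = [
        ("attacker.com", ["8.8.8.8"]),
        ("attacker.com", ["192.168.1.1"]),
        ("wiki.corp.example", ["10.0.0.5"]),
    ]
    for name, answers in samples:
        print(name, answers, "drop:", rebinding_suspects(name, answers))
    for header in ("attacker.com", "intranet.corp.example:8080", None):
        print(repr(header), "allowed:", host_header_allowed(header))
```
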
Trippy (Administrator; Posts: 23657)

This isn't a "Web 2.0" specific thing.

Sky (Terracotta Army; Posts: 32117; I love my TV an' hug my TV an' call it 'George'.)

Quote: This isn't a "Web 2.0" specific thing.

I know but he does mention the vulnerability and his trepidation of the security of Web 2.0. If he's worried, I'm worried :)

bhodi (Moderator; Posts: 6817; No lie.)

that is slick.

Trippy (Administrator; Posts: 23657)

bhodi (Moderator; Posts: 6817; No lie.)

That's not a new flaw, it's a one-click tool that someone put together to exploit it. If you've got unencrypted traffic going over the air, you should expect to get your cookies stolen.

Oban (Terracotta Army; Posts: 4662)

Why in god's name would you use webmail without a secure connection? Download better gmail if you use firefox.

Palin 2012 : Let's go out with a bang!

Trippy (Administrator; Posts: 23657)

Quote: That's not a new flaw, it's a one-click tool that someone put together to exploit it. If you've got unencrypted traffic going over the air, you should expect to get your cookies stolen.

I didn't say that was a new flaw.

Sky (Terracotta Army; Posts: 32117; I love my TV an' hug my TV an' call it 'George'.)

Quote: If you've got unencrypted traffic going over the air, you should expect to get your cookies stolen.

I'm trying to get my father to understand this. I think my next bit of advice for him is to sell his computer. He's somehow broken every firewall known to man and doesn't use them anymore because they 'break his computer'. He also claims to have spent hours on the phone with every incident. Poor customer service, I never know what the hell he's talking about and I share half his DNA. If I were a hacker, I'd move to Florida. Lots of retirement accounts and dipshit old people accessing them through wireless connections in the park.

Furiously (Terracotta Army; Posts: 7199)

I suppose. But isn't it like taking candy from a baby?

Sky (Terracotta Army; Posts: 32117; I love my TV an' hug my TV an' call it 'George'.)

Candy is tasty.
	