DNS Pinning Doesn’t Exist in Flash
Kanatoko published a very interesting finding about Flash: apparently it does not follow the browser’s DNS pinning cache. So while DNS pinning plagues us and can be circumvented in some very interesting ways, Flash doesn’t adhere to the browser’s DNS cache at all; it resolves names on its own, so you can query directly (you just need to wait).
So Kanatoko produced a Flash demo that port scans the intranet, and it’s actually relatively fast too. It only scans one host, but you can see how this could easily be expanded upon without much work. Very nice work, Kanatoko! This would definitely make attacking intranet applications much easier.

February 5th, 2007 at 12:48 am
I run all my Windows browsers as a limited user using Sysinternals’ psexec. I noticed when I ran Kanatoko-san’s demo it could only port scan ports 1024 and higher.
So besides being a great (although nowhere near foolproof) protection against arbitrary shellcode running in your browser, it also protects against Flash (JS?) port scans..
February 5th, 2007 at 11:54 am
Hmm… interesting. I wonder why that would make a difference. Do you know if this limits the Java socket from binding to those addresses as well, or is this limited to flash?
February 5th, 2007 at 1:54 pm
I’m pretty sure it’s a Flash thing, because it’s even mentioned in their docs: http://livedocs.macromedia.com/labs/as3preview/langref/flash/net/Socket.html#eventSummary (check the description for the securityError event)
And while it doesn’t provide an explanation there, the admin privilege lock seems fairly reasonable.
February 5th, 2007 at 2:15 pm
takuan
How is it when you use Administrator?
February 5th, 2007 at 2:26 pm
Question … Wouldn’t it be easier to stop most of the hacking if:
Make a PHP virtual command filter?
so in php.ini there is
username myself
1-a test your script.
1-b working ok? then run phpsafe. So all your PHP commands become commands as in ifhardtogetme(), casehardtogetme(), $_SERVERhardtogetme[], etc….
and PHP will interpret your commands ok, because you had set up php.ini with that suffix for you.
At least the hacker can’t tell which commands PHP is working with; what can he do if he does not know the PHP commands the engine works with?
Of course, the same with MySQL. So how will a hacker inject any query if he does not know the virtual language, as in the SELECThartogetme you’re using?
You can program with the commands as they actually are, so there is no burden for that.
You could hardcode some script with the suffix key already if needed.
Of course this has nothing to do with encryption; it is just hidden.
echohardtogetme “is it possible?”;
Since CONSTANTs can’t be redefined, you could do this as your very first command.
define("PHPSAFE", 'TEST') – PHP is in test mode, so it interprets commands with and without the suffix.
within a production script
define("PHPSAFE", ) will only interpret commands with your suffix key on them.
Not possible?
Then second chance, let me rename the most dangerous commands
so in php.ini there is
username myself
For MySQL I would do SELECT = Zendyect
How would the hacker know how to use sockets, mail, MySQL, queries or anything?
I have another idea for Javascript, similar but not equal, because it is the client side. Would you want to know about it?
February 5th, 2007 at 2:27 pm
takuan-san
Are you Japanese?
>it could only port scan ports 1024 and higher.
It occurs when you can’t make a direct connection to www.jumperz.net with TCP.
Because of the default restriction of Flash, the Flash file in the demo needs to load a policy using an XMLSocket server to connect to the low ports.
There is an XMLSocket server running at www.jumperz.net:2.
This server sends a response like the one below to the policy loading request.
–
–
In the demo, if you see this,
–
Checking connectivity…
Connection failed.
Could not make a direct connection to the server.
Only port 1024 and higher can be scanned.
–
it means that Flash couldn’t load a policy.
This is very complicated
February 5th, 2007 at 2:31 pm
>This server sends a response like the one below to the policy loading request.
Ah, sorry.
See this: http://www.jumperz.net/fuga/policy.txt
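The policy exchange Kanatoko describes in the two comments above (Flash asking a policy server for permission before it may open a socket to a low port) is shown here as an added example; it is not code from the original post or from Kanatoko’s demo. It assumes the Flash Player socket-policy protocol as Adobe documents it: the client sends `<policy-file-request/>` followed by a NUL byte and expects a NUL-terminated `cross-domain-policy` XML document in return. The policy contents, host names and port numbers are constructed, and the loopback fixture binds an ephemeral port rather than the demo’s port 2. The audit function is the defender’s side of the picture: it flags a policy that would let any origin open sockets to any port on the host that serves it, which is the setting an intranet host should never expose.

```python
import socket
import threading
import xml.etree.ElementTree as ET

# Request string a Flash Player sends to a socket policy server (per Adobe's
# documentation); both request and response are NUL-terminated.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed policies. The first lets any origin open a socket to any port on
# the host that serves it; the second limits access to one origin and one port.
PERMISSIVE_POLICY = (
    b'<?xml version="1.0"?>\n'
    b'<cross-domain-policy>\n'
    b'  <allow-access-from domain="*" to-ports="*" />\n'
    b'</cross-domain-policy>\x00'
)
RESTRICTED_POLICY = (
    b'<?xml version="1.0"?>\n'
    b'<cross-domain-policy>\n'
    b'  <allow-access-from domain="intranet.example.invalid" to-ports="8443" />\n'
    b'</cross-domain-policy>\x00'
)


def parse_ports(spec):
    """Expand a to-ports value such as "80,443,8000-8100" into a set of ints.
    "*" means every port."""
    if spec.strip() == "*":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def audit_policy(policy_bytes):
    """Return a list of findings for a socket policy document; [] means nothing flagged."""
    root = ET.fromstring(policy_bytes.rstrip(b"\x00"))
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        spec = rule.get("to-ports")
        if domain == "*":
            findings.append('rule allows any origin (domain="*")')
        if spec is None:
            findings.append(f'rule for "{domain}" has no to-ports attribute')
            continue
        ports = parse_ports(spec)
        if spec.strip() == "*":
            findings.append(f'rule for "{domain}" allows every port (to-ports="*")')
        elif domain == "*" and any(p < 1024 for p in ports):
            low = sorted(p for p in ports if p < 1024)
            findings.append(f"rule exposes low ports {low} to any origin")
    return findings


def serve_policy_once(policy_bytes, host="127.0.0.1"):
    """Test fixture: answer exactly one policy request on a loopback port
    (ephemeral port is an assumption of this example) and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(64)
            if req.startswith(POLICY_REQUEST.rstrip(b"\x00")):
                conn.sendall(policy_bytes)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def fetch_policy(host, port):
    """Play the client side: send the policy request, read until the NUL terminator."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(POLICY_REQUEST)
        data = b""
        while not data.endswith(b"\x00"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        port = serve_policy_once(policy)
        served = fetch_policy("127.0.0.1", port)
        print(label, "->", audit_policy(served) or "no findings")
```

Run it directly and it performs the request/response round trip against itself for both policies; point `fetch_policy` at a host you administer to pull and audit the policy it actually serves.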
February 5th, 2007 at 6:36 pm
>>Do you know if this limits the Java socket from binding to those addresses as well, or is this limited to flash?
I think it’s limited to Flash..
>>How is it when you use Administrator?
It port scans everything very nicely, and returns the HTTP response from my web server.
When I run as a limited user I get:
Checking connectivity…
Connection failed.
Could not make a direct connection to the server.
Only port 1024 and higher can be scanned.
Please wait for 12 seconds…
CLOSED: port 3306
CLOSED: port 5432
CLOSED: port 8080
CLOSED: port 1080
CLOSED: port 1433
CLOSED: port 1434
CLOSED: port 1443
CLOSED: port 1521
CLOSED: port 5500
CLOSED: port 6000
CLOSED: port 6667
CLOSED: port 8008
CLOSED: port 31337
CLOSED: port 10000
>>It means that the FLASH couldn’t load a policy.
>>This is very complicated
Indeed, I sure don’t understand.. try to explain more ^.^
>>Are you Japanese?
Well, on the outside I’m technically white, but on the inside I have the Yamato spirit!
February 5th, 2007 at 10:42 pm
takuan-san
Thanks for the information.
It seems that there is a difference between Administrator and a limited user regarding network access.
Please try this command as both users (Administrator and a limited user).
——
telnet www.jumperz.net 1111
——
If the results are not the same, that is the reason.
>Well, on the outside I’m technically white, but on the inside I have the Yamato spirit!
The nickname “takuan” is the best ^^
February 6th, 2007 at 5:09 pm
Yeah, I think my Windows telnet is broken b/c I couldn’t connect at all. I tried from my Linux box with root and non-root and both worked fine.
After thinking about this a little bit I remembered that limited users can connect to any port, they just can’t bind the privileged ports below 1024. So it never should have made a difference in the first place. But what is weird now is that when I try it (tested only about 3-4 times with Opera & Firefox), it works! For whatever reason, I don’t get the
“Checking connectivity…
Connection failed.
Could not make a direct connection to the server.”
error anymore….
Weird.. I wonder what’s going on. Doing a packet dump, I verified that the source ports are in the 4500 range so user permissions should not be an issue..
>>The nickname “takuan” is the best ^^
Thank you! I am the monk Takuan Soho.
(Sorry, I read too much manga)
February 6th, 2007 at 5:21 pm
On second thought.. I’m stupid..
“Windows systems do not implement privileged ports. As a consequence, anybody can bind a TCP or UDP server on a low port.”
February 9th, 2007 at 11:06 am
takuan san
Can I ask your e-mail address?
My address is “anvil_at_jumperz.net”