Closed Bug 174590 Opened 22 years ago Closed 21 years ago

DNS "Pinning" behavior leads to security hole

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: eliasen, Assigned: darin.moz)

References

Details

The current behavior for DNS "pinning" leads to a security hole which allows
information to be sent to the wrong server, even without evil intent.  Scenario
is described below.

I believe that the current behavior to cache DNS entries forever is a standards
violation.  The standard for DNS, RFC 1035 states:

   - With the proper search procedures, authoritative data in zones
     will always "hide", and hence take precedence over, cached
     data.

   - Cached data should never be used in preference to
     authoritative data, so if caching would cause this to happen
     the data should not be cached.

DNS TTL information is not something that a single application should decide it
doesn't want to abide by.  

There has been some discussion that the current behavior is in response to a
"security" issue.  The current behavior, however, exchanges this for a more
common security problem, which occurs even if nobody is actively trying to steal
information.

 Refusing to abide by the TTL parameter from a DNS lookup is every bit as large
of a security hole, perhaps larger.  Using a cached, expired DNS lookup (such as
for those users using dynamic DNS services,) will end up sending the wrong
information to the wrong server, possibly an e-vil server.

Scenario:

1.  My home server, using DHCP, receives a dynamic IP address of 12.13.14.15

2.  I register the dynamic service myhome.dyndns.org to point to 12.13.14.15

3.  User Alice visits my web site, using Mozilla, and begins a transaction.

4.  My DHCP lease expires and I am given a new IP address of 12.200.200.200

5.  My server detects the change and automatically registers myhome.dyndns.org
to 12.200.200.200

6.  My old DHCP address, 12.13.14.15 is given to Bob Evil's computer.

7.  Alice finishes filling out a web form in Mozilla and submits it.  Mozilla
erroneously uses the cached IP address 12.13.14.15, and the data is incorrectly
sent to Bob Evil's computer.  

   The information sent may be stored in the HTTP log or may generate errors. 
Private cookies that allow the Bad Guys to forge Alice's session or impersonate
Alice will also be sent.

This bug also creates two major usability problems for Mozilla:

1.) I run a server from home on my DSL line.  My IP address changes
periodically, so I use a dynamic DNS service like dyndns.org.  This allows me to
use the same fully-qualified domain name that always maps to my home server.  It
works perfectly in every single application *except* Mozilla, which gives "Could
not connect to server" errors because it caches DNS entries forever.  Shutting
down the browser works, but it makes everyone think that my server is actually
down.  No other browser has this problem.

   This happens quite commonly with a dynamic IP address.  I've ended up hitting
other peoples' DSL routers (if they have no web site set up) instead of my own
server with Mozilla, even though I've registered a new IP address, and DNS
lookup gives the proper new address.

2.) Load-balanced or fail-safe corporate server farms that use round-robin DNS
are actually made *less* reliable using Mozilla's DNS caching mechanism.  If one
server is overloaded, taken down, or crashes, Mozilla is unable to connect using
the old, expired DNS entry.  This is one reason that some companies don't like
to use Mozilla.  It makes it appear that their web servers are down, when
they're actually available all the time due to clever fail-over and DNS-based
load balancing.
Severity: major → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Dupe of bug 162871. See also bug 151929 comment 7 : the 'pinning' is the result
of some security fix a while ago.
Oop, I misread. This was split off bug 162871 ofcourse.

BTW : my daytime job is for a for telecommunciations manufacturer (I'm the
developer of one the largest access servers in the world). Our software also
shows this 'pinning' behaviour for a very good reason : security. We monitor
remote clients and servers continuously for any change. We're not even fully
respecting the TTL, we'll query the real DNS-server at least once an hour just
to be sure if we can catch any change in address (TTL is basically useless if
it's too large).

But the difference is that we're *not* going to switch to the new ip-address
directly. We could easily have a DNS-server that was hijacked (already
happened), or that was misconfigured (happens even more :-). No, if the
ip-address is changed, we'll warn the operators to double-check if the change is
allowed (the remote address is controlled by a another network provider).

I agree that we have a problem with load-balancing webservers and webserver with
multiple addresses. We really should try all existing ip-addresses before
deciding that a webserver is unreachable.

But when the ip-address of your webserver changes (when we fixed bug 151929), we
should *not* use the new address automatically. What we should do is to warn the
user that the ip-address is changed, and ask permission to continue. This should
especially happen when we're in the middle of a transaction !
That behavior would cause a lot of user confusion. Most users don't even know
what DNS is; they will be annoyed to be prompted with warnings they don't
understand. When companies use products like Cisco DistributedDirector, DNS
information for a given hostname can change often. I really don't think we want
to pop an error or warning every time a user runs across this.
No, load balancing wouldn't be affected, you get only the warning when a
DNS-lookup changes to a completely different address, most likely because it
dynamic DNS address. A name that maps to 2 or more ip-addresses (poor-man load
balancing) won't trigger such a dialog. A hardware ip-switch hides several
servers behind 1 static ip-address - that won't change. A redirector that uses
regualar http-redirects to implement load-balancing (like used by Hotmail) won't
be affected.

If you really hate these dialogs to pop up, then I guess you want to remove
those security popups that occur on https-sites too (untrusted certificate, etc...).

I only want an extra dialog-box to warn me when an ip-address changes, so we can
avoid the Princeton exploit (see bug 149943), while avoiding the security
problem I see almost every week in my daytime job. The black-hat community is
really using these exploit to attacks access-servers all over the Internet.
Holding an ip-address in memory forever is a security problem, but allowing it
to be transparently changed is a security problem too! 
DistributedDirectors can and do change the IP address returned for a given
hostname on a regular basis (with a short TTL on the A record). That is one of
their features, and people do use it. It WILL cause your proposed dialog to be
triggered under normal circumstances. 

If the SSL cert matches, you're fine (or you have bigger problems). If you're
not using SSL, you have no assurance that you're talking to who you think you're
talking to anyway. There's no security to begin with when you're relying on DNS
alone.


This problem manifests itself at http://www.techtv.com/ which sends rather
short-lived TTL information for its A record.  After going for food and trying
to reload a page, I got "could not connect to server" errors.  From
packet-sniffing my connection, I could see that Mozilla was trying to use an
incorrect IP address that did not match authoritative DNS data.  Other browsers
worked fine.

Restarting Mozilla fixed the problem.
This bug also occured today on the extremely popular sites
http://www.amazon.com/ and http://us.imdb.com/

These sites use Coyote Systems Equalizer which tends to hand out DNS records
with a TTL of about 60 seconds.  Verified via packet sniffer that Mozilla was
not sending to the authoritative IP address as returned by DNS.  Repeatedly got
"could not connect to server" error.  Other browsers were able to connect.
I'm curious as to how the current security "fix" improves matters any.  If the
DNS record is already compromised when you start up Mozilla, then this will
"pin" to the compromised address for the whole time Mozilla is running.  If the
DNS server gets "uncompromised," you'll be pinned to the evil server and never
pick up the right one! 

There is no reason to believe that the address returned at whatever random
moment you first did a DNS lookup of a site is secure and other subsequent times
would be more insecure.  The "security fix" seems valueless, as it is based on
flawed assumptions.

The timing is completely random, based on the time you start Mozilla.  This is
the worst type of "security fix," one that not only leads to a false sense of
security, but is simply unable to improve security, and a violation of
standards, and opens other, more common security holes and usability problems
that don't require evil intent.  The "security fix" should simply be removed as
its benefit is purely illusory.
Re: Comment #8.

You've mis-understood the problem pinning fixes. The problem is this: Let's say
that I, an evil attacker at www.evil.com, want to connect to a host behind your
firewall. Well, my problem is that darn firewall blocking me.

One day, I notice that JavaScript could be used to do it, except that JavaScript
can only make connections to the host it was downloaded from. So, being the Evil
Attacker that I am, I wonder "what exactly is defined as the 'same host'?" I
find out that it is a DNS based definition, so same host means 'same hostname'.
I then realize that I could set up an evil DNS server, with the following
behavior: On the first hit from your IP address, it returns 208.225.90.120, my
Evil IP Address; on the second hit, it returns 192.168.1.1, the
behind-the-firewall IP I want to attack.

So, here's what happens:
   1) You visit www.evilporn.com (or whatever)
   1(a) The IP address is 208.225.90.120
   2) You download some javascript from www.evilporn.com. This javascript
      sets itself up to do some stuff after the TTL on www.evilporn.com
      expires.
   3) The JavaScript timer fires. It attempts to access 'www.evilporn.com'
   4) Security policies see that javascript is trying to access its own
      server, which is OK.
   5) you resolve www.evilporn.com
   5(a) The IP address is 192.168.1.1
   6) Javascript hacks your host 192.168.1.1.

Pinning stops 5(a) by making the IP address still be 208.225.90.120, so I wind
up attacking myself.
How about, when a page is retrieved, the hostname/ip address of where that page
was retrieved from is cached with that page, and any javascript on that page
will always use that cached ip address for any 'same host' communication.  

I've been bit by this a couple of times, just recently with sourceforge when
they changed to a new IP.
How does pinning of hostname->address help security anyway?

I guess that (please correct me if I'm wrong) JavaScript in a document from host
www.evil.com can not only access the DOM of documents from the same host, but
also from evil.com. If that is true, slightly modifying the attack that led to
the implementation of pinning would render that countermeasure completely
useless (leaving only its ugly side-effects):

In the DNS, attacker has:

www.evil.com A 1.0.0.1 ; address in the attacker's network
evil.com     A 10.0.0.1 ; some address in the internal network of $victim

Now, when $victim loads <URL:http://www.evil.com/>, a JavaScript on that page
could (if my assumption is correct) access evil.com, which is a host on
$victim's network. No changes of IP-addresses involved, hence pinning won't
defeat this attack.
> please correct me if I'm wrong

You are wrong.  www.evil.com and evil.com are totally distinct for security
purposes; the only way for one to access the other is if they both set
document.domain to evil.com.
>> please correct me if I'm wrong

> You are wrong.  www.evil.com and evil.com are totally distinct
> for security purposes; the only way for one to access the other
> is if they both set document.domain to evil.com.

I am sorry, I need to insist. According to the documentation at
<URL:http://www.mozilla.org/projects/security/components/same-origin.html>, in
my example, the attacker on http://www.evil.com could legally set
document.domain="evil.com"; making his evil pages' equivalent origin the *same*
as the origin of the $victim's internal server at http://evil.com, eventually
allowing him access.

I hope I'm not still mistaken with this extended description.

Thank you for replying during your vacation, btw.
Boris is right, both pages have to set document.domain="evil.com" explicitly
(even if that's the implicit value for one of the sites) in order to prevent
just the attack you propose. This was not always the case and old documentation
may not have caught up. IE 6.0 SP1 reportedly also made the change to require
both pages to have set document.domain explicitly. That's a completely different
problem so please don't drag it into the discussion on DNS pinning.
*** Bug 205148 has been marked as a duplicate of this bug. ***
->darin
Assignee: mstoltz → darin
Note that the patch in bug 205726 (nsDnsService rewrite) contains a preference
to disable DNS pinning (default remains enabled).
Depends on: 205726
ok, now that the patch for bug 205726 has landed, DNS pinning is now a think of
the past.  this bug is fixed (note: on the trunk only).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
V fixed.
Status: RESOLVED → VERIFIED
QA Contact: bsharma → benc
You need to log in before you can comment on or make changes to this bug.