Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/18/2007
07:13 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hack Sneaks Past Firewall to Intranet

Black Hat researcher will demonstrate yet another way to use DNS pinning bug to get inside the corporate network

The DNS pinning bugs just keep coming: A researcher has proven you can bypass the corporate firewall by converting the victim's browser into a proxy server. (See Old Flaw Threatens Web 2.0.)

David Byrne, security architect for EchoStar Satellite, will demonstrate next month at Black Hat USA how the DNS pinning (a.k.a. DNS rebinding) vulnerability in Java can be used to leap past the perimeter firewall and access the corporate intranet. The browser basically becomes a proxy server for the attacker.

"Everyone is at risk, and for a long time they've been relying on their network firewalls to protect them from an attack like this," Byrne says. "This is one method of bypassing perimeter firewalls... In the end, you can't completely trust your perimeter firewalls."

DNS pinning/rebinding is not a new vulnerability, but it will be one of the big topics at Black Hat, thanks to a resurgence of research on the bug in the past few months. It's found in browsers, Java, Flash, and Adobe, and has some serious implications for Web 2.0-type apps that pack more code and action onto the client.

Another Black Hat researcher, Dan Kaminsky, director of penetration testing for IOActive, will demonstrate a proof-of-concept exploit that lets attackers set up a VPN connection straight to the victim's corporate network.

Byrne's approach to exploiting the bug is different. He has written a tool that automates changes to DNS and firewall rules, as well as for sending commands to the attack payload. He'll first show a JavaScript-based attack/payload that "tunnels" HTTP traffic to any server on the victim's corporate network. It will exploit cross-site scripting, SQL injection, and other server flaws to extract sensitive data.

Next he'll use a JavaScript-Java applet combination to turn the browser into a Web proxy, providing access inside. Most protocols (not just HTTP) can be tunneled this way -- through the browser to the intranet, Byrne says.

"I’ll also discuss how payloads can be created in Adobe Flash, and in pure Java" rather than JavaScript, he says. Byrne's presentation will be on Wednesday, August 1.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • EchoStar Satellite LLC
  • Black Hat Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    Exploiting Google Cloud Platform With Ease
    Dark Reading Staff 8/6/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-16168
    PUBLISHED: 2020-08-07
    Temi firmware 20190419.165201 does not properly verify that the source of data or communication is valid, aka an Origin Validation Error.
    CVE-2020-8025
    PUBLISHED: 2020-08-07
    A Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Tumbleweed sets the permissions for some of the directories of the p...
    CVE-2020-8026
    PUBLISHED: 2020-08-07
    A Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. This issue affects: openSUSE Leap 15.2 inn version 2.6.2-lp152.1.26 and prior...
    CVE-2020-16219
    PUBLISHED: 2020-08-07
    Delta Electronics TPEditor Versions 1.97 and prior. An out-of-bounds read may be exploited by processing specially crafted project files. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.
    CVE-2020-16221
    PUBLISHED: 2020-08-07
    Delta Electronics TPEditor Versions 1.97 and prior. A stack-based buffer overflow may be exploited by processing a specially crafted project file. Successful exploitation of this vulnerability may allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.