Vulnerabilities in the way websites resolve email domains have left many sites open to DNS attacks that can lead to account hijacking, new research shows.
In a study of 146 web applications, Timo Longin, security researcher at SEC Consult, found misconfigurations that malicious actors could exploit to redirect password reset emails to their own servers.
DNS cache poisoning
Most websites have a ‘forgotten password’ feature that sends a message to the user’s email with a link or one-time passcode enabling them to reset their password or regain access to their account. The goal of the study was to find out whether an attacker could force the application to send these emails to an arbitrary server.
For this to happen, the attacker must carry out DNS cache poisoning, where the domain name of the target user (e.g., gmail.com or example.com) is resolved to the IP address of a server the attacker controls.
The study was focused on two well-known and well-documented attacks. One is known as the ‘Kaminsky attack’, named after late security researcher Dan Kaminsky, who reported it first in 2008. The Kaminsky attack takes advantage of low-entropy port assignment in web servers to intercept DNS resolution requests and send forged responses.
The second technique, known as an IP fragmentation attack, was first reported in 2013. In this scheme, the attacker takes advantage of the limited buffer size of server responses to send malicious packets.
“In internal security assessments, it is common practice to exploit the ‘forgot password?’ feature of internal web applications to obtain password reset URLs in emails,” Longin told The Daily Swig.
“This is easy to do in a local network, as malicious-in-the-middle attacks can be done using ARP spoofing to redirect password reset emails sent by web applications to the attacker. Based on this attack vector, and with the potentially devastating consequences in mind, an attempt was made to apply this concept to web applications on the internet.”
Malicious DNS responses
Longin analyzed the DNS resolution process of 146 web applications. He set up his own domain and authoritative DNS server (ADNS) and developed his own DNS proxy to resolve domain names, along with a tool for logging DNS responses.
He then manually registered users on each website using subdomains of his custom domain and logged the responses to different attack schemes.
After 20 hours of registering users and hundreds of hours of analyzing the logs, he found two applications to be vulnerable to Kaminsky attacks and 62 vulnerable to IP fragmentation attacks.
“DNS attacks via IP fragmentation are probably not as known as, for example, the Kaminsky attack. I had to take a deep look into this topic to actually find out that IP fragmentation attacks are a thing,” Longin said, adding that IP fragmentation attacks are very complex and not that easy to exploit.
He also pointed out that “protection against IP fragmentation attacks most of the times doesn’t come right out of the box. Meaning that some configuration effort may be required.”
One common problem he observed in vulnerable servers was the absence or misconfiguration of security features such as DNSSEC and DNS cookies. Interestingly, these are features have existed for years but continue to be ignored by server administrators.
Protecting web servers
Due to ongoing disclosure and patching processes, SEC Consult did not release the names of the vulnerable websites.
While the study comprises 146 web applications, many others are certain to be vulnerable, Longin warns. Using large DNS providers such as Google, Cloudflare, and Cisco can help to protect sites as these providers are quick to implement security measures.
But a reliable DNS provider is not enough to stop attacks. The DNS resolution process involves many parties and there are many ways things can go wrong.
SEC Consult has released DNS Reset Checker, an open source tool that assesses the security of DNS resolvers of web applications. Longin also suggests using guidelines from Google and DNS Flag Day to secure DNS resolution processes.
Source: https://portswigger.net/daily-swig/dozens-of-web-apps-vulnerable-to-dns-cache-poisoning-via-forgot-password-feature