Archive for the ABE Category

Web-based router hacking is hardly a new topic, but new variants pop up from time to time.

The most obvious attacks against a router which malicious web sites can pull are CSRF, XSS and DNS Rebinding. Of course changing the default password of your router helps mitigating these threats a lot, but unfortunately it's not enough if you happen to be already logged in the administrative console, or if your device is affected by any of the commonplace holes which are left open by an unsafe development attitude, on the flawed assumption that just because a vulnerable service is not exposed on the internet side it can't be reached by an internet attacker (see this HNAP D-Link Hack for a glaring example).

NoScript's ABE module has been protecting routers and intranet web resources against this kind of attacks for a long time, thanks to the following built-in SYSTEM rule:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

However security researcher Craig Heffner, interviewed by Andy Greenberg on his "The Firewall" Forbes blog, recently announced a new DNS Rebinding variant which can be used to remotely control your router and (the scary part) allegedly bypasses the defenses provided by NoScript against this class of attacks.

Even though the details are still to be presented -- together with an automated attack tool! -- at the BlackHat USA 2010 conference (today or tomorrow), al_9x, one of the most active members of the NoScript community, provided a very convincing speculative assessment of the new threat, based on the sparse data found in this briefing summary, and also a simple and clever suggestion for a remedy:

Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggerring ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.

I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.

And so it does now :)

Since version 2.0rc5, released past week, NoScript detects your public (WAN) IP by sending a completely anonymous query on a secure channel to https://secure.informaction.com/ipecho, then treats it as a local address when enforcing its policies against CSRF and DNS Rebinding.

There are a few optimizations, meant to reduce the traffic to less than two hundreds of bytes per user per day (and prevent my servers from melting down), but if you do notice this background request, now you know what it is about (it is also mentioned in the NoScript's Privacy Policy, BTW). This new feature, enabled by default, can be disabled at any time by clearing the NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL checkbox *.

Now, let's just hope al_9x's guess is correct.
I'm quite confident it is, but if it's not, expect a brand new ABE protection feature in a week or so, anyway :)

Update

Looks like al_9x was entirely correct, indeed :)

* Note for network administrators

This feature tries to be nice: device fingerprinting can be turned off by sending a "X-ABE-Fingerprint: Off" HTTP header, and fingerprinting requests are identified by a "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" User-Agent header. Furthermore, custom local subnets or IPs can be configured as a space-separated list in the noscript.abe.localExtras about:config preference.

Interesting idea by Samy (yes, that Samy):

Here is a proof of concept in what I'm calling NAT Pinning ("hacking gibsons" was already taken). The idea is an attacker lures a victim to a web page. The web page forces the user's router or firewall, unbeknownst to them, to port forward any port number back to the user's machine. If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

In short, he exploits a smart mechanism in modern network equipment, which graciously and "magically" NATs on the fly arbitrary ports when certain handshake patterns are detected in outbound traffic, allowing (usually older) protocols which require a "call back" connection (like FTP, IRC or SIP) to work properly.

Good news is that ABE can prevent exploitation without hampering the useful functionality. If you're concerned about this issue, you just need to open NoScript Options|Advanced|ABE and edit the "USER" ruleset, adding the following rule:

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny

Bad news is that Java, Flash, Silverlight and maybe other plugins can open raw sockets bypassing any browser control, including ABE. Just another reason to keep them at bay.

Thanks to Thoughtcrime for bringing this to my attention, and to Samy for the chat we had this afternoon.

Seven months ago Andy Steingruebl, PayPal's Secure Development Manager, contacted me to know whether a future NoScript version could support server-side activation of its HTTPS-enforcing features, preferably with a more robust approach than the cookie-based one seen in the original Barth & Jackson's "ForceHTTPS" proof-of-concept. Such a potential development had obvious positive implications for e-commerce businesses and secure websites in general, hardening them against session hijacking attacks. I proposed a X-Force-HTTPS response header, to be ignored if coming through an insecure connection, otherwise switching on or off the "HTTPS-only" policy for the sending host. A dedicated persistence mechanism on the client side, immune from any accidental or malicious override, was meant to overcome the obvious intrinsic limits of cookies. The discussion seemed to die there, though.

Three months later, on May the 1st 2009, Steingruebl sent me another email, introducing Jeff Hodges, a PayPal security researcher who was preparing a specification draft for a refined "X-Force-HTTPS" header, renamed as X-Force-TLS. They were hoping to get a reference implementation in NoScript, and I would have really liked to help, but the timing could not be worse: I was already working around the clock for the first ABE public release, due on May the 25th, and as if that wasn't enough, just some hours earlier the Adblock Plus "scandal" had exploded all over the Internet, taking away the peace of mind required to sustain NoScript's traditionally allegro development rhythm. So, after releasing ABE, I spent my summertime focusing on its user-driven stabilization, and the X-Force-TLS sub-project went in the fridge. In the meanwhile an experimental implementation had been provided by Sid Stamm as a standalone extension for Firefox. Sid is a Mozilla guy who's very active on CSP as well, so this might be seen an encouraging hint to future support in the core browser.

However one week ago the security staff of a (quite easy to guess) leader Asian e-commerce player, which has been closely following the development of NoScript's "WebAppSec-oriented" features such as ABE, ClearClick and Anti-XSS Injection Checker, asked me whether I could estimate a date for implementing a server-side switch mechanism for HTTPS enforcement, just like the one discussed earlier with PayPal. They were eager to deploy this kind of protection as soon as possible, even in October, as part of a client security campaign involving a "Safest with Firefox + NoScript" recommendation. Therefore I decided to unfreeze my own X-Force-TLS implementation and, after a quick assessment, I committed to inclusion in NoScript 1.9.8.9, scheduled for release this week. As an incredible coincidence, on day later I noticed a message from Jeff Hodges on the WHATWG mailing list, announcing the Strict Transport Security draft, a more formal and public "X-Force-TLS" header proposal, renamed again as Strict-Transport-Security and about to be implemented in the not-too-distant future by Chrome, too. So I immediately forwarded the exciting news to the interested Asian party and made the necessary HTTP header renaming in my code for NoScript 1.9.8.9, announcing its impending release.

And here we are, with NoScript providing the first public Strict-Transport-Security user agent implementation. If you're in charge of a secure web site, please refer to the aforementioned specification to increase the reliability of your SSL deployment. If you're a NoScript user, just keep relying on it as always, knowing that your online transactions are going to become safer during the incoming months, as adoption among secure web properties grows. And if you're a power user and you prefer not to wait for them, don't forget that NoScript can already force any website to use secure connections only, at your whim.

Many people use their hosts file for resources blocking purposes, especially against ads or known malicious sites.

Since your hosts file takes precedence over your DNS in domain name resolution, you can redirect undesired domain to invalid IP addresses, saving both bandwidth and CPU because resolved IPs are cached.

Unluckily, most information sources about this useful technique, including the Wikipedia article above, instruct the reader to use 127.0.0.1 (the local loopback IP) as the dead-end destination, rather than a truly invalid address such as 255.255.255.0. This is not very smart, especially if you installed a web server on the loopback interface (like many web developers do), because you're spamming it with dummy requests whenever you browse an ad-laden web site.

Furthermore, I'm currently receiving several reports about ABE warnings popping up everywhere. If you read my post about ABE yesterday, you know that it ships with a built in "SYSTEM" ruleset containing just one rule which alone implements the whole LocalRodeo functionality:

# Prevent Internet sites from requesting LAN resources. Site LOCAL Accept from LOCAL Deny

Such a rule blocks any HTTP request for resources placed in your local network, including localhost (127.0.0.1) and any other LAN IP, unless it is originated from your local network as well. This protects your internal servers and devices (e.g. routers and firewalls exposing web interfaces) against CSRF and XSS attacks performed from the internet.

As a side effect, though, if you're redirecting arbitrary hosts to 127.0.0.1, you'll get bombed by a storm of ABE warnings whenever those sites are linked from external web sites. The solution is simple: just open your host file and replace

127.0.0.1

with

255.255.255.0

everywhere it's used to block something, but being careful to keep

127.0.0.1

on the

localhost

entry and other really local domains, if any.

Update:

NoScript 1.9.5.5 beta automatically suppresses notifications for the commonest case covered here (HTTP requests for a domain name resolving to 127.0.0.1 on the default port), and also introduces an option to disable all ABE notifications.

ABEI'm pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.

It's been quite a long development journey since my first announcement, made possible by NLNet's foresight, and it required more than one month of beta testing: among the thousands of testers victims I inflicted twenty builds upon, I must especially thank therube, GµårÐïåñ, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to aid debugging and optimization. A special thanks goes also to Edoardo "Sirdarckcat" Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions to model the threats which ABE can counter react.

Great but.. now that I've got ABE, what can it do for me?

If you've got latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you'll notice a new "ABE" tab in NoScript Options|Advanced. There you can find a list of the loaded "Rulesets", i.e. groups of firewall-like rules (syntax specification PDF).
Rulesets can be:

  1. Built-in like the "SYSTEM" ruleset, shipping with ABE and meant to provide automatic protection against "general" threats; you don't want to edit them unless you know exactly what you're doing.
  2. User-defined like the "USER" ruleset, which is empty for you to customize according to your needs.
  3. Subscription-provided, coming from a centralized location which delivers "trusted" rules (not supported yet).
  4. Site-specific, created and made automatically available by site developers or administrators to protect their own web applications.

All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.

Drop-in LocalRodeo replacement

The "SYSTEM" built-in ruleset currently contains just one rule definition:

Site LOCAL
Accept from LOCAL
Deny

This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario does not sound new to you, maybe you've heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threats. In facts, the default ABE configuration shipping with NoScript 1.9.5 and above is as effective as LocalRodeo at least, but more performant, especially when DNS queries are involved, and much more flexible, since it's not limited to this specific attack scenario: if you're using both NoScript and LocalRodeo, it's time to uninstall the latter.

ABE for web authors

While centralized subscriptions aimed to protect the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting how to protect your own web application by enforcing your own rules.
Just deploy your

rules.abe

file at the root of your HTTPS site and be sure to check Allow sites to push their own rules in the ABE options panel. This preference is initially disabled in 1.9.5, but this default will be likely inverted in next stable iteration, as soon as it gets enough testing.
More details here.

Bad Behavior has blocked 1271 access attempts in the last 7 days.