[ISN] ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses

From: InfoSec News (alerts@private)
Date: Sun Apr 20 2008 - 22:29:11 PDT


http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html

By Ryan Singel 
Threat Level
Wired.com
April 19, 2008

Seeking to make money from mistyped website names, some of the United 
States' largest ISPs instead created a massive security hole that 
allowed hackers to use web addresses owned by eBay, PayPal, Google and 
Yahoo, and virtually any other large site.

The vulnerability was a dream scenario for phishers and cyber attackers 
looking for convincing platforms to distribute fake websites or 
malicious code.

The hole was quickly and quietly patched Friday after IOActive security 
researcher Dan Kaminsky reported the issue to Earthlink and its 
technology partner, a British ad company called Barefruit.  Earthlink 
users, and some Comcast subscribers, were at risk.

Kaminsky warns that the underlying danger lingers on.

"The entire security of the internet is now dependent on some random-ass 
server run by some British company," Kaminsky said.

At issue is a growing trend in which ISPs subvert the Domain Name 
System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the 
domain name into an IP address such as 72.246.49.48. But if a particular 
site does not exist, the DNS server tells the browser that there's no 
such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that 
Non-Existent Domain (NXDOMAIN) response and sends the IP address of 
ad-partner Barefruit's server as the answer. When the browser visits 
that page, the user sees a list of suggestions for what site the user 
might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a 
real website, such as http://webmale.google.com, where the subdomain 
webmale doesn't exist (unlike, say, mail in mail.google.com). In this 
case, the Earthlink/Barefruit ads appear in the browser, while the title 
bar suggests that it's the official Google site.

As a result, all those subdomains are only as secure as Barefruit's 
servers, which turned out to be not very secure at all. Barefruit 
neglected basic web programming techniques, making its servers 
vulnerable to a malicious JavaScript attack. That meant hackers could 
have crafted special links to unused subdomains of legitimate websites 
that, when visited, would serve any content the attacker wanted.
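As an added example (not part of the Wired article or the InfoSec News post), a small Python check for the resolver behaviour described above: it looks up random labels under a zone and reports whether the resolver answers them with an address instead of NXDOMAIN. The function names, the example.com zone and the addresses are constructed for the example; the two stand-in resolvers imitate an honest resolver and a rewriting one so the check runs offline, and only `system_resolve` touches real DNS.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # returns an IP, or None for NXDOMAIN

def random_label(rng: random.Random, length: int = 12) -> str:
    """Build a random label that is effectively certain not to exist."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))

def system_resolve(name: str) -> Optional[str]:
    """Ask the OS resolver; None stands for NXDOMAIN / no address."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_nxdomain_rewriting(zone: str, resolve: Resolver = system_resolve,
                             probes: int = 5, seed: Optional[int] = None) -> Dict[str, object]:
    """Probe random non-existent names under `zone`.

    An honest resolver answers NXDOMAIN (None) for every probe. A rewriting
    resolver returns an address for every probe, usually the same one (the
    ad partner's landing server). That host then serves content under the
    zone's own name, so those names are only as secure as that server.
    """
    rng = random.Random(seed)
    names = [f"{random_label(rng)}.{zone}" for _ in range(probes)]
    answers = {name: resolve(name) for name in names}
    resolved = [ip for ip in answers.values() if ip is not None]
    return {"zone": zone, "answers": answers,
            "rewriting": len(resolved) == probes,      # no NXDOMAIN at all
            "landing_ips": sorted(set(resolved))}      # where the probes landed

# Constructed stand-ins so the check runs offline; the addresses are
# documentation-range placeholders, not real servers.
KNOWN = {"mail.example.com": "192.0.2.10"}

def constructed_honest_resolver(name: str) -> Optional[str]:
    return KNOWN.get(name)  # unknown names get NXDOMAIN

def constructed_rewriting_resolver(name: str) -> Optional[str]:
    return KNOWN.get(name, "198.51.100.7")  # unknown names land on the "ad server"

if __name__ == "__main__":
    # Swap the stand-in for system_resolve to test the resolver you actually use.
    print(check_nxdomain_rewriting("example.com", constructed_rewriting_resolver, seed=1))
    print(check_nxdomain_rewriting("example.com", constructed_honest_resolver, seed=1))
```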

The hacker could, for example, send spam e-mails to Earthlink 
subscribers with a link to a webpage on money.paypal.com. Visiting that 
link would take the victim to the hacker's site, and it would look as 
though they were on a real PayPal page.

Kaminsky demonstrated the vulnerability by finding a way to insert a 
YouTube video from 80s pop star Rick Astley into Facebook and PayPal 
domains. But a black hat hacker could instead embed a password-stealing 
Trojan. The attack might also allow hackers to pretend to be a logged-in 
user, or to send e-mails and add friends to a Facebook account.

Earthlink isn't alone in substituting ad pages for error messages, 
according to Kaminsky, who has seen similar behavior from other major 
ISPs including Verizon, Time Warner, Comcast and Qwest. Earlier this 
month, Network Solutions, one of the net's largest domain name 
registrars, was caught creating link farms on nonexistent subdomains of 
websites owned by its own customers.

DNS expert Paul Vixie, who is the president of the nonprofit Internet 
Systems Consortium, says the problem Kaminsky found isn't with the core 
internet protocols, which he could fix, but instead is a "problem 
exacerbated by inappropriate monetization of certain DNS features."

Vixie compared this ISP behavior to Verisign's 2003 Site Finder project, 
which it unilaterally launched in September 2003 and then shut down a 
month later.

In that case, VeriSign, which controls the sales of .com and .net 
top-level domains through a contract with the U.S. government, began 
directing users who mistyped domain names to its own servers, where it 
presented paid search results.

The move outraged the technical community and eventually led to an ICANN 
commission report (.pdf) condemning the practice and an unsuccessful 
VeriSign lawsuit against ICANN.

"Sitefinder showed that [Non-Existent] domain re-mapping is bad for the 
community," Vixie said. "This would be an example of why it is bad."

While Barefruit fixed the immediate JavaScript hole, the underlying 
problem -- that large ISPs are ignoring a core internet practice to make 
money and pretending to be sites that don't exist -- means every site on 
the net remains vulnerable in ways they have no control over, according 
to Kaminsky.

Kaminsky said he'd talked this week to many internet companies who were 
pissed, though not at him.

"I can't secure the web as long as ISPs are injecting other content into 
web pages," he said.

The hole shows the risks of allowing ISPs to violate Net Neutrality 
principles that seek to keep the internet a series of dumb pipes, 
according to Kaminsky.

"There's no contractual obligation for ISPs not to change content and 
inject ads," Kaminsky notes.

For its part, Earthlink says the Barefruit ad pages are useful to users.

"We offer DNS error functionality for our customers through Barefruit to 
enhance our users' experience, and we work closely with Barefruit to 
provide a safe and convenient way for them to find the destination 
they're looking for online," Earthlink spokesman Chris Marshall said via 
e-mail. "We believe that the service provides a positive experience for 
our Internet users."

Barefruit echoes the sentiment.

"Barefruit endeavors to ensure online security while providing an 
improved internet user interface by replacing unhelpful and confusing 
error messages with alternatives relevant to what the user was seeking," 
Barefruit's Dave Roberts said via e-mail.

For Vixie, however, the issue is simple.

"I really feel if someone goes to a website that does not exist, they 
ought to see an error message," Vixie said.

Earthlink customers who do not wish to use the service can instead use 
different Earthlink DNS servers. Anyone can also use OpenDNS, a start-up 
that also provides ad pages on domains that don't resolve, but does so 
without pretending to be the other site.

News of this massive security hole, created by compromising net 
neutrality for profit, comes just two days after the Federal 
Communications Commission held a hand-wringing public forum at Stanford 
University over whether it should punish Comcast for its violation of 
standard internet practices. The broadband provider was caught sending 
fake packets to its users in order to reduce the bandwidth consumed by 
peer-to-peer applications.

Kaminsky is demoing the hole publicly on Saturday at the Toorcon 
security conference in Seattle.

Kaminsky, a well-respected security expert, is perhaps best known for 
cleverly proving that a spyware rootkit Sony included on music CDs 
infected computers in more than half a million computer networks in 
2005.


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
