Client-Side Name Collision Vulnerability in the New Gtld Era: a Systematic Study
Total Page:16
File Type:pdf, Size:1020Kb
Session D5: Network Security CCS’17, October 30-November 3, 2017, Dallas, TX, USA Client-side Name Collision Vulnerability in the New gTLD Era: A Systematic Study Qi Alfred Chen, Matthew Thomas†, Eric Osterweil†, Yulong Cao, Jie You, Z. Morley Mao University of Michigan, †Verisign Labs [email protected],{mthomas,eosterweil}@verisign.com,{yulongc,jieyou,zmao}@umich.edu ABSTRACT was recently annouced (US-CERT alert TA16-144A), which specif- The recent unprecedented delegation of new generic top-level do- ically targets the leaked WPAD (Web Proxy Auto-Discovery) ser- mains (gTLDs) has exacerbated an existing, but fallow, problem vice discovery queries [79, 87]. In this attack, the attacker simply called name collisions. One concrete exploit of such problem was needs to register a domain that already receives vulnerable internal discovered recently, which targets internal namespaces and en- WPAD query leaks. Since WPAD queries are designed for discover- ables Man in the Middle (MitM) attacks against end-user devices ing and automatically conguring web proxy services, exploiting from anywhere on the Internet. Analysis of the underlying prob- these leaks allows the attacker to set up Man in the Middle (MitM) lem shows that it is not specic to any single service protocol, but proxies on end-user devices from anywhere on the Internet. little attention has been paid to understand the vulnerability status The cornerstone of this attack exploits the leaked service dis- and the defense solution space at the service level. In this paper, covery queries from the internal network services using DNS- we perform the rst systematic study of the robustness of internal based service discovery. With over 600 services registered to sup- network services under name collision attacks. port DNS-based service discovery [41], the name collision prob- We rst perform a measure study and uncover a wide spectrum lem seems likely to be much broader than the WPAD service alone. of services aected by the name collision problem. We then collect However, previous work primarily focus on analyzing and prevent- their client implementations and systematically analyze their vul- ing name collisions at the new gTLD registry and the network lev- nerability status under name collision attacks using dynamic anal- els [44, 87, 95, 102], little attention has been paid to understand ysis. Out of the 48 identied exposed services, we nd that nearly the vulnerability status and the defense solution space at the ser- all (45) of them expose vulnerabilities in popular clients. To demon- vice level. Since services are the direct victims of name collision strate the severity, we construct exploits and nd a set of new name attacks, it is necessary to provide service-level solutions so that collision attacks with severe security implications including MitM they can proactively protect themselves. More importantly, since attacks, internal or personal document leakage, malicious code in- the underlying cause is the domain name resolution in an unin- jection, and credential theft. We analyze the causes, and nd that tended namespace, compared to defenses at other levels, only the the name collision problem broadly breaks common security as- service clients, the actual issuers of the exploited queries, know sumptions made in today’s service client software. Leveraging the the intended namespace and thus have the chance to fundamen- insights from our analysis, we propose multiple service software tally solve the problem. level solutions, which enables the victim services to actively de- In this paper, we perform the rst systematic study of the ro- fend against name collision attacks. bustness of the service client design and implementations under the name collision attack threat model for internal network ser- vices using DNS-based service discovery. Our goal is to systemat- 1 INTRODUCTION ically identify client-side name collision vulnerability in the client software, which causes the client to mistakenly accept the iden- With the unprecendented delegation of new generic top-level do- tity of a name collision attack server. Our results are expected to mains (gTLDs) since late 2013, increasing amounts of leaked in- serve as a guideline for understanding whether and why a certain ternal domain name system (DNS) namespace queries are now client software is vulnerable, as well as providing insights on how resolvable in the public DNS namespace [102]. This has exacer- to mitigate against this emerging class of attacks. To perform the bated a long existing problem, which has been lying fallow, called study, we rst measure the services that are exposed to potential name collisions, in which a DNS query is resolved in an unin- name collisions today by analyzing the leaked queries to the dele- tended namespace [44, 102]. One concrete exploit of such problem gated new gTLDs. Based on the measurement, we form an exposed service dataset with 80 services with high volumes of service dis- Permission to make digital or hard copies of all or part of this work for personal or covery query leaks. Compared to the recent study on the WPAD classroom use is granted without fee provided that copies are not made or distributed service [87], our study for the rst time uncovers the wide spec- for prot or commercial advantage and that copies bear this notice and the full cita- tion on the rst page. Copyrights for components of this work owned by others than trum of services aected by the name collision problem and the the author(s) must be honored. Abstracting with credit is permitted. To copy other- potential security implications. wise, or republish, to post on servers or to redistribute to lists, requires prior specic With the set of exposed services, we manually collect their client permission and/or a fee. Request permissions from [email protected]. CCS’17, Oct. 30–Nov. 3, 2017, Dallas, TX, USA. software, with prioritization for services with higher query leak © 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM. volumes and clients that are more popular among corporate or end 978-1-4503-4946-8/17/10...$15.00 DOI: 10.1145/3133956.3134084 1 941 Session D5: Network Security CCS’17, October 30-November 3, 2017, Dallas, TX, USA users. In total, we are able to collect 57 client implementations cov- on the exposed services today and characterize their designed func- ering 48 exposed services. To systematically perform vulnerability tionality and the potential security implications. analysis, we develop a dynamic analysis framework capable of ana- • We collect the client implementations for the exposed ser- lyzing the clients in a simulated name collision attack environment. vices and systematically analyze their vulnerability status under The analysis is performed by constructing attack server responses, name collision attacks leveraging a dynamic analysis framework. and a vulnerability is revealed if the client accepts the responses Our results show that nearly all the exposed services have popu- and proceeds with the designed service functionality. lar clients vulnerable due to several common design choices. This From the vulnerability analysis, our results reveal that nearly all suggests that the name collision attack threat model broadly breaks (45) of these 48 services have popular clients vulnerable due to sev- common security assumptions made in the service clients today. eral common software design or implementation choices. We nd • Based on the analysis results, we construct exploits and re- that the lack of server authentications, which is also exhibited in port our ndings of a myriad of new name collision attacks with the WPAD exploit, is the root cause for one third of these vulnera- severe security implications, including MitM attack, malicious li- ble services. For the remaining two thirds, their clients do use stan- brary injection, credential theft, etc. These ndings show high end- dard server authentications by default, leveraging TLS certicates to-end exploitability of identied vulnerabilities in practice. or pre-shared keys (PSK). However, nearly all clients using TLS cer- • We identify several fundamental vulnerability causes, in- ticates are found vulnerable due to the default choice of accepting cluding a cause newly introduced by the name collision problem, publicly-valid but previously-unseen certicates from a colliding the lack of namespace dierentiation. Based on the insights, we domain. For the clients using PSK, we nd that majority (88.1%) propose a set of service software level solutions, which enables the of them are vulnerable since they do not enforce server authenti- victim services to actively defend against name collision attacks. cation. We also nd a common vulnerable design choice specic to a previously uncovered but popular use of DNS-based service discovery, Zero-conguration networking (Zeroconf) [14], which 2 BACKGROUND mixes the service discovery in dierent namespaces. These results 2.1 The Name Collision Problem show that even with standard server authentication adopted, the In DNS, a domain name is a set of dot-separated labels that form name collision attack threat model still broadly breaks common se- a tree structure with the DNS root located at the top. The last two curity assumption in today’s internal network service clients. We labels, for example .com and example in www.example.com, are nd that one fundamental cause is the lack of namespace dieren- called the TLD (top-level domain) and SLD (second-level domain). tiation in the current service discovery and server authentication In the DNS ecosystem, the public DNS namespace is for the resolu- methods. This problem is newly introduced by the name collision tion of domain names on the public Internet, and the Internet Cor- problem and it leaves the clients incapable of handling potential poration for Assigned Names and Numbers (ICANN) is the author- name collisions. itative administrator for its DNS root. ICANN delegates the man- To demonstrate the severity of the discovered vulnerabilities, agement of the TLDs to specic TLD registry operators.