General Spoofing

Spoofing occurs when an attacker is able to forge information used by the target program, as the Caller ID example demonstrates. The following are examples of items that are commonly spoofed:

  • Internet Protocol (IP) addresses

  • Media Access Control (MAC) addresses

  • Protocols

    • Reverse Domain Name Service (DNS) lookups

    • Simple Mail Transfer Protocol (SMTP) e-mail messages

    • Hypertext Transfer Protocol (HTTP) Referer header

    • HTTP User-Agent header

IP Address Spoofing

For many people, when spoofing is mentioned the first thing that comes to mind is IP address spoofing. The idea of IP address spoofing is commonly known, but less widely understood. A network packet is composed of two main parts: the header and the body. The header contains the source and destination IP addresses, the source and destination port numbers, and a few additional flags. The body contains the data. The difference between Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets greatly affects the ease with which the IP address in the packet can be forged.

TCP

TCP provides a reliable means of communicating over a network. Reliability is partly ensured by assigning sequence numbers to data packets so that both the client and server know which numbered packet in the sequence should arrive next. A TCP connection involves a three-way handshake to indicate that communication between sender and receiver can take place.

The TCP three-way handshake  

The TCP three-way handshake involves the following steps:

  1. Client sends a synchronize request (SYN) that includes an initial sequence number (ISN) for client packets.

  2. Server responds with a synchronize/acknowledgment packet (SYN/ACK). This includes the server's ISN and acknowledges the SYN sent in step 1.

  3. Client responds with an acknowledgment (ACK) of the data sent in step 2.

For secure communications, an attacker should not be able to determine the ISN. If an attacker determines the ISN, the attacker can send information to one side of the connection (either to the client or server) using a spoofed IP address. When a packet is crafted entirely by the attacker, the attacker can forge its contents. By using the correct ISN, the attacker can send the packet so that it appears to be the packet expected next in the sequence and is treated accordingly.

It is the responsibility of the operating system to ensure the ISN is not determinable. In 2001, Michal Zalewski wrote a paper titled Strange Attractors and TCP/IP Sequence Number Analysis ( http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm ) detailing the entropy of ISN generation by various operating systems. After the paper's release, several vendors changed their ISN generators to address randomness issues. A year later, Zalewski followed up with a paper titled Strange Attractors and TCP/IP Sequence Number Analysis: One Year Later ( http://lcamtuf.coredump.cx/newtcp/ ) and reported that, regardless of the changes made, many operating systems still had issues with the randomness of ISN generation.

Although it is possible to spoof TCP packets, it usually isn't simple, and it enables sending data only to one side of the connection (and not receiving the response). Application security models should not rely solely on the source IP address for decisions that affect security. For example, some systems give the user administrative privileges on the Web server if the connection comes from a certain IP address. If the target is important enough, an attacker will attempt to spoof the IP address to perform privileged operations on the server that only a trusted IP address is allowed.

Important  

It is the responsibility of the operating system to mitigate TCP spoofing. Applications must be careful about features that trust data based on its source IP address. A common defense-in-depth measure is to allow incoming connections only from specified IP addresses. An example is the UNIX TCP Wrapper functionality that limits connections to certain services based on IP address. It is useful to check the source IP address as a defense-in-depth measure, but do not base a program's security on it.
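As an added illustration of the TCP Wrapper style of filtering described in this note (this code is not from the book and is not the tcpd implementation), the following Python evaluates hosts.allow and hosts.deny rules in the order tcpd uses: a match in the allow file grants, otherwise a match in the deny file refuses, otherwise the connection is allowed. Only the basic "daemon list : client list" syntax with ALL, dotted-prefix and network/netmask patterns is handled. The rule text, the daemon names and the `authorize` wrapper, which still demands credentials after the address gate, are constructed for this example.

```python
import ipaddress

# Constructed rule files in the TCP Wrapper (hosts.allow / hosts.deny)
# "daemon_list : client_list" syntax. Only ALL, a dotted prefix such as
# "10.0.5." and network/netmask patterns are handled here; the real tcpd
# also accepts host names, EXCEPT clauses, shell commands and more.
HOSTS_ALLOW = """
# management console only from the admin subnet
sshd: 192.168.10.0/255.255.255.0
# the back-end service is reachable from one /24 and one extra host
backendd: 10.0.5., 10.0.9.17
"""

HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return (daemons, clients) tuples, one per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Test one client pattern against a source address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # dotted prefix, e.g. 10.0.5.
        return ip.startswith(pattern)
    if "/" in pattern:                              # net/mask or net/prefixlen
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def rules_match(rules, daemon, ip):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def tcpd_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's evaluation order: a match in hosts.allow grants, otherwise a
    match in hosts.deny refuses, otherwise the connection is allowed."""
    if rules_match(parse_rules(allow_text), daemon, ip):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"


def authorize(daemon, ip, credentials_ok):
    """The address filter is a gate in front of the real check, never a
    replacement for it: a permitted source address can be spoofed, so the
    request must still carry valid credentials."""
    if tcpd_decision(daemon, ip) != "allow":
        return False
    return bool(credentials_ok)


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.10.44"), ("sshd", "192.168.11.44"),
                       ("backendd", "10.0.5.200"), ("backendd", "10.0.9.18")]:
        print(f"{daemon:9s} {ip:15s} -> {tcpd_decision(daemon, ip)}")
```

Note that `authorize` returns False for a source inside the allowed subnet when the credentials fail; the address list narrows who can even attempt authentication, which is all a source-address check can do.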

Important  

To identify authenticated users Web applications often use a numeric or alphanumeric value stored in a cookie, URL parameter, or hidden form field. Similar to spoofing TCP packets by determining the sequence number, if an attacker can determine the value used by the Web application for a logged-in user, the attacker can send the value and spoof being the logged-on user to gain access to the Web application.
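The two notes above make the same point about TCP ISNs and Web session identifiers: if the next value can be guessed from the ones already seen, the identity it stands for can be spoofed. The following Python is added here and is not from the book or from Zalewski's paper. It runs a simple check over a sample of successive values: the Shannon entropy of the differences between consecutive values, which is near zero for a counter and near log2(n) for a generator that draws each value independently. The three generators, the 200-value sample size and the 4-bit threshold are constructed for illustration and are no substitute for the full analysis in the paper.

```python
import math
import random
from collections import Counter


def delta_entropy_bits(values, modulus=2 ** 32):
    """Shannon entropy, in bits, of the differences between consecutive values.

    A generator that steps by a constant (or by one of a handful of steps)
    yields deltas with near-zero entropy; a generator that draws each value
    independently yields deltas that are almost all distinct, so the entropy
    approaches log2(number of deltas).
    """
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    if not deltas:
        return 0.0
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in Counter(deltas).values())


def looks_predictable(values, min_bits=4.0, modulus=2 ** 32):
    """True when the delta entropy is far below what the sample size allows.
    The 4-bit threshold is an illustrative choice, not a standard."""
    return delta_entropy_bits(values, modulus) < min_bits


def ids_to_ints(ids, base=16):
    """Convert session identifiers (hex strings by default) so the same
    check can be applied to values a Web application hands out."""
    return [int(s, base) for s in ids]


# Constructed samples: 200 successive ISNs from three hypothetical generators.

def constant_step_generator(start=12345, step=64000, count=200):
    """Counter-style generator: every new connection gets the previous ISN + step."""
    return [(start + i * step) % 2 ** 32 for i in range(count)]


def jittered_step_generator(seed=3, start=12345, step=64000, count=200):
    """Counter with a little jitter: still only a handful of distinct deltas."""
    rng = random.Random(seed)
    out, cur = [], start
    for _ in range(count):
        out.append(cur)
        cur = (cur + step + rng.randint(0, 3)) % 2 ** 32
    return out


def random_generator(seed=7, count=200):
    """Stand-in for drawing each ISN from a cryptographic RNG (random.Random
    is used here only so the sample is reproducible offline)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for name, sample in [("constant step", constant_step_generator()),
                         ("jittered step", jittered_step_generator()),
                         ("random", random_generator())]:
        verdict = "PREDICTABLE" if looks_predictable(sample) else "ok"
        print(f"{name:14s} {delta_entropy_bits(sample):5.2f} bits  {verdict}")
```

Low delta entropy is sufficient to condemn a generator but not sufficient to clear one: a generator can pass this check and still be predictable from its internal state, which is why the paper's phase-space analysis goes further.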

UDP

Unlike TCP, UDP connections do not involve a handshake and packets are not acknowledged by the recipient. Although this makes UDP an unreliable protocol, it makes it a much faster way to transmit data. It also means that the source IP address in the UDP packet can be trivially spoofed. If a program accepts UDP packets, there isn't much preventing an attacker from sending spoofed packets to the program.

MAC Address Spoofing

Network equipment is assigned a unique MAC address by its manufacturer. On an Ethernet network, the MAC address is used to uniquely identify hosts. To take advantage of this unique assignment, some networks allow only legitimate hosts with known MAC addresses onto the network and reject all others. This is known as MAC filtering and is common on many wireless access points.

MAC filtering doesn't keep determined unwanted people off the network though. If an attacker controls a network device, the attacker can spoof the device's MAC address and substitute an address that is allowed on the network. For instance, an easy way to modify a MAC address in the Microsoft Windows operating system is to use Mac MakeUp ( http://www.gorlani.com/publicprj/MacMakeUp/macmakeup.asp ).

Verify that applications don't contain features that base security solely on the MAC address. Applications that use this type of security model are usually easy to find because they ask the user to enter trusted MAC addresses.

Important  

Spoofing a MAC address can enable an attacker to steal someone else's IP address on the local area network (LAN). Connections between computers on the LAN are made based on the MAC address. If an attacker knocks the victim's computer off the network through a denial of service attack, the attacker can assume the victim's IP by spoofing the victim's MAC address.

Spoofing Using Network Protocols

Many network protocols allow an attacker to spoof information within the body of the packet. The following are some types of data commonly spoofed within the body of a packet:

  • Reverse DNS lookups

  • SMTP e-mail messages

  • HTTP Referer header

  • HTTP User-Agent header

Reverse DNS Lookups

Numeric IP addresses can be converted to human-readable domain name addresses by performing a reverse DNS lookup. For example, 192.0.34.166 could be converted to www.example.com. When the reverse lookup is requested, the DNS server responsible for the IP address is queried for the domain name address. The address returned can be any domain name specified by the DNS server. It is possible for the forward lookup (conversion of a domain name to an IP address) and the reverse lookup information not to match. For example, performing a forward lookup on www.example.com returns 192.0.34.166, but when a reverse lookup is performed on 192.0.34.166, the DNS server hosting records for 192.0.34.* could return the domain name address www.blueyonderairlines.com.

Reverse lookup information is used to make security decisions. Sometimes applications allow connections only from certain domain names (determined by the reverse DNS information). Other applications use reverse DNS lookups for logging information. When incorrect reverse lookup information is provided, problems can arise.

For example, to make log files more easily readable some programs log the information returned through a reverse lookup instead of the source IP address of the client that connects. This information appears as friendly domain names in the log file; for example, www.microsoft.com instead of 207.46.18.30 would be listed in the log file. This feature means that the connections made are not being logged properly. If you are testing a program that does this, report the bug! It is important to log the numeric IP addresses. If you find the reverse lookup information useful, log that, too.

No application should rely on reverse DNS information to be correct because attackers often can control the reverse lookup information for their domain name. The following graphic helps illustrate how an attacker could pull off a reverse DNS lookup spoofing attack:

[Figure: reverse DNS lookup spoofing attack (image not reproduced)]

Important  

Attackers often can legitimately control the reverse lookup information for their domain.

SMTP E-mail Messages

The most common way to send e-mail is by using SMTP, which doesn't require the sender to authenticate. Because authentication is not required, anyone can send a message to any address and claim that it was sent from any address the sender specifies. For this reason, users and programs should not trust that an e-mail truly comes from the address listed in the From field.

Tip  

Digital signatures can be used to verify that the sender of an e-mail message is who the message claims.

SMTP requires that the sender specify the recipient's address using the RCPT TO command; the sender's address is specified using the MAIL FROM command. An attacker can specify any address using the MAIL FROM command, allowing the attacker's mail to appear to come from that e-mail address.

A mail message can be spoofed by connecting to an SMTP server on port 25 and issuing the following commands. To connect to port 25 on the SMTP server, type telnet <yourservername> 25 at the command prompt. Once connected, type the following commands:

    Server: 220 server ESMTP
    Client: HELO example.com
    Server: 250 pleased to meet you
    Client: MAIL FROM: <someone@microsoft.com>
    Server: 250 2.1.5 <someone@microsoft.com>... Sender ok
    Client: RCPT TO: <you@yourdomain.com>
    Server: 250 2.1.5 <you@yourdomain.com>... Recipient ok
    Client: DATA
    Server: 354 Enter mail, end with "." on a line by itself.
    Client: This is a spoofed e-mail!
    Client: .
    Server: 250 2.0.0 jAQ6rr0i794836 Message accepted for delivery

Important  

Because SMTP messages are not authenticated, there is widespread abuse of the system with spoofing. Many spammers employ spoofing techniques when they send bulk e-mail messages. To help mitigate this problem, most SMTP servers stamp the IP address of the machine originating the e-mail in the e-mail headers.
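To show what this note means in practice, here is an added Python example (not from the book) that reads the Received headers of a constructed message like the one the telnet session above would produce. It walks down from the headers stamped by our own relays and reports the first connecting address outside them, which is the machine that actually handed the message over. The relay addresses, host names and message ids are constructed; so is the bottom-most Received line, which the sender typed in during the DATA phase and which is therefore as unauthenticated as the From line. Only Received lines added by servers you trust can be believed, and those sit above anything the sender wrote.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. The two top Received lines were added by our own
# relays (198.51.100.7 and 198.51.100.8 are hypothetical addresses for them);
# the bottom one was supplied by the sender inside the DATA phase.
RAW_MESSAGE = """\
Received: from mx.yourdomain.com (mx.yourdomain.com [198.51.100.7])
\tby inbox.yourdomain.com with ESMTP id EXAMPLE2; Mon, 10 Jan 2005 08:00:04 -0800
Received: from example.com (unknown [203.0.113.45])
\tby mx.yourdomain.com with ESMTP id EXAMPLE1; Mon, 10 Jan 2005 08:00:01 -0800
Received: from relay.claimed-sender.example ([192.0.2.10])
\tby example.com with ESMTP id FORGED; Mon, 10 Jan 2005 07:59:00 -0800
From: someone@microsoft.com
To: you@yourdomain.com
Subject: test

This is a spoofed e-mail!
"""

TRUSTED_RELAYS = {"198.51.100.7", "198.51.100.8"}  # constructed: our own MX hosts

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Received headers in message order: the top one is the newest hop."""
    msg = message_from_string(raw)
    return msg.get_all("Received") or []


def originating_ip(raw, trusted=TRUSTED_RELAYS):
    """Walk down from the newest hop while the connecting address belongs to
    a relay we run; the first address outside that set is the machine that
    handed the message to us. Hops below it were not stamped by anyone we
    trust and are ignored, however convincing they look."""
    for hop in received_hops(raw):
        m = IP_IN_BRACKETS.search(hop)
        if m is None:
            continue
        if m.group(1) not in trusted:
            return m.group(1)
    return None


def summarize(raw):
    """What the From line claims versus what the trusted relays observed."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg["From"] or "")
    return {
        "from_header": from_addr,
        "claimed_domain": from_addr.rpartition("@")[2],
        "originating_ip": originating_ip(raw),
        "hops": len(received_hops(raw)),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key:15s} {value}")
```

The originating address tells you which machine submitted the message, not whether the From claim is true; it is the value worth logging and correlating, because the sender cannot alter what your own relay stamped.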

HTTP Referer

As mentioned in Chapter 4, Becoming a Malicious Client, any data included as part of an HTTP request can be forged. An optional part of the request is the Referer header. (Recall that Referer is misspelled in this text to match the misspelling in the HTTP specification.) This header's value contains the URL of the page that requested the URL.

Important  

Spoofing data contained within an HTTP request can be accomplished by using the techniques discussed in Chapter 4.

Sometimes developers rely on the Referer's value as a way to prevent other Web sites from linking to images on their site or to keep third-party servers from hosting HTML forms that submit to scripts on their servers. If the Referer's value isn't a URL for the current Web site, the request originated from another site and the Web request is rejected. One popular script that used this logic was Matt Wright's FormMail script ( http://www.scriptarchive.com/readme/formmail.html ).

FormMail is a freely available Perl script that is used to add e-mail Web form functionality to a Web site. When the Web form is filled out and submitted, its contents are sent to the e-mail address contained in a hidden form field. To prevent other sites from hosting forms that submit to it, the Referer header is verified against a list of allowed referrers.

Spammers figured this out and exploited the vulnerability by sending custom form submissions with a spoofed HTTP Referer, a spam message as the contents of the form, and the target of the spam as the hidden field e-mail address. This attack was possible because all three fields were part of the packet's body and under full control of the attacker.
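The FormMail pattern above, as an added Python example (not the original Perl script and not a description of its later fixes): a handler that trusts the Referer header and a recipient hidden field, beside one that looks the recipient up in a server-side table keyed by a form identifier. The allowed referrer, the form table, the `form` field name and the two sample submissions are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed configuration for the example.
ALLOWED_REFERERS = {"www.example.com"}                  # sites allowed to host the form
FORM_RECIPIENTS = {"contact": "webmaster@example.com"}  # server-side: form id -> mailbox


def vulnerable_formmail(headers, fields):
    """The pattern described above: the Referer header decides whether the
    form is trusted and the hidden 'recipient' field decides where the mail
    goes. Both arrive with the request, so both belong to the submitter."""
    referer = headers.get("Referer", "")
    if urlparse(referer).hostname not in ALLOWED_REFERERS:
        return None                       # request rejected
    return {"to": fields.get("recipient"), "body": fields.get("message", "")}


def hardened_formmail(headers, fields):
    """The recipient is resolved from server-side configuration keyed by a
    form identifier; no value in the request can redirect the mail. The
    Referer is not consulted, since it proves nothing about the origin."""
    to = FORM_RECIPIENTS.get(fields.get("form"))
    if to is None:
        return None                       # unknown form, nothing to send
    return {"to": to, "body": fields.get("message", "")}


# Constructed requests. A genuine submission from the hosted form:
LEGIT_REQUEST = (
    {"Referer": "http://www.example.com/contact.html"},
    {"form": "contact", "recipient": "webmaster@example.com", "message": "Hello"},
)
# A forged submission: spoofed Referer, spam text, the victim as 'recipient':
SPOOFED_REQUEST = (
    {"Referer": "http://www.example.com/contact.html"},
    {"form": "contact", "recipient": "victim@example.net", "message": "BUY NOW"},
)


if __name__ == "__main__":
    for label, req in [("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REQUEST)]:
        print(f"{label:8s} vulnerable -> {vulnerable_formmail(*req)}")
        print(f"{label:8s} hardened   -> {hardened_formmail(*req)}")
```

The hardened handler can still send spam text to the configured mailbox, but it can no longer be turned into an open relay to arbitrary addresses; rate limiting and a per-session anti-forgery value are the usual next layers, and neither relies on Referer.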

HTTP User-Agent

Another part of the HTTP request that can be spoofed is the User-Agent header. This header is used to tell the Web site which browser is requesting the page. An attacker can modify the User-Agent header sent by the client to cause the server to consider the attacker's browser to be something other than it is. Why is this important? Sometimes Web sites respond differently depending on what type of user agent makes a request. For example, some Web sites require visitors to be members to view the full contents of the site. However, these Web sites still want search engines to index the site content without having a member account. To allow this, these Web sites have a back door of sorts. If a search engine is indexing the site, the Web site allows membership checks to be bypassed. Because search engines have a custom user agent string, sometimes the determination of whether to bypass the membership check is based on the User-Agent header value. If this is the case, attackers can gain access to the site without a membership if they spoof the User-Agent header and provide a string used by a popular search engine.
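The following added Python example (not from the book) serves both the Reverse DNS Lookups section and the User-Agent discussion here. It replaces real DNS with constructed PTR and A tables, including the 192.0.34.166 / www.blueyonderairlines.com mismatch from the reverse DNS section, and implements a forward-confirmed reverse DNS check: a PTR name is accepted only if its own A record points back at the address. `log_line` always records the numeric address and adds the name only when confirmed. `is_verified_crawler` shows that the User-Agent string by itself never unlocks the search-engine path, and that an attacker who controls the PTR record for their own address still fails, because they cannot make the search engine's zone point back at them. The crawler domain, the User-Agent token and all addresses other than 192.0.34.166 are hypothetical.

```python
# Constructed, offline stand-in for DNS. Reverse (PTR) records are set by
# whoever controls the address block; forward (A) records by whoever controls
# the domain. The first PTR entry reproduces the mismatch described above.
PTR_RECORDS = {
    "192.0.34.166": "www.blueyonderairlines.com",
    "203.0.113.9": "crawl-203-0-113-9.searchengine.example",
    # Whoever controls reverse DNS for 203.0.113.10 can name it anything,
    # including a host inside the search engine's domain.
    "203.0.113.10": "crawl-203-0-113-10.searchengine.example",
}
A_RECORDS = {
    "www.example.com": ["192.0.34.166"],
    "www.blueyonderairlines.com": ["198.51.100.20"],
    "crawl-203-0-113-9.searchengine.example": ["203.0.113.9"],
    # The search engine's own zone has no crawl-203-0-113-10 host.
}

CRAWLER_DOMAINS = ("searchengine.example",)   # hypothetical search engine
CRAWLER_UA_TOKEN = "ExampleBot"                # hypothetical User-Agent token


def reverse_lookup(ip):
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    return A_RECORDS.get(name, [])


def forward_confirmed_name(ip):
    """Forward-confirmed reverse DNS: accept the PTR name only if one of its
    A records is the address we started from. Either record alone can be
    chosen by an attacker; only the owner of the name's zone can make both
    agree."""
    name = reverse_lookup(ip)
    if name and ip in forward_lookup(name):
        return name
    return None


def log_line(ip):
    """Log the numeric address unconditionally; add the host name only when
    it is confirmed, so a fake PTR cannot write a friendly name into the log."""
    name = forward_confirmed_name(ip)
    return f"{ip} {name if name else '-'}"


def is_verified_crawler(ip, user_agent):
    """The User-Agent alone never grants crawler treatment: the connecting
    address must also resolve, with confirmation, to a host in the engine's
    own domain."""
    if CRAWLER_UA_TOKEN not in user_agent:
        return False
    name = forward_confirmed_name(ip)
    suffixes = tuple("." + d for d in CRAWLER_DOMAINS)
    return name is not None and name.endswith(suffixes)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; ExampleBot/1.0)"
    for ip in ("192.0.34.166", "203.0.113.9", "203.0.113.10", "198.51.100.5"):
        print(f"{log_line(ip):55s} crawler={is_verified_crawler(ip, ua)}")
```

Where a search engine publishes the address ranges or host-name pattern its crawlers use, that published information is what the confirmation must be checked against; the User-Agent string is at most a hint about which check to run.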



Hunting Security Bugs
ISBN: 073562187X
Year: 2004