The attacks rely on the long-term caching policies of some browsers and take advantage of the collisions that can occur when two different networks use the same non-routable IP address space, which happens fairly often because the amount of address space is quite small. The bottom line is that even a moderately skilled attacker has the ability to compromise remote machines without the use of any vulnerability or weakness in the client software.
“If you’re even vaguely clever, developing this might take you two hours. It’s not that difficult,” said Robert Hansen, the researcher who wrote about the attacks in a white paper published this week, called “RFC1918 Caching Security Issues.” Hansen, who is better known in the security community as Rsnake, worked out the techniques through research and discussions with fellow researchers Amit Klein and HD Moore over the course of several weeks. RFC1918 refers to an IETF specification developed in 1996 for private intranets.
“All you need is a mediocre amount of intelligence about VPNs, a mediocre understanding of how to inject iFrames, the ability to run a backdoor and a command and control server. Put all of that together and maybe it’s considered hard. All of the pieces are there, it’s just a matter of putting them together,” Hansen said.
One of the things that makes this technique possible is the widespread use of non-routable IP address space for corporate intranets. Many companies use IP addresses that are not routable from the public Internet for their intranets, a tactic that is meant to protect the networks from attack. But because the amount of non-routable IP address space most commonly used for intranets is so small (about 1280 addresses, Hansen estimates), collisions between networks often occur. And because some popular browsers will cache credentials and IP addresses for a long time, an attacker can take advantage of these circumstances to gain control of user PCs.
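The two ingredients above, a private RFC1918 address and a response the browser may keep for a long time, can be checked from the defender's side. The following Python audit is an added example, not code from Hansen's paper or from the article: it classifies a response served from an intranet address by how long its headers allow it to be reused, so that intranet applications which are not sending `Cache-Control: no-store` stand out; the hosts, header values and the one-hour threshold are constructed for illustration.

```python
import ipaddress
from email.utils import parsedate_to_datetime

# The three private ranges defined by RFC1918.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host):
    """True if host is a literal IPv4 address inside an RFC1918 range."""
    try:
        return any(ipaddress.ip_address(host) in net for net in RFC1918_NETS)
    except ValueError:
        return False  # hostnames are out of scope for this check

def parse_cache_control(value):
    """Split 'max-age=86400, public' into {'max-age': '86400', 'public': None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            out[name] = arg.strip().strip('"') or None
    return out

def freshness_lifetime(headers):
    """Seconds a browser cache may reuse the response without revalidating,
    following the RFC 7234 precedence: no-store/no-cache, then max-age,
    then Expires minus Date. None means no explicit lifetime was given,
    so the browser falls back to its own (possibly long) heuristic."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0  # must not be stored, or must be revalidated on every use
    if (cc.get("max-age") or "").isdigit():
        return int(cc["max-age"])
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            return 0  # a malformed Expires value is treated as already stale
    return None

def audit(host, headers, limit=3600):
    """Classify a response from an intranet host; 'risky' means the cached copy
    could outlive the session on the network it was fetched from (constructed threshold)."""
    if not is_rfc1918(host):
        return "not-rfc1918"
    life = freshness_lifetime(headers)
    if life is None:
        return "heuristic-cacheable"
    return "risky" if life > limit else "ok"
```

Run it against the response headers of each intranet application; anything reported as `risky` or `heuristic-cacheable` is a candidate for an explicit `Cache-Control: no-store` on pages that should never be served from another network's cache.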
And, as Hansen discovered, the browser cache is a hidden jewel for attackers looking to remain undetected for a long time.
“The cache is a nice place to store persistent attacks long term. If you store it in the cache, in order to find it you’d have to go through every file to find the one that’s going to be exploitable,” he said. “It’s difficult to do and it’s a huge pain to recover from. Forensics on this is a nightmare because attackers can cause the cache to be flushed if they so desire.”
“This happens in the wild all the time. People just don’t realize it,” Hansen said. “The man-in-the-middle variant requires a little more work because you have to do ARP spoofing or break into something upstream. It’s not super-hard but it requires a little more work than the VPN one.”
*VPN diagram via www.sectheory.com