Java Socket Restrictions, Proxy Servers, and the URLConnection

In early October, Sun updated the Java Runtime Environment (JRE) to close some of the gaping holes in the handling of network connections: Security Vulnerabilities in Java Runtime Environment May Allow Network Access Restrictions to be Circumvented. As a result, the ever popular DNS rebinding and document.domain bypass vectors were effectively shut down. The JRE now attempts to validate that the network address and hostnames are linked when establishing socket connections (see the end of my Attacking the Tor Control Port with Java for more discussion and a network trace).

Of course, it is possible that these changes have not been effective. There may yet be some means of bypassing the restrictions either through DNS rebinding or the document.domain exception. The comments in the code seem to indicate the solution is not fully baked.

From InetAddress.java:

     //XXX: if it looks a spoof just return the address?
     if (!ok) {
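As an added example (not code from this post or from the JDK), here is the forward-confirmed reverse lookup that the quoted InetAddress fragment performs, written in Python against a constructed in-memory resolver so it runs offline; the zone data and host names are made up for illustration.

```python
# Added example, not the JDK's code: the check behind the quoted comment.
# Reverse-resolve the address, forward-resolve the resulting name, and
# accept the name only if the original address is among the forward
# results; otherwise fall back to the bare address string (the "if it
# looks a spoof just return the address" case).

# Constructed zone data standing in for the name service.
FORWARD = {                      # hostname -> addresses
    "trusted.example": ["198.51.100.10"],
}
REVERSE = {                      # address -> PTR hostname
    "198.51.100.10": "trusted.example",
    "203.0.113.5": "trusted.example",   # PTR claims a name it does not own
    "192.0.2.77": "orphan.example",     # PTR name with no forward record
}


def forward_lookup(name):
    """Forward resolution; an unknown name resolves to nothing."""
    return FORWARD.get(name, [])


def reverse_lookup(addr):
    """PTR resolution; None when there is no reverse record."""
    return REVERSE.get(addr)


def host_for_address(addr):
    """Return the hostname for addr only if forward and reverse agree.

    A PTR name that does not resolve back to addr is treated as a possible
    spoof and the numeric address is returned instead, so a later
    hostname-based permission check cannot be steered by whoever controls
    the reverse zone.
    """
    ptr = reverse_lookup(addr)
    if ptr is None:
        return addr
    ok = any(addr == fwd for fwd in forward_lookup(ptr))
    return ptr if ok else addr


def is_spoofed_ptr(addr):
    """True when the reverse record for addr fails forward confirmation."""
    return reverse_lookup(addr) is not None and host_for_address(addr) == addr


if __name__ == "__main__":
    for a in ("198.51.100.10", "203.0.113.5", "192.0.2.77"):
        print(a, "->", host_for_address(a), "(spoof)" if is_spoofed_ptr(a) else "")
```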

From SocketPermission.java:

     // XXX: if all else fails, compare hostnames?
     // Do we really want this?

Another point of attack in DNS rebinding exploits is the proxy server. The latest JRE (6u3) seems to take a different code path when a proxy has been explicitly configured through the network settings:

[Screenshot: Java Proxy Server Settings]

Arbitrary socket connections are still not permitted, but connections made through the URLConnection class are allowed. The setRequestProperty method can be used to set HTTP header values, but depending on the proxy the request passes through, these may be rewritten. Remember, the proxy is the one making the request.

I've only tested using the document.domain exception bypass and LiveConnect, but I would assume that something similar can be performed using a DNS rebinding approach and applets. Also, I haven't fully investigated the impact of the "Bypass proxy server for local addresses" option.

I've put up an online demonstration. You'll need Firefox, a 1.6 JRE, and a proxy server with a locally configured web server. The demo attempts to connect to the local web server by requesting the root document through the proxy.

Posted by gfleischer on 2007/11/15 at 21:27 in Hacking
