Practical Attacks with DNS Rebinding


One of the techniques I expect to see gain in popularity in the wild is DNS rebinding. DNS rebinding is a technique that turns a victim's browser into a proxy for attacking private networks. Attackers can change the IP associated with a domain name after it has been used to load JavaScript. Since the same-origin policy (SOP) is domain-based, the JavaScript will have access to the new IP.

This blog post outlines some of what I've learned while preparing a DNS rebinding lab exercise for Black Hat and SecTor.

There are two non-exclusive challenges we must overcome to attack network devices:

- Attackers do not know private network address ranges ahead of time.
- Cross-domain access is restricted by the same-origin policy.

Finding Network Devices

The most common technique is to simply guess common network addresses. This can be quite effective for certain devices like routers, which is why I suggest using non-default IP ranges on home routers. There is also a more sophisticated technique I've previously referred to as Smart CSRF. This process uses STUN on supported browsers to recover a local IP. (Interestingly, Chrome may be the only browser supporting this in a current release.)

Working Around the Same-Origin Policy (SOP)

Armed with knowledge of a device's IP address, some attacks become quite trivial to carry out. For example, the NETGEAR cgi-bin command injection can be exploited with a simple IMG tag to trigger a GET request. Other attacks, however, require more interaction with the vulnerable system than simply sending data, so traditional CSRF techniques fail: the same-origin policy prevents attackers from reading the response data. For those attacks we must use DNS rebinding.

Tavis Ormandy has a domain, rbndr.us, which runs his Simple DNS Rebinding Service, but I opted to write a small Python implementation and varied my approach slightly. Whereas Tavis' rbndr implementation alternates between target addresses, I had better results when my server responded only once with my public IP.

My implementation packages a very basic HTTP server and DNS server in roughly 100 lines of Python. Example output (with my domain name redacted) is shared below:

[screenshot: server output]

Putting the Pieces Together

As a proof of concept, I exploited VERT's NETGEAR Centria router, using an authentication bypass to reach a command injection on a form protected by a CSRF token.

Successful end-to-end exploitation involves the following steps:

1. The victim loads an IFRAME from an attacker-controlled domain.
2. The IFRAME uses JavaScript to identify the local IP via WebRTC.
3. Each IP on the victim's /24 is queried for a resource expected to exist on the router.
4. The JavaScript submits this IP to the attack server and receives a token value.
5. The token value is used to construct a domain name and update the IFRAME location.
6. JavaScript loaded from this origin sets an interval timer.
7. The timer callback makes requests to the crafted domain.
8. After the DNS entry expires, the domain is resolved to a LAN IP.
9. The timer callback can now obtain the CSRF token with an auth bypass.
10. An attack payload is sent with the retrieved timestamp.

Here is a view of what the exploit looks like in my browser:

[screenshot: exploit running in the browser]
Once this is complete, I am able to telnet to the router on port 1234:

[screenshot: telnet session to the router]
Attack Effectiveness and Lessons Learned

This is not a fast attack, but it is quite powerful. The total attack duration varies based on the timer interval (step #6) as well as the browser and OS combination. In my testing with Chrome on OS X, I've found that the rebinding can be as fast as 1 minute with a short enough interval (hundreds of ms) or as slow as 5 minutes when the interval is 3000 ms. This is a trade-off between speed and stealth.

Conclusions

DNS rebinding is quite usable in real-world attacks.

As of now, IoT attack campaigns have been quite successful attacking only publicly exposed devices, but it is only a matter of time before there is too much competition for this low-hanging fruit. Botnet operators will then seek out better techniques for reaching valuable targets on private corporate and home networks.

Network administrators and product vendors need to adopt the mentality that anything available on the local network via HTTP is also available to remote attackers. If any of these servers allow anonymous/unauthenticated access, an attacker will likely seek out these systems and steal, manipulate, or even destroy the data they provide or the systems they control.

To learn more about the techniques I use for finding and exploiting IoT vulnerabilities, please check out my 2018 course offerings at Black Hat USA and SecTor.
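Two defender-side checks for the two audiences named above, as an added example (not code from this post or from VERT): a Host-header allowlist a LAN device can apply, and a resolver-side filter that refuses answers mapping an external name onto an internal address, as some resolvers do. The hostnames, IPs and the rebind.example domain are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Names and addresses this LAN device answers to (constructed sample values).
ALLOWED_HOSTS = {"router.local", "192.168.1.1"}

# Address ranges an external name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10")]                # IPv6 equivalents


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Vendor-side check: accept a request only if Host names this device.

    After a rebinding the browser still sends the attacker's domain in the
    Host header, because from its point of view the origin never changed.
    A device that rejects unknown Host values stays safe no matter what the
    victim's resolver returned for that name.
    """
    if not host_header:
        return False
    try:
        # urlsplit separates host from an optional port and handles [IPv6].
        host = urlsplit("//" + host_header).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if host is None:
        return False
    return host.lower() in {h.lower() for h in allowed}


def answer_is_rebinding(qname, answer_ips, trusted_suffixes=("local", "lan")):
    """Resolver-side check: flag an external name resolving to an internal IP.

    Names under a locally trusted suffix may point at LAN addresses;
    anything else resolving into INTERNAL_NETS is treated as a rebinding.
    """
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in trusted_suffixes):
        return False
    return any(ipaddress.ip_address(ip) in net
               for ip in answer_ips for net in INTERNAL_NETS)


if __name__ == "__main__":
    # Constructed replay of the sequence in the post: the rebinding domain
    # first resolves to the attacker's public IP, then to a LAN IP.
    rebind_name = "token123.rebind.example"
    for ips in (["203.0.113.10"], ["192.168.1.1"]):
        print(rebind_name, ips, answer_is_rebinding(rebind_name, ips))
    for host in ("router.local", "192.168.1.1:80", rebind_name):
        print("Host:", host, host_header_allowed(host))
```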
