DNS Rebinding PoC
27 June 2008
It took me longer than I expected, but I finally made it work.
In short, this proof of concept uses the browser cache along with DNS Rebinding in order to circumvent the Same Origin Policy of the XMLHttpRequest object. After a successful execution of the attack, this PoC reads the HTML from http://127.0.0.1:80/ on your machine. If you don't have a local HTTP server running, this won't look very "impressive", though.
For the sake of this PoC, I didn't implement anything that could let you alter the "victim" IP. It IS possible, but I don't know if I should do it.
I could alter 127.0.0.1 to Google's IP for example, but this isn't as impressive as reading/writing data from/to your internal network. Maybe I'll add this some time later, so those of you who don't have a local HTTP server running could still see the attack in action.
In essence, this is a two stage attack. The first stage involves your browser caching some HTML code from a certain URL for a really long time. You probably don't know it yet, but the first stage of the attack has already hit your browser.
<img src="http://evil2.us.to/poc/rebind/redirector.php" style="width: 1px; height: 1px;">
The code above is embedded on this very page. "redirector.php" redirects your browser to the evil "doit.php" file the first time you visit it. "doit.php" tells the browser to cache it for a year. When you reload this page for the second time, "redirector.php" will then simply redirect to a harmless image. The cached "doit.php" file, however, will stay unaltered on its own URL.
In order to understand this better, you should read the source files I link to at the bottom of this post.
At the same time, on the server side, once "doit.php" was visited by your browser for the first time, the script altered the DNS entries for its hostname on the local DNS server (which is authoritative for the domain evil2.us.to).
The next stage of the attack is waiting: 2 minutes if you run Firefox, 30 minutes if it's IE. It depends on how the browser implements the DNS pinning protection. On any browser, closing it and opening a new instance will work immediately. In practice, a malicious attacker will just wait. Since the page is cached, it's not going anywhere. The attack can be continued whenever the attacker desires.
For the sake of this PoC, however, exit your browser and then come back to this page.
Now when you're back...
After the DNS pinning has expired, all the attacker has to do is give the victim a link to click on.
http://evil2.us.to/poc/rebind/innocent.php
This could be a completely innocent looking page with an iframe to the previously cached "doit.php" file. JavaScript on the cached page could then use XHR. This would cause the browser to do a new DNS lookup, and eventually resolve to 127.0.0.1.
As I explained earlier, the implications of this are severe. All the HTTP based web services on your network could be owned.
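Two defences that break exactly this XHR-to-127.0.0.1 step, written as an added example for this post (not code from the PoC sources): a resolver-side filter that refuses answers mapping an external name onto loopback or LAN addresses, and a Host header allowlist for the internal HTTP service, since the rebound request still carries Host: evil2.us.to. The address ranges, the allowlist and the sample Host values are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Address ranges a public hostname should never resolve to. If the authoritative
# server for a name such as evil2.us.to suddenly answers with one of these, the
# answer is a rebinding attempt and a resolver can drop it (the dnsmasq
# --stop-dns-rebind approach). The ranges listed are an assumption of this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def rebinding_answer(addresses: Iterable[str]) -> bool:
    """True if any A/AAAA answer for an external name points inside the LAN or at loopback."""
    return any(ipaddress.ip_address(a) in net for a in addresses for net in INTERNAL_NETS)

def parse_host(host_header: Optional[str]) -> Optional[str]:
    """Hostname from an HTTP Host header, lowercased and without the port.
    Handles 'evil2.us.to', '127.0.0.1:80' and IPv6 literals such as '[::1]:80';
    returns None for a missing or malformed header."""
    if not host_header or not host_header.strip():
        return None
    h = host_header.strip().lower()
    if h.startswith("["):                       # IPv6 literal in brackets
        end = h.find("]")
        return h[1:end] if end > 1 else None
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h

def host_allowed(host_header: Optional[str], allowed: Iterable[str]) -> bool:
    """Server-side defence: a rebound XHR still carries the attacker's hostname in
    Host (here evil2.us.to), so an internal service that accepts only its own names
    refuses the request even though the TCP connection reached 127.0.0.1."""
    name = parse_host(host_header)
    return name is not None and name in {a.lower() for a in allowed}

# Constructed sample Host values: the first is what the cached doit.php's XHR sends
# once evil2.us.to resolves to 127.0.0.1; the second is a normal local request.
ALLOWED = {"127.0.0.1", "localhost"}
SAMPLE_HOSTS = ["evil2.us.to", "127.0.0.1:80"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", "allow" if host_allowed(h, ALLOWED) else "reject")
    print("rebinding answer for 127.0.0.1:", rebinding_answer(["127.0.0.1"]))
```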
Conclusion
Despite this PoC sounding incredibly long and complicated, the basic stages of an attack are these:
1) Post an "image" on a blog or message board that your victim visits (make sure he "sees" it).
2) Wait for as long as you want.
3) Make the victim click a link (via a PM, IM, or whatever).
You may or may not see an attack that requires user interaction as a good one. Still, you must remember that modern security isn't so much about attacking the system anymore. Rather, it's about attacking the operators (or users) of the system.
You can agree with me that anyone who wants to poke a hole right through a corporate firewall could use this attack.
Finally, the true problem isn't that it's possible to do this. What's really bad is that it has been possible to do this since 1996. This flaw isn't a bug, it's here by design.
Here is a link to the sources of this PoC. Everything is well commented.
http://own-the.net/poc/rebind/source/
Enjoy.
Posted by: kGen | In category: DNS