DNS rebinding - current state
Posted by: lpilorz
Date: December 14, 2007 05:44PM

Hi,
can anyone sum up what's the current state of DNS rebinding attack vectors?

AFAIK, LiveConnect & Flash are fixed. Are there any others left, and what are the timing requirements?

Btw, this no longer works so I can post it:
http://lukasz.pilorz.net/testy/dnsrebinding/scanner.phps
http://lukasz.pilorz.net/testy/dnsrebinding/phpmyadmin_exec.phps
Sample LiveConnect DNS rebinding attack against a basic xampp installation run by a Windows user with admin privileges. I think it could work for any phpMyAdmin on localhost or any common internal address - the attack uses a JS portscan for finding the app and then DNS rebinding to simply run "SELECT 'calc.exe' INTO OUTFILE 'C:\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart\\calc.bat';"
The code is not very nice, it was just meant to work in certain circumstances.



Edited 1 time(s). Last edit at 12/14/2007 05:58PM by lpilorz.

Re: DNS rebinding - current state
Posted by: lpilorz
Date: December 14, 2007 05:52PM

Btw, dnsrebinding.securityexploits.com is a no-ip.com wildcard domain. That's the reason for such long timing (60 seconds to wait for no-ip.com DNS change), and it won't work for more than one victim at the same time. LiveConnect is fixed, so there is no reason to run it anyway.

Re: DNS rebinding - current state
Posted by: kuza55
Date: December 15, 2007 02:43AM

Ok, I haven't heard of LiveConnect being fixed, and I kind of doubt it is, since from what I remember reading it relied on the fact that Java wasn't instantiated until you'd conducted the DNS rebinding attack, so the fact that Java performs DNS pinning properly didn't count for anything. How LiveConnect could be fixed without the issue being fixed in the browser is a bit of a mystery to me...

Flash has semi-fixed the issue though -> We can't make socket connections any more without the other host allowing it, which is pretty unlikely (not impossible, but unlikely). But we can still do normal HTTP-based DNS rebinding attacks.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]



Edited 1 time(s). Last edit at 12/15/2007 02:48AM by kuza55.

Re: DNS rebinding - current state
Posted by: Anonymous User
Date: December 15, 2007 07:18AM

Yeah, I'm kinda on kuza55's side here.

I'm not sure what you mean with LiveConnect being 'fixed'? LiveConnect in Mozilla is a very old and huge chunk of code which hasn't been dropped completely yet, but they will in the near future. As for being fixed, I kinda doubt that - if I understand or guess you correctly - because it utilizes features that cannot be blocked.

btw DNS rebinding e.g. DNS pinning is an arms race, it cannot be won.

Re: DNS rebinding - current state
Posted by: kuza55
Date: December 15, 2007 05:16PM

Ronald Wrote:
-------------------------------------------------------
> btw DNS rebinding e.g. DNS pinning is an arms
> race, it cannot be won.

I think you're right there, but I think it can be solved, just not with DNS Pinning. We'd need something like what Adobe has implemented with flash policy files: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html

In that we'd need to be able to query an IP to find out what domains can connect to what ports. Obviously you wouldn't want any two domains to be able to connect to a single port, but you'd probably need to leave the option open.

Of course, I'm still going to look for implementation stupidities in Adobe's code, e.g. caching the response, or performing DNS lookups in the middle of things, etc, but this seems like a pretty solid idea.


Re: DNS rebinding - current state
Posted by: lpilorz
Date: December 16, 2007 07:35AM

To tell the truth I did not go into details with what was changed, but with the latest Java update both Kanatoko's demos (Java & LiveConnect) stopped working for me. The code I based on his presentation also started throwing a Java privileges exception.

"Sun has included changes that perform additional hostname matching using DNS reverse mapping data to mitigate these issues." - http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1
Doesn't it block most attack vectors with DNS rebinding in Java and LiveConnect?

Re: DNS rebinding - current state
Posted by: collinj
Date: December 16, 2007 01:38PM

As of October 3, 2007, LiveConnect can no longer open sockets unless the server opts in to sockets using reverse DNS. See http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1

Re: DNS rebinding - current state
Posted by: kuza55
Date: December 16, 2007 04:43PM

Wow....they actually went ahead and did something to fix it; it'll break everything on shared hosting, and with incorrect reverse DNS entries, but I guess that's a price they're willing to pay.

It's kind of like seeing the mhtml vulnerability get fixed.....it was around for so long that I didn't think it would ever go away...


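The mitigation collinj and lpilorz quote from the Sun bulletin (and kuza55's caveat about shared hosting and stale reverse zones) is easier to reason about with a concrete model of the check. The following is an added example for this thread, not code from Sun, Kanatoko or any poster: the PTR table, the hostnames and the "same site or subdomain" relaxation are all constructed assumptions. The idea being modelled is the one in the thread: the applet was loaded from a hostname, the attacker flips that hostname's A record to a victim IP, and the runtime only opens the socket if the victim IP's reverse mapping still vouches for the hostname.

```javascript
// Added example, not from the thread: a model of the "target opts in via
// reverse DNS" check Sun described for Java/LiveConnect sockets.  After the
// attacker flips the A record, the browser resolves the applet's hostname to
// the victim IP; the socket is allowed only if that IP's PTR record still
// vouches for the hostname.  Table contents, names and the subdomain rule are
// assumptions for illustration.

// Constructed PTR data standing in for real reverse lookups.
const PTR_TABLE = {
  "203.0.113.10": ["attacker.example"],               // attacker's own server
  "203.0.113.20": ["shared-host-42.hosting.example"], // shared hosting: PTR names the provider
  "192.168.1.1": [],                                  // typical intranet box: no PTR at all
  "127.0.0.1": ["localhost"],
};

function lookupPtr(ip) {
  return PTR_TABLE[ip] || [];
}

// Lower-case and drop a trailing dot so "Attacker.Example." == "attacker.example".
function canon(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// Same site if equal, or if one is a subdomain of the other (assumed relaxation
// so that www.attacker.example can use a PTR of attacker.example).
function sameSite(a, b) {
  return a === b || a.endsWith("." + b) || b.endsWith("." + a);
}

// True when at least one PTR name for `ip` vouches for `hostname`.
function reverseMatches(hostname, ip, ptrLookup = lookupPtr) {
  const host = canon(hostname);
  return ptrLookup(ip).some((ptr) => sameSite(canon(ptr), host));
}

// Decision the applet runtime makes before opening a socket: `hostname` is the
// origin the applet was loaded from, `currentIp` is what it resolves to *now*.
// A rebinding to an intranet host or to localhost fails because those IPs have
// no PTR naming the attacker's domain.
function socketAllowed(hostname, currentIp) {
  return reverseMatches(hostname, currentIp);
}
```

Running the scenarios from the thread through this model: attacker.example talking to its own 203.0.113.10 is allowed; the same applet after a flip to 192.168.1.1 or 127.0.0.1 is refused. The collateral damage kuza55 predicts also falls out of it: a legitimate site on shared hosting whose PTR names the hosting provider fails the check too.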
Re: DNS rebinding - current state
Posted by: digi7al64
Date: August 28, 2008 02:12AM

hate to necropost but it is relevant to the topic.

Does DNS rebinding still work in anyway shape or form?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: DNS rebinding - current state
Posted by: lpilorz
Date: August 28, 2008 06:46AM

If you can convince the user to stay on your site longer than whatever the timeout limit is now (long live web video!), or return to it after some time (even after closing the browser, as long as the cache is not cleaned), then probably yes, but I didn't check for some time. I'll try to put some more general demo online, if time permits.

Re: DNS rebinding - current state
Posted by: kuza55
Date: August 30, 2008 12:52AM

Martin Johns says FF3 is still vulnerable: http://twitter.com/datenkeller/statuses/892534116 And I'm sure that if it had been fixed in IE8 we would have heard about it by now.

So essentially, yes, the original form still works.


Re: DNS rebinding - current state
Posted by: digi7al64
Date: September 01, 2008 08:19PM

Thanks for the info. I guess this is something that can't be patched easily other than forcing the TTL value to be locked for the entire active session (which is going to create problems anyway).


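The timing question raised at the top of the thread (lpilorz's 60-second wait for a no-ip.com change, the "stay longer than the timeout" condition, and digi7al64's session-long lock) comes down to how long the browser pins the first answer versus how long the victim keeps the page open. The following is an added example written for this thread, not a poster's demo: a discrete-time model in which the attacker's authoritative server flips its A record at a chosen second, the browser pins each resolution for a configurable time, and the page re-requests its origin once a second. All IPs and intervals are constructed.

```javascript
// Added example, not from the thread.  A discrete-time model of an attacker's
// DNS flip against a browser that pins resolutions for `pinSeconds`.
// Rebinding succeeds the first time the browser re-resolves and gets the
// target IP while the page is still open.  All numbers are assumptions.

// Authoritative answer for the attacker's hostname: own IP until `flipAt`
// seconds, then the victim's internal IP.  `ttl` is what the attacker sets
// on the record (1 second is typical for these attacks).
function makeAttackerDns({ attackerIp, targetIp, flipAt, ttl }) {
  return (t) => ({ ip: t < flipAt ? attackerIp : targetIp, ttl });
}

// Browser-side resolver with DNS pinning: a cached answer is reused until
// max(ttl, pinSeconds) has elapsed, so a short attacker TTL cannot shorten
// the pin.  pinSeconds = 0 means "honour the TTL" (no pinning at all);
// pinSeconds = Infinity models digi7al64's lock-for-the-whole-session idea.
function makeBrowserResolver(dns, pinSeconds) {
  let cache = null; // { ip, expires }
  return {
    resolve(t) {
      if (cache && t < cache.expires) return cache.ip;
      const ans = dns(t);
      cache = { ip: ans.ip, expires: t + Math.max(ans.ttl, pinSeconds) };
      return ans.ip;
    },
  };
}

// Victim keeps the attacker's page open from t = 0 to `dwellSeconds`; the
// page issues a same-origin request every `pollSeconds`.  Returns the first
// second at which such a request is routed to targetIp, or -1 if the pin
// outlives the visit.
function firstRebindTime({ dwellSeconds, pollSeconds, pinSeconds, flipAt, ttl, attackerIp, targetIp }) {
  const dns = makeAttackerDns({ attackerIp, targetIp, flipAt, ttl });
  const browser = makeBrowserResolver(dns, pinSeconds);
  for (let t = 0; t <= dwellSeconds; t += pollSeconds) {
    if (browser.resolve(t) === targetIp) return t;
  }
  return -1;
}

// Constructed baseline used below and in the checks.
const BASE = { pollSeconds: 1, flipAt: 5, ttl: 1, attackerIp: "203.0.113.10", targetIp: "192.168.1.1" };
```

With `pinSeconds: 0` the request reaches the intranet IP at the flip (t = 5); with a 60-second pin and a 30-second visit it never does; with the same pin and a two-minute visit (the "long live web video" case) it lands at t = 60, the first re-resolution after the pin expires; with an infinite pin it never does, which is the trade-off digi7al64 points at.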
Re: DNS rebinding - current state
Posted by: lpilorz
Date: September 09, 2008 12:08PM

http://lukasz.pilorz.net/dnsr/ - tested and working in FF3/IE7.
This attack scenario is much less dangerous compared to what we could do a year ago.

Re: DNS rebinding - current state
Posted by: digi7al64
Date: September 10, 2008 07:06PM

@lpilorz - thanks for that. I will test it out tonight.

Also, in a lot of the recently written material I have read about DNS rebinding, it appears that it only works for attacking internal networks (as with your PoC).

Is this correct or can you use the attack against sites on the internet as well?


Re: DNS rebinding - current state
Posted by: ma1
Date: September 11, 2008 02:34AM

@digi7al64:
DNS rebinding is more likely to succeed against intranets because internet sites are usually virtual hosted and/or depend on the HOST header being correct, while intranet web apps can often be addressed by IP, ignoring HOST.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

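ma1's point, that rebinding mostly bites intranet apps because they answer regardless of the Host header, is also the server-side defence: after a rebinding the browser still sends the attacker's hostname in Host, so an app that only serves its own names refuses the request. The following is an added example for this thread, not code from any poster or from phpMyAdmin: a Host-header check with the allow-list, the sample requests and the helper names all constructed for illustration. It goes beyond the thread slightly in also rejecting bare IP literals and handling ports and IPv6 brackets.

```javascript
// Added example, not from the thread.  Server-side Host-header validation:
// a web app that only serves requests addressed to its own hostnames cannot
// be reached through a rebound attacker domain, because the browser keeps
// sending the attacker's hostname as Host.  Allow-list, sample requests and
// the 421 choice are assumptions for illustration.

// Names under which this (hypothetical) intranet app is legitimately reached.
const ALLOWED_HOSTS = new Set(["intranet.corp.example", "intranet"]);

// Parse a Host header value into { host, port }, accepting "[v6]:port" and
// "name:port".  Returns null on syntax the check should treat as hostile.
function parseHost(value) {
  const v = value.trim().toLowerCase();
  const m = v.match(/^(\[[0-9a-f:.]+\]|[^:]+)(?::(\d+))?$/);
  if (!m) return null;
  return { host: m[1], port: m[2] ? Number(m[2]) : null };
}

// IPv4 dotted quad or bracketed IPv6 literal.
function isIpLiteral(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// True if the request should be served.  Missing, unparsable, IP-literal and
// unknown hostnames are all refused; the port is ignored on purpose.
function hostAllowed(hostHeader, allowed = ALLOWED_HOSTS) {
  if (hostHeader === undefined || hostHeader === null) return false;
  const parsed = parseHost(hostHeader);
  if (!parsed) return false;
  if (isIpLiteral(parsed.host)) return false;
  return allowed.has(parsed.host.replace(/\.$/, ""));
}

// Minimal handler skeleton showing where the check sits: in front of routing,
// before any cookie or auth handling.  `req` mimics Node's IncomingMessage
// shape ({ headers: { host } }); a real server would wire this into http.createServer.
function handleRequest(req) {
  if (!hostAllowed(req.headers.host)) {
    // 421 Misdirected Request (RFC 7540 section 9.1.2); plain 400 is also common.
    return { status: 421, body: "Misdirected Request" };
  }
  return { status: 200, body: "application would route here" };
}
```

A request that arrives with Host: dnsrebinding.attacker.example, which is exactly what a rebound browser sends, is refused even though the TCP connection reached the intranet box; the same app reached as intranet.corp.example:8080 is served. This is the behaviour that makes virtual-hosted internet sites poor rebinding targets, and a default vhost that answers anything is what gives it away on the intranet.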
Re: DNS rebinding - current state
Posted by: lpilorz
Date: September 11, 2008 11:01AM

I just tested Google Chrome with this demo, and of course it's also vulnerable.

In a real world attack, there would be no need for email (data that is sent by email could be stored in a cookie for example) - you should only make sure that the victim returns to your site (or any site that has your iframe) after some time.
