Cybercriminals can manage to compromise internal networks by abusing web-based consoles under a technique called DNS rebinding. It is a method that exposes the attack surface of internal web applications to malicious websites after being launched on victims’ browsers.
DNS rebinding workability
Popular browsers employ same-origin policy wherein various resources such as JavaScript, images, and CSS are loaded from the same server to run a web application.It has been found that attackers can use DNS rebinding to bypass this and allow cross-origin requests.
- The policy spots different origins of requests with a combo of URI scheme, port, and hostname. Among these components, browsers use hostnames to identify different servers on the internet. Hostnames are not bound to network devices and are resolved to IP addresses by DNS.
- IP addresses are given to devices statically or dynamically. As domain owners have full control over DNS records, they can resolve hostnames to arbitrary IP addresses. DNS rebinding abuses this privilege.
- After a victims’ web browser loads the malicious payloads from the attacker’s server, attackers can rebind their hostnames with their internal IP addresses redirecting to the target servers.
Internal penetration
- After launching a malicious site on victims’ browsers, attackers look for private IP addresses and ports to host vulnerable services prior to launching the DNS rebinding attack.
- Open ports provide details regarding exposed web applications behind IP addresses. Using the WebRTC method, malicious websites can scan the open web services inside local networks.
- After locating the targeted services, an attacker’s website can launch the DNS rebinding attack inside an iframe.
- The first request obtains the rebinding payload from a malicious hostname. This attack script continues to trigger repeated resolution for hostname till it rebinds to the targeted IP address. Then iframe can communicate continuously with the internal service without the victim’s knowledge.
Real attack
The DNS rebinding attack can use victims’ browsers as a proxy to expand the attack surface to private networks, as demonstrated by the researchers via a POC attack.
- It has been used to practically penetrate an open-source DNS rebinding platform known as Singularity. Researchers launched an RCE payload of Singularity in the simulation environment. They used it to target the Rails framework, in which the PUT APIs allow the users to run arbitrary system commands on the server.
- Any web application using this API will be required to generate a new token during runtime, and it is impossible to guess the valid API endpoint without reading the server response.
- After executing DNS binding, the Singularity RCE payload can obtain the token, and use it to reconstruct any desired URL.
Countermeasures
There are several protective methods in practice today Browser-based DNS pinning method; DNS-based using DNS caching software; Server-based mitigation implementing HTTPS communication on private services and; real-time DNS rebinding detection.
Final Thoughts
DNS rebinding technique is a serious threat. Web browser vendors, web application owners, and DNS resolvers need to apply appropriate protection strategies to ensure security against such threats.
