CAPEC-275 - DNS Rebinding

An attacker serves content whose IP address is resolved by a DNS server that it controls and after initial contact by a web browser or similar client it changes the IP address to which its name resolves to an address within the target browser's organization that is not publicly accessible, thus allowing the web browser to examine this internal address on its behalf. Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. In a DNS binding attack an attacker publishes content on their own server with their own name and DNS server. The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value. When the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible. This attack differs from pharming attacks in that the attacker is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 2
  • Protocol Manipulation
  • Injection
  • Purposes 2
  • Exploitation
  • Penetration
  • Scopes 7
  • Modify files or directories
  • Integrity
  • Read files or directories
  • Confidentiality
  • Modify application data
  • Integrity
  • Read application data
  • Confidentiality
  • Execute unauthorized code or commands
  • Authorization
  • Gain privileges / assume identity
  • Non-Repudiation
  • Authorization
  • Authentication
  • Accountability
  • Bypass protection mechanism
  • Authorization
  • Access_Control

Medium level: Setup DNS server and attacker's web server. Write malicious script to allow victim to connect to web server.

The target browser must access content server from the attacker controlled DNS name. Web advertisements are often used for this purpose. The target browser must honor the TTL value returned by the attacker and re-resolve the attackers' DNS name after initial contact.

The attacker must serve some web content that a victim accesses initially. This content must include executable content that queries the attackers' DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The attacker also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network.

Step 1 - Identify potential DNS rebinding targets

An attacker publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version..

Tecnique ID: 1 - Environment(s) env-All

Attacker uses Web advertisements to attract the victim to access attacker's DNS. Explore the versions of web browser or flash players in HTTP request.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Old versions that have DNS rebinding vulnerabilities.

Indicator ID: 2 - Environment(s) env-All

Type: Negative

New versions that have fixed DNS rebinding vulnerabilities.


Outcome ID: 1

Type: Success

A list of browser's information.

Outcome ID: 2

Type: Failure

No browser's information in HTTP request.



Step 1 - Establish initial target access to attacker DNS

The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value..

Step 2 - Rebind DNS resolution to target address

the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source..

Step 3 - Determine exploitability of DNS rebinding access to target address

The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses..


Step 1 - Access & exfiltrate data within the victim's security zone

The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise..

Tecnique ID: 1 - Environment(s) env-Web

Attacker attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.

Tecnique ID: 2 - Environment(s) env-Web

Attacker tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

Security Control ID: 1

Type: Preventative

Update browser or flash players to the latest version.

Security Control ID: 2

Type: Preventative

Prevent external names from resolving to internal addresses.


Outcome ID: 1

Type: Success

Two IP addresses placed in the same security zone communicating each other.

Outcome ID: 2

Type: Success

Attacker can scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

Outcome ID: 3

Type: Failure

Attacker fails to access internal server's information.



Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.

Implementation: Reject HTTP request with an malicious Host header

Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.