DNS rebinding first appeared 15 years ago. It was a clever penetration technique until web browsers were fixed. It now appears there is a workaround for the fix and residential gateway devices are the targets.
Craig Heffner, senior security engineer for Seismic LLC gave a talk at this year’s Black Hat conference called How to Hack Millions of Routers. A rather dramatic title, but his research uncovered an exploitable weakness.
The new attack leverages several concepts that aren’t well known. With that in mind, I would like to step through the process in a bit more detail.
DNS was created because it’s easier to remember words (domain names), than numbers (IP addresses). You type in a name and the web browser asks the appropriate DNS server for the IP address. In IT-speak, that means there is a binding between the domain name and associated IP address.
What might not be known is that quite often more than one IP address is bound to the same domain name. This is to facilitate load balancing or redundancy for web sites with critical uptime requirements. Using NS Lookup, one can see that Google has six IP addresses bound to Google.com:
Now let’s look at how the attack works.
The original attack
The DNS-rebinding attack requires the bad guys to set up a malicious web site. Or more insidiously, malicious web ads that are published on trusted sites. For example, the New York Times was caught up in such an attack.
To help explain, let’s say that example.com is such a web site. The victim visits example.com, causing a client-side script or applet to be downloaded onto the victim’s web browser. Once entrenched, the attacker’s web application asks to create a connection with example.com, separate from the web browser and hidden from the victim. The DNS server for example.com will then return the correct IP address for example.com, along with the private IP address of the victim’s computer.
Once that information is cached, the web app asks for more information from example.com. Knowing what’s going on, the attacker’s server responds with what is called a TCP reset. This is meant to deceive the supposedly legitimate web application (set up by the script) into believing the first IP address used for example.com is not working. So the web application checks its DNS cache and tries the second IP address for the domain name example.com.
Here‘s where it gets interesting. By using the second trusted IP address the malicious browser applet gains network-level access to the victim’s computer. That means the attacker can establish a session with any web server on the internal network if the web server’s private IP address is known.
Guess what uses web servers — most network devices and web-based email servers. All sorts of havoc can now be wreaked by the attacker.
Fixed the problem?
I mentioned earlier that this problem was fixed. Developers realized what was happening and changed how web browsers handle DNS responses. If the response contains a non-routable (RFC 1918) IP address, the packet is to be dropped. This change negated the attack vector and it disappeared for years.
The new attack
It’s common knowledge that configuration pages for residential network devices are accessed by entering the device’s internal IP address in the web browser. We now also know that spoofed DNS responses using private IP addresses are dropped.
So routers and such are safe now, right? Well maybe not. For some reason, you can enter the public or routable IP address of gateway devices/routers in the web browser and gain access to the configuration web page. Remember now, that http request is coming from a computer on the internal network.
What’s more, this approach works regardless if public-side access has been disabled in the gateway. I have an ActionTec gateway on my perimeter, and I was able to access the configuration pages using the public IP as shown below:
Mr. Heffner and the people at Seismic diligently tested most residential gateway routers and have come up with the following list of secure and vulnerable devices or third party firmware:
What this means
This attack vector is unsettling because it’s subtle. In most households, the gateway device provides DHCP information to all computers on the internal network. Besides providing the proper IP address for the computer, DHCP also publishes what DNS servers to use. If attackers gain access to the gateway device, they could change the DNS server entries to point to their malicious DNS servers and that’s not good at all.
Prevention is simple
This attack requires knowing the username and password to access the gateway device’s configuration web pages. The bad guys are hoping the default settings are still in use. So, make it hard for them. Change the user name if possible and replace the default password with a nasty and hard to figure out one. That should stop the attackers.
Another option is to require each and every web site to ask permission to load any kind of scripting. This is easy to do if you use the Firefox web browser. Get the NoScript add-on. In fact, Giorgio Maone, NoScript’s developer added a new feature in the latest version of NoScript. The feature is called Application Boundaries Enforcer and one of default rules prevents the DNS rebinding attack.
One final suggestion is to use well-respected DNS servers and hard code their IP addresses into the network adaptor’s configuration. I use OpenDNS. Doing so eliminates this and many other DNS-related exploits.
Mr. Heffner’s public IP rebinding attack is dangerous when successfully applied. Fortunately, it’s complex to pull off and easily thwarted. All we have to do is get people to stop using default login credentials. Please spread the word.