DNS rebinding attacks explained: The lookup is coming from inside the house!

DNS Rebinding Attacks Explained
In this section, the concept of DNS rebinding attacks is introduced, explaining how attackers can exploit this technique to access internal applications running on local machines or networks. Real-world scenarios are provided to illustrate how attackers can gain unauthorized access to applications that were not meant to be publicly available.
Real Vulnerability in Deluge BitTorrent Client
A specific vulnerability in the Deluge BitTorrent client is discussed, highlighting how DNS rebinding could have been used to read arbitrary files from a local system. The example demonstrates how attackers can leverage DNS rebinding to access applications running locally on the victim's machine through the victim's browser.
DNS Rebinding Attack Process
The process of a DNS rebinding attack is outlined: the attacker's DNS server first answers the lookup for the attacker's domain with a public IP address, then answers subsequent lookups with a local IP address. Because scripts loaded from the original domain still run under that domain's origin, they can now reach web applications on the victim's local machine or network, even bypassing some authentication mechanisms.
Tools for Automating DNS Rebinding Attacks
Various tools, such as Tavis Ormandy’s Simple DNS Rebinding Service and NCCGroup’s Singularity of Origin, are mentioned as ways to automate DNS rebinding attacks. These tools can exploit vulnerabilities in web applications and services that are accessible locally but may be vulnerable to DNS rebinding attacks.
Exploitation Techniques in Deluge BitTorrent Client
The vulnerability in the Deluge client that allowed for a path traversal attack to read arbitrary files is detailed. Attackers could exploit this vulnerability to download and run malicious plugins on vulnerable machines, even if the services were only accessible locally. DNS rebinding attacks could be used to access the vulnerable service from a malicious website.
Proactive Protection Against DNS Attacks
To protect against DNS rebinding attacks, it is recommended to serve applications over HTTPS, check the Host header of every request, and deny any request whose Host header does not strictly match an allow list of expected values. These proactive measures help prevent unauthorized access to internal applications through DNS rebinding.
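The Host header check described above, as an added example that is not code from the article or from Deluge. A rebound request still carries the attacker's domain in its Host header (the browser fills it from the URL it navigated to, not from the IP it connected to), so a local service that only accepts Host values from an allow list refuses it before any handler runs. The allow list and the WSGI wrapper are constructed for illustration.

```python
import re

# Constructed allow list for a hypothetical local web UI; real deployments list
# every hostname and address users are expected to type into the browser.
# IPv6 literals keep their brackets, matching how browsers send them.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Strict Host grammar: a DNS name or IPv4 literal, or a bracketed IPv6 literal,
# optionally followed by ":port". Userinfo, paths, spaces and the like are rejected.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?$"
)


def normalise_host(host_header):
    """Canonical hostname from a Host header value, or None if absent or malformed."""
    if host_header is None:
        return None
    m = _HOST_RE.match(host_header)
    if m is None:
        return None
    if m.group("port") is not None and int(m.group("port")) > 65535:
        return None
    host = m.group("host").lower()
    if not host.startswith("["):
        host = host.rstrip(".")  # "localhost." names the same host as "localhost"
    return host or None


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the Host header names an entry on the allow list."""
    host = normalise_host(host_header)
    return host is not None and host in allowed


def host_check_middleware(app, allowed=ALLOWED_HOSTS):
    """WSGI wrapper: requests whose Host is not on the allow list never reach app."""
    def wrapped(environ, start_response):
        if host_allowed(environ.get("HTTP_HOST"), allowed):
            return app(environ, start_response)
        start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
        return [b"Host header not recognised\n"]
    return wrapped


def run_request(app, host):
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    status = []
    environ = {"HTTP_HOST": host} if host is not None else {}
    body = app(environ, lambda s, h: status.append(s))
    return status[0], b"".join(body)
```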