In private networks, web services are kept isolated from the outside online world. Still, cybercriminals can manage to compromise internal networks by abusing web-based consoles under a technique called DNS rebinding. It is a method that exposes the attack surface of internal web applications to malicious websites after being launched on victims' browsers.
To understand how private networks are penetrated, let’s understand how DNS rebinding works on modern browsers, such as Chrome and Firefox.
How does DNS rebinding work?
- The policy spots different origins of requests (e.g. same server as itself or other) with a combo of URI scheme, port, and hostname. Among these components, browsers use hostnames to identify different servers on the internet. However, hostnames are not bound to network devices and are resolved to IP addresses by DNS.
- IP addresses are given to devices statically or dynamically. As domain owners have full control over DNS records, they can resolve hostnames to arbitrary IP addresses. DNS rebinding abuses this privilege.
- After a victims' web browser loads the malicious payloads from the attacker’s server, attackers can rebind their hostnames with their internal IP addresses redirecting to the target servers.
Private networks penetration
According to researchers from Palo Alto Networks' Unit 42, it starts with fooling victims into opening malicious websites with social engineering tactics (e.g. phishing emails and cybersquatting).
- After launching a malicious site on victims' browsers, attackers look for private IP addresses and ports to host vulnerable services prior to launching the DNS rebinding attack.
- Open ports provide details regarding exposed web applications behind IP addresses. Moreover, using the WebRTC method, malicious websites can scan the open web services inside local networks.
- After locating the targeted services, an attacker's website can launch the DNS rebinding attack inside an iframe.
- The first request obtains the rebinding payload from a malicious hostname. This attack script continues to trigger repeated resolution for hostname till it rebinds to the targeted IP address. Then iframe can communicate continuously with the internal service without the victim’s knowledge.
Use in real-world attacks
The DNS rebinding attack can use victims' browsers as a proxy to expand the attack surface to private networks, as demonstrated by the researchers via a POC attack.
- It has been used to practically penetrate an open-source DNS rebinding platform known as Singularity.
- Researchers launched an RCE payload of Singularity in the simulation environment. They used it to target the Rails framework, in which the PUT APIs allow the users to run arbitrary system commands on the server.
- Any web application using this API will be required to generate a new token during runtime, and it is impossible to guess the valid API endpoint without reading the server response.
- However, after executing DNS binding, the Singularity RCE payload can obtain the token, and use it to reconstruct any desired URL.
The many workarounds
There are several protective methods in practice today — Browser-based DNS pinning method; DNS-based using DNS caching software; Server-based mitigation implementing HTTPS communication on private services and; real-time DNS rebinding detection.
DNS rebinding technique is a serious threat. Web browser vendors, web application owners, and DNS resolvers need to apply appropriate protection strategies to ensure security against such threats.