WebApp Sec: DNS Rebinding (or anti DNS pinning) - it's not just about the Intranet

From: Amit Klein <aksecurity_at_gmail.com>
Date: Thu, 08 Nov 2007 22:08:26 +0200

Hi

This short writeup hopefully should not come as news to you. I don't
claim to announce a new finding (in fact, it has all been mentioned
earlier, see below). I merely try to point out some less discussed
outcomes of DNS rebinding (which, BTW, I find to be a better term than
"anti DNS pinning").

We're all hearing about how DNS rebinding can be used to scan and
interact with Intranet sites, and in fact there are several suggestions
to protect against DNS rebinding by disallowing external domains from
binding/rebinding to Intranet addresses. I am afraid this only addresses
a part of the larger DNS rebinding problem.

The way I see it, DNS rebinding at large provides the attacker with the
ability to turn the victim's browser logically into a proxy server. Of
course, it's not a regular forward proxy, neither from the protocol
aspect (it doesn't listen on port 80; instead, the attacker needs to
control it, probably via JS, somewhat similar to XSS exploitation
frameworks), nor from the flexibility aspect (with a proxy server,
practically all HTTP requests can be sent; with DNS rebinding, the
attacker may be limited, depending on the exact technique used).

Here are two aspects of such unintended proxying (DNS rebinding) which
have nothing to do with Intranets:

- The ability to scan 3rd party sites on the Internet. This turns the
victim's machine into a (web app?) scanner. On a similar note, the
victim's machine can be used to conduct any activity (possibly illegal,
questionable or immoral), incriminating the victim and anonymizing the
attacker at the same time.

- The ability to thwart IP-based server side logic. Obviously, the
attacker now browses sites with the victim's IP. Any decision based on
the client's IP address will now be applied to the victim's IP, rather
than to the attacker's IP. This can be particularly nasty if the
attacker attempts to impersonate the victim.

Again - this has all been documented earlier (proxy - e.g. David Byrne's
BlackHat presentation:
https://www.blackhat.com/presentations/bh-usa-07/Byrne/Presentation/bh-usa-07-byrne.pdf;
scanning, IP-logic thwarting - e.g. Kanatoko's page:
http://www.jumperz.net/index.php?i=2&a=3&b=3). But somehow, too many
times I see DNS rebinding being equated with Intranet interaction,
which is what I try to point out here as a partial view of the larger
problem.

Thanks,
-Amit

PS - thanks to Dave Wichers whose private email to me triggered this post.
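Added example (not code from Amit's message or from either cited reference): a Python model of the "browser as proxy" scenario described above. It plays the attacker's authoritative DNS (first answer the attacker's server, every later answer the target), runs the victim's same-origin request through a client-side filter that only refuses rebinds to Intranet ranges, and shows that a rebind to a public Internet address passes that filter while the target still sees the victim's source address. It also shows a server-side Host header check, which catches the rebound request regardless of address range because the browser still sends the attacker's hostname. All names and addresses (attacker.example, www.target.example, 198.51.100.7, 203.0.113.10, 10.0.0.5, 192.0.2.44) are constructed for the example.

```python
"""Model of the DNS rebinding 'browser as proxy' scenario.

Constructed names and addresses (assumptions, not from the original post):
  attacker.example  -> attacker's domain, DNS under attacker control
  198.51.100.7      -> attacker's web server
  203.0.113.10      -> a third-party Internet site (www.target.example)
  10.0.0.5          -> an Intranet host
  192.0.2.44        -> the victim's public IP
"""
import ipaddress
from dataclasses import dataclass

# Ranges an "Intranet-only" client-side filter typically refuses to rebind to.
INTRANET_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class RebindingResolver:
    """Attacker DNS: the first answer is the attacker's server (so the page
    carrying the controlling JS loads); every later answer is the target.
    TTL is treated as zero, so the next request triggers a fresh lookup."""
    attacker_ip: str
    target_ip: str
    lookups: int = 0

    def resolve(self, name: str) -> str:
        self.lookups += 1
        return self.attacker_ip if self.lookups == 1 else self.target_ip


def intranet_only_filter(ip: str) -> bool:
    """Client-side defence of the kind the post discusses: refuse a rebind
    only when the new address is an Intranet/loopback address.
    Returns True when the request is allowed to proceed."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTRANET_RANGES)


@dataclass
class ProxiedRequest:
    """What the target server receives after the browser follows the rebind."""
    dest_ip: str      # where the victim's browser connected
    source_ip: str    # the address the target sees: the victim's, not the attacker's
    host_header: str  # still the attacker's hostname (same-origin from the browser's view)
    path: str
    delivered: bool   # False if the client-side filter refused the rebind


def browser_session(resolver, rebind_filter, victim_ip, path="/"):
    """Victim browser: load attacker.example (answer 1), then the attacker's
    JS issues a same-origin XMLHttpRequest that resolves again (answer 2)."""
    hostname = "attacker.example"
    resolver.resolve(hostname)               # page load: attacker's own server
    rebound_ip = resolver.resolve(hostname)  # XHR after TTL expiry: the target
    return ProxiedRequest(
        dest_ip=rebound_ip,
        source_ip=victim_ip,
        host_header=hostname,
        path=path,
        delivered=rebind_filter(rebound_ip),
    )


def host_header_check(host_header: str, served_hosts) -> bool:
    """Server-side defence that does not depend on address ranges: only
    answer requests whose Host header names a hostname this server owns.
    A rebound request still carries the attacker's hostname."""
    host = host_header.split(":", 1)[0].lower()
    return host in {h.lower() for h in served_hosts}


def scenarios():
    """Run the Intranet and Internet targets through the same filter."""
    victim = "192.0.2.44"
    attacker = "198.51.100.7"
    intranet = browser_session(RebindingResolver(attacker, "10.0.0.5"),
                               intranet_only_filter, victim, "/admin")
    internet = browser_session(RebindingResolver(attacker, "203.0.113.10"),
                               intranet_only_filter, victim, "/vote?id=1")
    return {
        "intranet_blocked": not intranet.delivered,
        "internet_delivered": internet.delivered,
        "target_sees_victim_ip": internet.source_ip == victim,
        "host_check_rejects": not host_header_check(internet.host_header,
                                                    {"www.target.example"}),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The filter refuses the rebind to 10.0.0.5 but lets 203.0.113.10 through, and the request that reaches www.target.example originates from 192.0.2.44 with `Host: attacker.example`; that Host value is what a server-side check can key on, since the address-range filter on the client never sees a problem.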

Received on Nov 08 2007
