WebApp Sec mailing list archives

DNS Rebinding (or anti DNS pinning) - it's not just about the Intranet


From: Amit Klein <aksecurity () gmail com>
Date: Thu, 08 Nov 2007 22:08:26 +0200

Hi

This short writeup hopefully should not come as news to you. I don't claim to announce a new finding (in fact, it has all been mentioned earlier, see below). I merely try to point out some less discussed outcomes of DNS rebinding (which, BTW, I find to be a better term than "anti DNS pinning").

We're all hearing about how DNS rebinding can be used to scan and interact with Intranet sites, and in fact there are several suggestions to protect against DNS rebinding by disallowing external domains from binding/rebinding to Intranet addresses. I am afraid this only addresses a part of the larger DNS rebinding problem.

The way I see it, DNS rebinding at large provides the attacker with the ability to turn the victim's browser logically into a proxy server. Of course, it's not a regular forward proxy, neither from the protocol aspect (it doesn't listen on port 80; instead, the attacker needs to control it, probably via JS, somewhat similar to XSS exploitation frameworks), nor from the flexibility aspect (with a proxy server, practically all HTTP requests can be sent; with DNS rebinding, the attacker may be limited, depending on the exact technique used).

Here are two aspects of such unintended proxying (DNS rebinding) which have nothing to do with Intranets:

- The ability to scan 3rd party sites on the Internet. This turns the victim's machine into a (web app?) scanner. On a similar note, the victim's machine can be used to conduct any activity (possibly illegal, questionable or immoral), incriminating the victim and anonymizing the attacker at the same time.

- The ability to thwart IP-based server side logic. Obviously, the attacker now browses sites with the victim's IP. Any decision based on the client's IP address will now be applied to the victim's IP, rather than to the attacker's IP. This can be particularly nasty if the attacker attempts to impersonate the victim.

Again - this has all been documented earlier (proxy - e.g. David Byrne's BlackHat presentation: https://www.blackhat.com/presentations/bh-usa-07/Byrne/Presentation/bh-usa-07-byrne.pdf; scanning, IP-logic thwarting - e.g. Kanatoko's page: http://www.jumperz.net/index.php?i=2&a=3&b=3). But somehow, too many times I see DNS rebinding being equated with Intranet interaction, which, as I try to point out here, is only a partial view of the larger problem.

Thanks,
-Amit

PS - thanks to Dave Wichers whose private email to me triggered this post.
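The server-side counterpart to the point above, as an added example that is not part of Amit's post: a public site that must not trust the client IP (it is the victim's, not the attacker's) can instead reject any request whose Host header is not its own name, since a rebound browser still sends the attacker's hostname in Host. The site names, the sample requests and the helper names are constructed for illustration.

```python
# Added example: Host-header allowlist as a DNS-rebinding check for a public
# (non-Intranet) site. Client IP is ignored on purpose: in the rebinding case
# it belongs to the victim, so IP-based decisions would be applied to them.
import ipaddress

ALLOWED_HOSTS = {"www.example.org", "example.org"}  # assumed site names


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only when the Host header names this site."""
    if host_header is None:
        return False
    host = host_header.strip().lower()
    # Strip an optional port: "www.example.org:443" -> "www.example.org";
    # bracketed IPv6 literals such as "[::1]:8080" are handled separately.
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    else:
        host, _, _ = host.partition(":")
    # Bare IP literals are rejected as well: real clients reach the site by
    # name, and a rebound browser may be pointed straight at the address.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.rstrip(".") in allowed


# Constructed sample requests as a web server would see them: (Host, client IP).
SAMPLE_REQUESTS = [
    ("www.example.org", "203.0.113.7"),      # ordinary visitor
    ("www.example.org:443", "203.0.113.7"),  # same visitor, explicit port
    ("attacker.example", "203.0.113.7"),     # rebound browser, same victim IP
    ("203.0.113.42", "203.0.113.7"),         # request addressed to a bare IP
    (None, "203.0.113.7"),                   # HTTP/1.0 request without Host
]


def classify(requests):
    """Return 'serve' or 'reject' per request, judging by Host only."""
    return ["serve" if host_is_allowed(host) else "reject" for host, _ip in requests]


if __name__ == "__main__":
    for (host, ip), verdict in zip(SAMPLE_REQUESTS, classify(SAMPLE_REQUESTS)):
        print(f"{str(host):24} from {ip}: {verdict}")
```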

