There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in modern browsers
1. There’s no place like 127.0.0.1
Achieving “reliable” DNS rebinding in modern browsers
2. $ whoami
Luke Young - Sr. Information Security Engineer at LinkedIn
Email: lyoung@linkedin.com or luke@bored.engineer
LinkedIn: www.linkedin.com/in/bored-engineer
3rd year at DEF CON
Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5
Investigating the Practicality and Cost of Abusing Memory Errors
18–27. browser
Sequence diagram, built up one message per slide across slides 18 to 27 and collapsed here into a single sequence.
Participants: Chris's browser; dns.corp (10.0.0.1); attackerdoma.in (137.137.137.137); code.corp (10.0.0.99)
DNS Question (A) rebind.attackerdoma.in: browser, via dns.corp, to attackerdoma.in
DNS Answer (A) TTL 2 - 137.137.137.137: attackerdoma.in, via dns.corp, back to the browser
HTTP GET / (Host: rebind.attackerdoma.in): browser to attackerdoma.in at 137.137.137.137
200 OK <script>let DNSRebind…: attackerdoma.in to the browser
DNS Question (A) rebind.attackerdoma.in: browser, via dns.corp, to attackerdoma.in (the 2-second TTL has expired)
DNS Answer (A) TTL 60 - 10.0.0.99: attackerdoma.in, via dns.corp, back to the browser
HTTP GET /Secrets.txt (Host: rebind.attackerdoma.in): browser to code.corp at 10.0.0.99
200 OK Billion $ Business Plan: code.corp to the browser
30. DNS Rebinding Gotchas
Chris has to visit the malicious webpage
We required internal knowledge of the Acme network
We had to know the internal IP of code.corp.acme.com beforehand
Notoriously unreliable
35. DNS Rebinding Unreliability
Browser DNS Caches
OS DNS Caches
Nameserver DNS Caches
Browser Protections
Additional Network Protections
General hackiness
42. Why isn’t this fixed yet?
It’s not the browser’s fault, and it’s not easy to fix.
“I'd also recommend that Firefox not fix this issue. It's not feasible for the browser to protect the user from DNS rebinding attacks. Servers need to protect themselves by validating the Host header and firewalls need to protect themselves by preventing external names from resolving to internal IP addresses.” - Commenter on Mozilla Firefox Bug 689835
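The server-side mitigation the quoted commenter names, validating the Host header, as an added Python example; this is not code from the talk or from the jaqen project. In the walkthrough on slides 18 to 27 the rebound request reaches code.corp (10.0.0.99) carrying Host: rebind.attackerdoma.in, so a server that answers only for the names it is actually known by refuses it. The allowlist, the port list and the 421 response are assumptions chosen for the example.

```python
"""Host header validation, the server-side DNS rebinding mitigation.

Added example, not code from the talk or from the jaqen project. The rebound
request arrives over an ordinary TCP connection to 10.0.0.99 but carries the
attacker's name in Host; comparing that name against an explicit allowlist is
what stops it. The allowlist below is constructed for the example.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed allowlist: the names (and the literal address) code.corp is reached by.
ALLOWED_HOSTS = ("code.corp", "code.corp.acme.com", "10.0.0.99")
ALLOWED_PORTS = (80, 443)


def split_host_port(value: str) -> tuple[str, Optional[int]]:
    """Split a raw Host header into (host, port). Raises ValueError on malformed input."""
    v = value.strip()
    if v.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:8080
        end = v.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = v[1:end], v[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        return host, int(rest[1:])
    if v.count(":") > 1:                       # unbracketed IPv6 is ambiguous; refuse it
        raise ValueError("IPv6 literal must be bracketed")
    if ":" in v:
        host, port = v.split(":", 1)
        return host, int(port)                 # non-numeric port raises ValueError
    return v, None


def normalize_host(name: str) -> str:
    """Case-fold, drop a trailing FQDN dot, reject an empty name, canonicalize IP literals."""
    n = name.strip().lower().rstrip(".")
    if not n:
        raise ValueError("empty host")
    try:
        return str(ipaddress.ip_address(n))    # so equivalent IPv6 spellings compare equal
    except ValueError:
        return n


def host_allowed(host_header: Optional[str],
                 allowed: Iterable[str] = ALLOWED_HOSTS,
                 allowed_ports: Iterable[int] = ALLOWED_PORTS) -> bool:
    """True only if the Host header names this service on a port it serves."""
    if host_header is None:
        return False                           # HTTP/1.1 requires Host; treat absence as hostile
    try:
        host, port = split_host_port(host_header)
        host = normalize_host(host)
    except ValueError:
        return False
    if port is not None and port not in tuple(allowed_ports):
        return False
    return host in {normalize_host(a) for a in allowed}


def handle_request(headers: dict) -> tuple[int, str]:
    """Minimal request gate: 421 Misdirected Request for a Host we do not serve, else 200."""
    if not host_allowed(headers.get("Host")):
        return 421, "Misdirected Request"
    return 200, "OK"


if __name__ == "__main__":
    for h in ("code.corp", "CODE.CORP.", "10.0.0.99:443", "rebind.attackerdoma.in", "code.corp:8080"):
        print(f"{h!r:32} -> {handle_request({'Host': h})}")
```

The check deliberately compares against a fixed list rather than against the address the socket was accepted on: the rebound connection really does arrive on 10.0.0.99, so only the name the client asked for distinguishes it from a legitimate request.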
45. Reliable DNS Rebinding - Jaqen
On the fly IP/port allocation
Dynamic payloads
“Intelligent” method selection
IPv6 and IPv4 support
46. TTLRebind
Relies on TTL expiration
First request triggers change
Exponential back-off TTLs (1, 2, 4, 8, 16, …)
47. TTLRebind
;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local. IN A
;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local. 2 IN A 203.0.113.1
;; QUESTION SECTION:
;00000000-0000-0000-0000-000000000000.jaqen.local. IN A
;; ANSWER SECTION:
00000000-0000-0000-0000-000000000000.jaqen.local. 2 IN A 192.168.1.1
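The network-side mitigation from the slide 42 quote, a resolver or egress firewall refusing external names that resolve to internal addresses, run over constructed observations that follow the TTLRebind sequence in the dig output above and the slide 18 to 27 walkthrough. This is an added Python example, not code from the talk or from jaqen; the internal zone list, the 60-second flip window and the observation timestamps are assumptions made for the example. dnsmasq's --stop-dns-rebind option is a real implementation of the same idea.

```python
"""Resolver-side DNS rebinding filter.

Added example, not code from the talk or from jaqen. A recursive resolver or
egress firewall refuses A/AAAA answers in which a name outside the
organisation's own zones points at a private, loopback or link-local address,
and it also reports the TTLRebind signature itself: the same name flipping from
a public address to a non-public one within one short TTL window. The internal
zone list and the observations are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: zones that may legitimately resolve to RFC 1918 space.
INTERNAL_ZONES = ("corp", "acme.com")

# Address ranges that an external name has no business resolving to.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # shared address space, RFC 6598
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "0.0.0.0/8", "::/128",                              # "this host"
    "fc00::/7",                                         # IPv6 unique local
)]


def is_non_public(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:10.0.0.99 is really 10.0.0.99
    return any(ip in net for net in NON_PUBLIC)


def is_internal_name(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


@dataclass(frozen=True)
class Answer:
    name: str
    ttl: int
    address: str


class RebindFilter:
    """Stateful check applied to each answer a resolver is about to hand to clients."""

    def __init__(self, flip_window: float = 60.0):
        self.flip_window = flip_window
        self._last: dict[str, tuple[str, int, float]] = {}   # name -> (address, ttl, seen_at)

    def check(self, ans: Answer, now: float) -> list[str]:
        """Return the reasons to drop this answer; an empty list means pass it through."""
        name = ans.name.lower().rstrip(".")
        reasons = []
        non_public = is_non_public(ans.address)
        if non_public and not is_internal_name(name):
            reasons.append(f"external name {name} resolved to non-public {ans.address}")
        prev = self._last.get(name)
        if prev is not None:
            prev_addr, prev_ttl, seen_at = prev
            if not is_non_public(prev_addr) and non_public and now - seen_at <= self.flip_window:
                reasons.append(f"flip {prev_addr} (TTL {prev_ttl}) -> {ans.address} after {now - seen_at:.0f}s")
        # Short TTLs alone are not flagged: CDNs use them legitimately. They are only recorded
        # so that a later flip can be attributed to the low-TTL answer that set it up.
        self._last[name] = (ans.address, ans.ttl, now)
        return reasons


def run_demo() -> list[tuple[str, str, list[str]]]:
    """Constructed observations in the order dns.corp would see them (addresses taken from the deck)."""
    observed = [
        (0.0, Answer("rebind.attackerdoma.in", 2, "137.137.137.137")),
        (0.0, Answer("code.corp", 60, "10.0.0.99")),
        (3.0, Answer("rebind.attackerdoma.in", 60, "10.0.0.99")),
        (0.0, Answer("00000000-0000-0000-0000-000000000000.jaqen.local.", 2, "203.0.113.1")),
        (2.5, Answer("00000000-0000-0000-0000-000000000000.jaqen.local.", 2, "192.168.1.1")),
    ]
    f = RebindFilter()
    return [(a.name, a.address, f.check(a, t)) for t, a in observed]


if __name__ == "__main__":
    for name, addr, reasons in run_demo():
        print(f"{name} -> {addr}: {'PASS' if not reasons else 'DROP ' + '; '.join(reasons)}")
```

The first rule alone already drops the rebound answer; the flip rule exists for the logs, because a name that served a 2-second public answer and then a non-public one is the pattern the Jaqen TTLRebind method produces and is worth alerting on even where the internal zone list is incomplete.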
56. Future of jaqen
Bug fixes. Lots of bug fixes.
Dockerize?
Automated browser testing
57. $ exit
Luke Young - (lyoung@linkedin.com)
Personal Blog (with slides): bored.engineer
LinkedIn Blog Post: security.linkedin.com/blog
GitHub: github.com/linkedin/jaqen