Home > CAPEC List > CAPEC-275: DNS Rebinding (Version 2.9)  

CAPEC-275: DNS Rebinding

 
DNS Rebinding
Definition in a New Window Definition in a New Window
Attack Pattern ID: 275
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker serves content whose IP address is resolved by a DNS server that it controls and after initial contact by a web browser or similar client it changes the IP address to which its name resolves to an address within the target browser's organization that is not publicly accessible, thus allowing the web browser to examine this internal address on its behalf. Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. In a DNS binding attack an attacker publishes content on their own server with their own name and DNS server. The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value. When the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible. This attack differs from pharming attacks in that the attacker is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services.

+ Attack Execution Flow
Explore
  1. Identify potential DNS rebinding targets:

    An attacker publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Attacker uses Web advertisements to attract the victim to access attacker's DNS. Explore the versions of web browser or flash players in HTTP request.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Old versions that have DNS rebinding vulnerabilities.

    env-All
    2Negative

    New versions that have fixed DNS rebinding vulnerabilities.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    A list of browser's information.
    2Failure
    No browser's information in HTTP request.
Experiment
  1. Establish initial target access to attacker DNS:

    The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value.

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker finds some local active servers.
    2Failure
    The attacker could not find any active local server.
  2. Rebind DNS resolution to target address:

    the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source.

    Outcomes

    IDTypeOutcome Description
    1Success
    Attacker rebinds victim's internal IP address of these servers with his server name.
    2Failure
    Attacker fails to rebind victim's internal IP address of these servers with his server name.
  3. Determine exploitability of DNS rebinding access to target address:

    The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses.

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker's script is executed in victim's browser.
    2Failure
    Malicious script is not executed in victim's browser, no HTTP request from the script.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor external names resolving to internal addresses.
    2Preventative
    Prevent external names from resolving to internal addresses.
Exploit
  1. Access & exfiltrate data within the victim's security zone:

    The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Attacker attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.

    env-Web
    2

    Attacker tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Two IP addresses placed in the same security zone communicating each other.
    2Success
    Attacker can scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.
    3Failure
    Attacker fails to access internal server's information.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Update browser or flash players to the latest version.
    2Preventative
    Prevent external names from resolving to internal addresses.
+ Attack Prerequisites
  • The target browser must access content server from the attacker controlled DNS name. Web advertisements are often used for this purpose. The target browser must honor the TTL value returned by the attacker and re-resolve the attackers' DNS name after initial contact.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances

Description

The attacker registers a domain name, such as www.evil.com with IP address 1.3.5.7, delegates it to his own DNS server (1.3.5.2), and uses phishing links or emails to get HTTP traffic. Instead of sending a normal TTL record, the DNS server sends a very short TTL record (for example, 1 second), preventing DNS response of entry[www.evil.com, 1.3.5.7] from being cached on victim's (192.168.1.10) browser. The attacker's server first responds to the victim with malicious script such as JavaScript, containing IP address (1.3.5.7) of the server. The attacker uses XMLHttpRequest (XHR) to send HTTP request or HTTPS request directly to the attackers' server and load response. The malicious script allows the attacker to rebind the host name to the IP address (192.168.1.2) of a target server that is behind the firewall. Then the server responds to attacker's real target, which is an internal host IP (192.168.1.2) in the same domain of the victim (192.168.1.10). Because the same name resolves to both these IP addresses, browsers will place both IP addresses (1.3.5.7 and 192.168.1.2) in the same security zone and allow information to flow between the addresses. Further, the attacker can achieve scanning and accessing all internal hosts in victim's local network (192.168.X.X). by sending multiple short-lived IP addresses.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Setup DNS server and attacker's web server. Write malicious script to allow victim to connect to web server.

+ Resources Required

The attacker must serve some web content that a victim accesses initially. This content must include executable content that queries the attackers' DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The attacker also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network.

+ Solutions and Mitigations

Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.

Implementation: Reject HTTP request with an malicious Host header

Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
+ Injection Vector

A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination.

+ Payload

DNS TTL record HTTP request with malicious DNS rebinds

+ Activation Zone

Victim's browser and victim's local network

+ Payload Activation Impact

This attack allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible.

+ Purposes
  • Exploitation
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
All
Platforms
All
Languages
All
+ References
[R.275.1] Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao and Dan Boneh. "Protecting Browsers from DNS Rebinding Attacks". In Proceedings of ACM CCS 07.
[R.275.2] [REF-6] "Wikipedia". DNS rebinding. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/DNS_rebinding>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015