Network Security Web-App-Sec

DNS Rebinding (or anti DNS pinning) - it's not just about the Intranet

Subject: DNS Rebinding (or anti DNS pinning) - it's not just about the Intranet
Date: Thu, 08 Nov 2007 22:08:26 +0200
Hi

This short writeup hopefully should not come as news to you. I don't claim to announce a new finding (in fact, it has all been mentioned earlier, see below). I merely try to point out some less discussed outcomes of DNS rebinding (which, BTW, I find to be a better term than "anti DNS pinning").

We're all hearing about how DNS rebinding can be used to scan and interact with Intranet sites, and in fact there are several suggestions to protect against DNS rebinding by disallowing external domains from binding/rebinding to Intranet addresses. I am afraid this only addresses a part of the larger DNS rebinding problem.

The way I see it, DNS rebinding at large provides the attacker with the ability to turn the victim's browser logically into a proxy server. Of course, it's not a regular forward proxy, neither from the protocol aspect (it doesn't listen on port 80; instead, the attacker needs to control it, probably via JS, somewhat similar to XSS exploitation frameworks), nor from the flexibility aspect (with a proxy server, practically all HTTP requests can be sent; with DNS rebinding, the attacker may be limited, depending on the exact technique used).

Here are two aspects of such unintended proxying (DNS rebinding) which have nothing to do with Intranets:

- The ability to scan 3rd party sites on the Internet. This turns the victim's machine into a (web app?) scanner. On a similar note, the victim's machine can be used to conduct any activity (possibly illegal, questionable or immoral), incriminating the victim and anonymizing the attacker at the same time.

- The ability to thwart IP-based server side logic. Obviously, the attacker now browses sites with the victim's IP. Any decision based on the client's IP address will now be applied to the victim's IP, rather than to the attacker's IP. This can be particularly nasty if the attacker attempts to impersonate the victim.

Again - this has all been documented earlier (proxy - e.g. David Byrne's BlackHat presentation: https://www.blackhat.com/presentations/bh-usa-07/Byrne/Presentation/bh-usa-07-byrne.pdf; scanning, IP-logic thwarting - e.g. Kanatoko's page: http://www.jumperz.net/index.php?i=2&a=3&b=3). But somehow too many times do I see DNS rebinding being equated to Intranet interaction, which is what I try to point out here as a partial view of the larger problem.

Thanks,
-Amit

PS - thanks to Dave Wichers whose private email to me triggered this post.
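The post's point is that filtering DNS answers for Intranet addresses leaves every Internet-facing site exposed to a rebound browser. The defence that covers those cases sits on the destination server: a rebound browser still sends the attacker's hostname in the Host header, because the page that issued the request was loaded from that name, so a server that only answers for its own names refuses the relayed request. The following is an added example, not code from the post or from any of the referenced authors; the hostnames (`www.example.com`, `attacker.example`), the `ALLOWED_HOSTS` set, the demo application and the request dictionaries are all constructed for illustration.

```python
"""Server-side defence against DNS rebinding: strict Host header checking.

Added example (not part of the mailing-list post). A browser rebound from
attacker.example to this server's IP still sends "Host: attacker.example",
so refusing every Host value that is not one of our own names rejects the
relayed request regardless of which network the server sits on. Hostnames,
the demo app and the request dicts below are constructed.
"""
from urllib.parse import urlsplit

# Constructed: the names this server legitimately serves.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def split_host_header(value):
    """Return (hostname, port) from a Host header value, or None if malformed.

    urlsplit handles bracketed IPv6 literals and lower-cases the hostname;
    anything beyond host[:port] (a path, userinfo, whitespace) is rejected.
    """
    if not value or any(ch.isspace() for ch in value):
        return None
    try:
        parts = urlsplit("//" + value)
        host = parts.hostname          # None if the netloc is empty
        port = parts.port              # ValueError on a non-numeric port
    except ValueError:
        return None
    if host is None or parts.username is not None:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return host, port


def host_is_allowed(value, allowed_hosts=ALLOWED_HOSTS, expected_port=None):
    """True only if the Host header names this server (and, optionally, its port)."""
    parsed = split_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if host not in allowed_hosts:          # exact match, never a suffix match
        return False
    # An absent port means the scheme default, which is accepted as well.
    return expected_port is None or port in (None, expected_port)


def reject_unknown_hosts(app, allowed_hosts=ALLOWED_HOSTS, expected_port=None):
    """WSGI middleware: answer 421 Misdirected Request unless Host is ours."""
    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST", "")   # absent Host (HTTP/1.0) is rejected too
        if not host_is_allowed(host, allowed_hosts, expected_port):
            body = b"421 Misdirected Request: unknown Host header\n"
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def _demo_app(environ, start_response):
    """Constructed stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the real application\n"]


def status_for(host_header, app=reject_unknown_hosts(_demo_app)):
    """Push one constructed request through the middleware; return the status line."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host_header}
    list(app(environ, start_response))   # consume the body
    return seen["status"]


if __name__ == "__main__":
    # Constructed requests: a genuine one, and ones relayed by a rebound browser.
    for host in ("www.example.com", "attacker.example", "10.0.0.5", ""):
        print(f"Host: {host!r:<22} -> {status_for(host)}")
```

The check has to run before any routing or authentication and has to be an exact match against a fixed list (a suffix or substring match lets an attacker pick a name that passes). Web frameworks usually expose the same policy as configuration (Django's `ALLOWED_HOSTS` is one instance); the point is that it belongs on the server being reached, including public Internet sites, rather than only on resolvers guarding Intranet address ranges.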



Current Thread: DNS Rebinding (or anti DNS pinning) - it's not just about the Intranet, Amit Klein