"DNS rebinding" bypasses ABE LOCAL & same origin protection
http://blogs.forbes.com/firewall/2010/0 ... -web-hack/
https://www.blackhat.com/html/bh-us-10/ ... ml#Heffner
Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggering ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.
I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
OpenDNS has a settings against this?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
dhouwn wrote: OpenDNS has a settings against this?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
First of all, as far as I know DNS rebinding does NOT bypass ABE (ABE has specific safe-guards against DNS rebinding).
This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
al_9x wrote: I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.
Privacy concerns aside, having millions of NoScript users pinging an IP-echoing server every x minutes can be quite a burden for anyone who's not Google.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Giorgio Maone
- Site Admin
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
I'd like to see the talk/paper first: this might be the journalist asking "does NoScript block this" and the researcher answering "No", without even knowing/thinking about ABE.
BTW, where did you get the bit about attacking the public address rather than the private one?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Giorgio Maone wrote: This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
No, you've misunderstood it, the routers respond to requests addressed to the WAN IP on the LAN interface, there is no admin access on the WAN interface. The ABE local rule does not prevent this, because the destination ip is public. When combined with the rebinding hack this (allegedly, according to Heffner) also bypasses same origin giving access to the router.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Giorgio Maone
- Site Admin
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
al_9x wrote: No, you've misunderstood it, the routers respond to requests addressed to the WAN IP on the LAN interface, there is no admin access on the WAN interface.
Sorry, I don't get it completely.
I can see only two possible scenarios here:
- The router exposes its admin interface on the WAN IP (as well as on its LAN IP): this is plain stupid and an attack against it can't be blocked by ABE (because the WAN IP is not private by definition).
- The router does not expose its admin on the WAN IP, but only on its LAN (private) IP: this is the most common setup, AFAIK, and an attack against it requires the attacker to send a request to the LAN IP, which is blocked by ABE.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Giorgio Maone wrote: The expression "the routers respond to requests addressed to the WAN IP on the LAN interface" is rather obscure to me
I think our miscommunication stems from you conflating the meaning of "interface" and "IP," they are not the same. The "interface" is the physical/logical connection, the "IP" is the destination address slot in the IP packet header. Some routers will respond to connections on the LAN interface addressed to the WAN IP, I confirmed this on a Verizon dsl router. I believe this is a byproduct of some routers' loopback functionality, allowing connections to internal resources when addressing the WAN ip through the LAN interface (as if you're coming from the outside).
Giorgio Maone wrote: BTW, where did you get the bit about attacking the public address rather than the private one?
The private attack would be blocked by abe, so it's a non issue. Obviously the public attack is the more serious one.
Last edited by al_9x on Sat Jul 17, 2010 5:54 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Alan Baxter
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Just a data point here, since my six year old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Alan Baxter wrote: Just a data point here, since my six year old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Giorgio Maone
- Site Admin
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
OK, I can see what you're referring to. Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
- I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
- It should be something which raises no privacy concern
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Alan Baxter
- Ambassador
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Alan Baxter wrote: Just a data point here, since my six year old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
al_9x wrote: No, it's the case I am referring to.
It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
- Giorgio Maone
- Site Admin
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Alan Baxter wrote: Just a data point here, since my six year old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
al_9x wrote: No, it's the case I am referring to.
Alan Baxter wrote: It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?
Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:
Code:
# Replace 1.2.3.4 with your WAN IP
Site 1.2.3.4
Deny
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
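A simplified model of the point argued in this thread, added here as an example and not taken from NoScript or from any poster: ABE's default rule for local resources (`Site LOCAL` / `Accept from LOCAL` / `Deny`) never matches a request whose destination is the router's WAN IP, unless that IP is tracked as part of LOCAL. The function names are hypothetical, the addresses are constructed values from documentation ranges, and only resolved IPv4 addresses are modelled.

```python
import ipaddress

# IPv4 ranges this model treats as LOCAL: loopback, RFC 1918, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


def is_local(ip, wan_ip=None):
    """True if ip is in a local range or equals the tracked WAN IP."""
    addr = ipaddress.ip_address(ip)
    if wan_ip is not None and addr == ipaddress.ip_address(wan_ip):
        return True
    return any(addr in net for net in LOCAL_NETS)


def local_rule_verdict(origin_ip, dest_ip, wan_ip=None):
    """Model of 'Site LOCAL / Accept from LOCAL / Deny' on resolved IPs.

    Returns 'deny', 'accept', or 'no-match' when the rule does not apply.
    """
    if not is_local(dest_ip, wan_ip):
        return "no-match"
    return "accept" if is_local(origin_ip, wan_ip) else "deny"


def abe_user_rule(wan_ip):
    """Render the USER rule from the post for a validated WAN IP."""
    return f"Site {ipaddress.ip_address(wan_ip)}\nDeny"


if __name__ == "__main__":
    # Constructed addresses: external page, router LAN IP, router WAN IP.
    page, router_lan, wan = "203.0.113.10", "192.168.1.1", "198.51.100.7"
    print(local_rule_verdict(page, router_lan))       # LAN IP is covered
    print(local_rule_verdict(page, wan))              # WAN IP is not
    print(local_rule_verdict(page, wan, wan_ip=wan))  # covered once tracked
    print(abe_user_rule(wan))
```

Unlike the tracked-WAN-IP model, the USER rule quoted in the post denies every request to the WAN IP, including those that originate on the LAN.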
- Alan Baxter
- Ambassador
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Giorgio Maone wrote: Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:
...
Done. Thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect
Giorgio Maone wrote: OK, I can see what you're referring to.
It doesn't matter now that we're in sync, but it occurred to me that a better way to put it, is that "IP" can be both a reference to the interface and the destination address of the connection. I was using it in the latter sense, and you were thinking of it in the former.
Giorgio Maone wrote: Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
- I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
- It should be something which raises no privacy concern
Any idea?
I (and I would imagine others) dislike it when any software starts quietly making unsolicited background connections ostensibly for my benefit. Since you are making it a default it would be a good idea to ask the user something like "in order to protect you from ... NoScript needs to periodically connect to ... to look up your public IP, allow?"
I am aware of one such service http://www.dyndns.com/developers/checkip.html.
To maximize privacy it would be good to strip all headers making as plain and generic an http request as possible.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6