"DNS rebinding" bypasses ABE LOCAL & same origin protection

Bug reports and enhancement requests
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

"DNS rebinding" bypasses ABE LOCAL & same origin protection

Post by al_9x »

http://blogs.forbes.com/firewall/2010/0 ... -web-hack/
https://www.blackhat.com/html/bh-us-10/ ... ml#Heffner

Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggering ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.

I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by dhouwn »

OpenDNS has a setting against this?
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by al_9x »

Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Giorgio Maone »

First of all, as far as I know DNS rebinding does NOT bypass ABE (ABE has specific safe-guards against DNS rebinding).
This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
al_9x wrote:I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.
Privacy concerns aside, having millions of NoScript users pinging an IP-echoing server every x minutes can be quite a burden for anyone who's not Google :P
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Giorgio Maone »

I'd like to see the talk/paper first: this might be the journalist asking "does NoScript block this" and the researcher answering "No", without even knowing/thinking about ABE.

BTW, where did you get the bit about attacking the public address rather than the private one?
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by al_9x »

Giorgio Maone wrote:This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
No, you've misunderstood it, the routers respond to requests addressed to the WAN IP on the LAN interface, there is no admin access on the WAN interface. The ABE local rule does not prevent this, because the destination ip is public. When combined with the rebinding hack this (allegedly, according to Heffner) also bypasses same origin giving access to the router.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Giorgio Maone »

al_9x wrote:No, you've misunderstood it, the routers respond to requests addressed to to the WAN IP on the LAN interface, there is no admin access on the WAN interface.
Sorry, I don't get it completely.
I can see only two possible scenarios here:
  1. The router exposes its admin interface on the WAN IP (as well as on its LAN IP): this is plain stupid and an attack against it can't be blocked by ABE (because the WAN IP is not private by definition).
  2. The router does not expose its admin on the WAN IP, but only on its LAN (private) IP: this is the most common setup, AFAIK, and an attack against it requires the attacker to send a request to the LAN IP, which is blocked by ABE.
The expression "the routers respond to requests addressed to the WAN IP on the LAN interface" is rather obscure to me, sounding like a blurry middle ground between 1 and 2, but the problem might be English not being my native language. Could you elaborate? What's the source of this information?
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by al_9x »

Giorgio Maone wrote:The expression "the routers respond to requests addressed to the WAN IP on the LAN interface" is rather obscure to me
I think our miscommunication stems from you conflating the meaning of "interface" and "IP," they are not the same. The "interface" is the physical/logical connection, the "IP" is the destination address slot in the IP packet header. Some routers will respond to connections on the LAN interface addressed to the WAN IP, I confirmed this on a Verizon DSL router. I believe this is a byproduct of some routers' loopback functionality, allowing connections to internal resources when addressing the WAN ip through the LAN interface (as if you're coming from the outside).
Giorgio Maone wrote:BTW, where did you get the bit about attacking the public address rather than the private one?
The private attack would be blocked by abe, so it's a non issue. Obviously the public attack is the more serious one.
Last edited by al_9x on Sat Jul 17, 2010 5:54 pm, edited 1 time in total.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Alan Baxter »

Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by al_9x »

Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Giorgio Maone »

OK, I can see what you're referring to. Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
  1. I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
  2. It should be something which raises no privacy concern
Any idea?
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Alan Baxter »

al_9x wrote:
Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Giorgio Maone »

Alan Baxter wrote:
al_9x wrote:
Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?
Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:

# Replace 1.2.3.4 with your WAN IP
Site 1.2.3.4
Deny
BTW, I'm baking an experimental implementation of al_9x's idea using http://ipecho.net/ as the echo service.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by Alan Baxter »

Giorgio Maone wrote:Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:
...
Done. Thank you.
al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Post by al_9x »

Giorgio Maone wrote:OK, I can see what you're referring to.
It doesn't matter now that we're in sync, but it occurred to me that a better way to put it is that "IP" can be both a reference to the interface and the destination address of the connection. I was using it in the latter sense, and you were thinking of it in the former.
Giorgio Maone wrote:Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
  1. I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
  2. It should be something which raises no privacy concern
Any idea?
I (and I would imagine others) dislike it when any software starts quietly making unsolicited background connections ostensibly for my benefit. Since you are making it a default, it would be a good idea to ask the user something like "in order to protect you from ... NoScript needs to periodically connect to ... to look up your public IP, allow?"

I am aware of one such service http://www.dyndns.com/developers/checkip.html.

To maximize privacy it would be good to strip all headers making as plain and generic an http request as possible.
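Added example (editor's code, not NoScript's or ABE's own implementation) tying together the two technical threads above: Giorgio's "Site LOCAL / Accept from LOCAL / Deny" style decision and the rebinding attack against a router that answers on its WAN address (the scenario al_9x describes and Alan confirms), and al_9x's later point about looking up the WAN IP through a plain echo request and adding it to the LOCAL set. Everything here is a simulation: the hostname attacker.example, the addresses 198.51.100.7 (attacker), 203.0.113.5 (router WAN IP) and 192.168.1.1 (router LAN IP) are constructed test-net/private values, the function names (LocalSet, abeDecision, validateEchoReply, buildEchoRequest) are mine, and the set of ranges treated as LOCAL (RFC 1918, loopback, link-local) is an assumption rather than ABE's exact definition.

```javascript
// Added example, not NoScript's code: a simulation of an ABE-style LOCAL rule,
// a DNS-rebinding attacker, and validation of a public-IP echo reply before
// the WAN address is added to the LOCAL set. All names/addresses are constructed.

// Parse a strict dotted-quad IPv4 literal into an unsigned 32-bit integer.
// Anything that is not exactly four decimal octets in 0..255 yields null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s).trim());
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n >>> 0;
}

// Ranges assumed to make up the LOCAL pseudo-site for this demo (not ABE's
// exact list): RFC 1918 blocks, loopback and link-local.
const LOCAL_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
].map(([cidrBase, bits]) => {
  const mask = (~0 << (32 - bits)) >>> 0;
  return { base: (parseIPv4(cidrBase) & mask) >>> 0, mask };
});

// The LOCAL set: the ranges above plus extra single addresses such as a
// WAN IP learned from an echo service.
class LocalSet {
  constructor(extraIps = []) {
    this.extra = new Set(extraIps.map(parseIPv4).filter((n) => n !== null));
  }
  contains(ipStr) {
    const ip = parseIPv4(ipStr);
    if (ip === null) return false;
    return this.extra.has(ip) ||
      LOCAL_RANGES.some((r) => ((ip & r.mask) >>> 0) === r.base);
  }
}

// Decision for a ruleset of the form "Site LOCAL / Accept from LOCAL / Deny":
// deny when the destination is LOCAL and the origin is not. Both sides are
// judged by the address they resolve to, not by hostname, which is what
// defeats plain rebinding onto a private IP.
function abeDecision(originIp, destIp, localSet) {
  if (!localSet.contains(destIp)) return "allow"; // rule does not apply
  return localSet.contains(originIp) ? "allow" : "deny";
}

// A rebinding attacker's DNS: first lookup returns the attacker's server
// (so the page loads), later lookups return the victim's router.
function makeRebindingResolver(hostname, firstIp, laterIp) {
  let lookups = 0;
  return (name) => {
    if (name !== hostname) return null;
    lookups += 1;
    return lookups === 1 ? firstIp : laterIp;
  };
}

// Page load, then a rebound request to the router; return the verdict.
function simulateAttack({ attackerIp, routerIp, localSet }) {
  const resolve = makeRebindingResolver("attacker.example", attackerIp, routerIp);
  const originIp = resolve("attacker.example");   // first lookup: page load
  const reboundIp = resolve("attacker.example");  // second lookup: rebound
  return { originIp, reboundIp, verdict: abeDecision(originIp, reboundIp, localSet) };
}

// Accept only a bare IPv4 literal that is not already LOCAL; a tampered,
// proxied or HTML-wrapped reply must never be written into the ruleset.
function validateEchoReply(body, localSet) {
  const text = String(body).trim();
  if (parseIPv4(text) === null) return { ok: false, reason: "not a bare IPv4 literal" };
  if (localSet.contains(text)) return { ok: false, reason: "not a public address" };
  return { ok: true, ip: text };
}

// The plainest request HTTP allows: no User-Agent, cookies or Accept-* headers.
// Host and path are placeholders for whatever echo service is chosen.
function buildEchoRequest(host, path = "/") {
  return `GET ${path} HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
}

// Demo: the WAN-IP gap, and how the learned address closes it.
const baseline = new LocalSet();
console.log(simulateAttack({ attackerIp: "198.51.100.7", routerIp: "192.168.1.1", localSet: baseline }).verdict); // deny
console.log(simulateAttack({ attackerIp: "198.51.100.7", routerIp: "203.0.113.5", localSet: baseline }).verdict); // allow: the gap
const reply = validateEchoReply("203.0.113.5\n", baseline);
const hardened = new LocalSet(reply.ok ? [reply.ip] : []);
console.log(simulateAttack({ attackerIp: "198.51.100.7", routerIp: "203.0.113.5", localSet: hardened }).verdict); // deny
```

Run with node. Two caveats a practitioner would want: the validator deliberately accepts only a bare address, so a service that wraps the IP in HTML (as the DynDNS checkip page does) needs an extraction step in front of it, and the learned WAN IP is only as current as the last lookup, which is Giorgio's "you should track your WAN IP" point. A LAN client (say 192.168.1.50) reaching the WAN address is still allowed under the hardened set, since both ends are LOCAL.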