Page 1 of 3

"DNS rebinding" bypasses ABE LOCAL & same origin protection

Posted: Sat Jul 17, 2010 3:26 am
by al_9x
http://blogs.forbes.com/firewall/2010/0 ... -web-hack/
https://www.blackhat.com/html/bh-us-10/ ... ml#Heffner

Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggering ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.

I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:05 pm
by dhouwn
OpenDNS has a setting against this?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:11 pm
by al_9x

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:16 pm
by Giorgio Maone
First of all, as far as I know DNS rebinding does NOT bypass ABE (ABE has specific safe-guards against DNS rebinding).
This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
al_9x wrote:I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.
Privacy concerns aside, having millions of NoScript users pinging an IP-echoing server every x minutes can be quite a burden for anyone who's not Google :P

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:20 pm
by Giorgio Maone
I'd like to see the talk/paper first: this might be the journalist asking "does NoScript block this" and the researcher answering "No", without even knowing/thinking about ABE.

BTW, where did you get the bit about attacking the public address rather than the private one?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:26 pm
by al_9x
Giorgio Maone wrote:This is just about the stupidity of keeping the administration interface open on the public IP, not about DNS rebinding (which can be used to bypass similar defenses by, for instance, Opera on PRIVATE addresses).
No, you've misunderstood it, the routers respond to requests addressed to the WAN IP on the LAN interface, there is no admin access on the WAN interface. The ABE local rule does not prevent this, because the destination ip is public. When combined with the rebinding hack this (allegedly, according to Heffner) also bypasses same origin giving access to the router.

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:33 pm
by Giorgio Maone
al_9x wrote:No, you've misunderstood it, the routers respond to requests addressed to the WAN IP on the LAN interface, there is no admin access on the WAN interface.
Sorry, I don't get it completely.
I can see only two possible scenarios here:
  1. The router exposes its admin interface on the WAN IP (as well as on its LAN IP): this is plain stupid and an attack against it can't be blocked by ABE (because the WAN IP is not private by definition).
  2. The router does not expose its admin on the WAN IP, but only on its LAN (private) IP: this is the most common setup, AFAIK, and an attack against it requires the attacker to send a request to the LAN IP, which is blocked by ABE.
The expression "the routers respond to requests addressed to the WAN IP on the LAN interface" is rather obscure to me, sounding like a blurry middle ground between 1 and 2, but the problem might be English not being my native language. Could you elaborate? What's the source of this information?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:46 pm
by al_9x
Giorgio Maone wrote:The expression "the routers respond to requests addressed to the WAN IP on the LAN interface" is rather obscure to me
I think our miscommunication stems from you conflating the meaning of "interface" and "IP," they are not the same. The "interface" is the physical/logical connection, the "IP" is the destination address slot in the IP packet header. Some routers will respond to connections on the LAN interface addressed to the WAN IP, I confirmed this on a Verizon DSL router. I believe this is a byproduct of some routers' loopback functionality, allowing connections to internal resources when addressing the WAN IP through the LAN interface (as if you're coming from the outside).
Giorgio Maone wrote:BTW, where did you get the bit about attacking the public address rather than the private one?
The private attack would be blocked by abe, so it's a non-issue. Obviously the public attack is the more serious one.

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:54 pm
by Alan Baxter
Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 5:57 pm
by al_9x
Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 7:12 pm
by Giorgio Maone
OK, I can see what you're referring to. Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
  1. I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
  2. It should be something which raises no privacy concern
Any idea?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 7:49 pm
by Alan Baxter
al_9x wrote:
Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 7:57 pm
by Giorgio Maone
Alan Baxter wrote:
al_9x wrote:
Alan Baxter wrote:Just a data point here, since my six-year-old router is on the Vulnerable list: if I enter my WAN IP into the Firefox URL bar, then I have access to my router's admin interface. Is that case 1)?
No, it's the case I am referring to.
It sounds like you're saying I'm describing the fact that I'm vulnerable, right? Is there a change I can make to ABE right now which will protect me?
Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:

Code:

# Replace 1.2.3.4 with your WAN IP
Site 1.2.3.4
Deny
BTW, I'm baking an experimental implementation of al_9x's idea using http://ipecho.net/ as the echo service.
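As an added illustration (not NoScript's or ABE's own code), a toy Python model of the ABE LOCAL rule from this thread, extended with the user's WAN IP the way the rule above does it. It shows why a hostname rebound to the router's private address is denied (the check is on the IP the destination resolves to at request time, while the origin keeps the IP the page was actually loaded from), and why the public-IP case is only caught once the WAN IP is in the list. All addresses and hostnames are constructed.

```python
"""Toy model of ABE's LOCAL handling; assumptions, not ABE internals."""
import ipaddress

# The LOCAL pseudo-list as modelled here: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_local(ip, wan_ip=None):
    """True if ip is in a LOCAL range, or equals the configured WAN IP."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return True
    return wan_ip is not None and addr == ipaddress.ip_address(wan_ip)

def abe_decision(origin_ip, dest_host, resolver, wan_ip=None):
    """Decide a request from a page served by origin_ip to dest_host.
    Mirrors 'Site LOCAL / Accept from LOCAL / Deny': the destination is
    judged by what it resolves to *now*, the origin by the IP the page
    was fetched from (pinned), so rebinding the origin name buys nothing."""
    dest_ip = resolver[dest_host]
    if not is_local(dest_ip, wan_ip):
        return "Allow"      # public destination: outside LOCAL's scope
    if is_local(origin_ip, wan_ip):
        return "Allow"      # LOCAL page talking to a LOCAL host
    return "Deny"

def rebinding_scenario(wan_ip=None):
    """Page loaded from an external server whose name is later rebound."""
    attacker_ip = "203.0.113.10"   # constructed external address
    router_wan = "198.51.100.7"    # constructed WAN IP of the victim's router
    before = {"evil.example": attacker_ip}           # DNS at page load
    rebound_lan = {"evil.example": "192.168.1.1"}    # rebound to LAN IP
    rebound_wan = {"evil.example": router_wan}       # rebound to WAN IP
    return {
        "initial": abe_decision(attacker_ip, "evil.example", before, wan_ip),
        "to_lan_ip": abe_decision(attacker_ip, "evil.example", rebound_lan, wan_ip),
        "to_wan_ip": abe_decision(attacker_ip, "evil.example", rebound_wan, wan_ip),
    }

if __name__ == "__main__":
    print("default LOCAL list:", rebinding_scenario())
    print("WAN IP added      :", rebinding_scenario(wan_ip="198.51.100.7"))
```

With the default list the rebound-to-WAN request is allowed, which is exactly the gap al_9x describes; adding the WAN IP (as the Site/Deny rule above or an echo-service lookup would) turns it into a Deny.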

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 8:08 pm
by Alan Baxter
Giorgio Maone wrote:Yep, but you should track your WAN IP.
If you can (or you've got a static external IP) you can add this rule to your USER ruleset:
...
Done. Thank you.

Re: "DNS rebinding" bypasses ABE LOCAL & same origin protect

Posted: Sat Jul 17, 2010 8:11 pm
by al_9x
Giorgio Maone wrote:OK, I can see what you're referring to.
It doesn't matter now that we're in sync, but it occurred to me that a better way to put it is that "IP" can be both a reference to the interface and the destination address of the connection. I was using it in the latter sense, and you were thinking of it in the former.
Giorgio Maone wrote:Now, adding the WAN IP to the LOCAL resolution is relatively simple, and I'd prefer to make it default albeit optional, but
  1. I would need a reliable and free service to put the simple IP echoing script on, to receive potentially millions of hits every x minutes.
  2. It should be something which raises no privacy concern
Any idea?
I (and I would imagine others) dislike it when any software starts quietly making unsolicited background connections ostensibly for my benefit. Since you are making it a default it would be a good idea to ask the user something like "in order to protect you from ... NoScript needs to periodically connect to ... to look up your public IP, allow?"

I am aware of one such service http://www.dyndns.com/developers/checkip.html.

To maximize privacy it would be good to strip all headers making as plain and generic an http request as possible.