Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Saving Private Networks from DNS Rebinding

In private networks, web services are kept isolated from the outside online world. Still, cybercriminals can manage to compromise internal networks by abusing web-based consoles under a technique called DNS rebinding. It is a method that exposes the attack surface of internal web applications to malicious websites after being launched on victims’ browsers.
To understand how private networks are penetrated, let’s understand how DNS rebinding works on modern browsers, such as Chrome and Firefox.

How does DNS rebinding work?

Popular browsers employ same-origin policy wherein various resources such as JavaScript, images, and CSS are loaded from the same server to run a web application. However, it has been found that attackers can use DNS rebinding to bypass this and allow cross-origin requests.

  • The policy spots different origins of requests (e.g. same server as itself or other) with a combo of URI scheme, port, and hostname. Among these components, browsers use hostnames to identify different servers on the internet. However, hostnames are not bound to network devices and are resolved to IP addresses by DNS. 
  • IP addresses are given to devices statically or dynamically. As domain owners have full control over DNS records, they can resolve hostnames to arbitrary IP addresses. DNS rebinding abuses this privilege.
  • After a victims’ web browser loads the malicious payloads from the attacker’s server, attackers can rebind their hostnames with their internal IP addresses redirecting to the target servers.

Private networks penetration

According to researchers from Palo Alto Networks’ Unit 42, it starts with fooling victims into opening malicious websites with social engineering tactics (e.g. phishing emails and cybersquatting).

  • After launching a malicious site on victims’ browsers, attackers look for private IP addresses and ports to host vulnerable services prior to launching the DNS rebinding attack.
  • Open ports provide details regarding exposed web applications behind IP addresses. Moreover, using the WebRTC method, malicious websites can scan the open web services inside local networks.
  • After locating the targeted services, an attacker’s website can launch the DNS rebinding attack inside an iframe. 
  • The first request obtains the rebinding payload from a malicious hostname. This attack script continues to trigger repeated resolution for hostname till it rebinds to the targeted IP address. Then iframe can communicate continuously with the internal service without the victim’s knowledge.

Use in real-world attacks

The DNS rebinding attack can use victims’ browsers as a proxy to expand the attack surface to private networks, as demonstrated by the researchers via a POC attack.

  • It has been used to practically penetrate an open-source DNS rebinding platform known as Singularity.
  • Researchers launched an RCE payload of Singularity in the simulation environment. They used it to target the Rails framework, in which the PUT APIs allow the users to run arbitrary system commands on the server. 
  • Any web application using this API will be required to generate a new token during runtime, and it is impossible to guess the valid API endpoint without reading the server response.
  • However, after executing DNS binding, the Singularity RCE payload can obtain the token, and use it to reconstruct any desired URL.

The many workarounds

There are several protective methods in practice today — Browser-based DNS pinning method; DNS-based using DNS caching software; Server-based mitigation implementing HTTPS communication on private services and; real-time DNS rebinding detection.

Ending notes

DNS rebinding technique is a serious threat. Web browser vendors, web application owners, and DNS resolvers need to apply appropriate protection strategies to ensure security against such threats.

Source: https://cyware.com/news/saving-private-networks-from-dns-rebinding-10cf15e6

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.” A Chinese-linked hacking group that security researchers say...

Cyber Security

The administration and its private sector partners announced a slate of new initiatives on Monday aimed at protecting the nation’s school systems and their...

Cyber Security

The plan includes measures for improving cybersecurity knowledge at all levels of education and improving how the federal government attracts, hires and pays cybersecurity...

Cyber Security

Using a vulnerability in MOVEit Transfer, hackers gained access to 8 to 11 million individuals’ ‘Users Data’ protected health information. Maximus, a US government contracting...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO