Rebinding Attacks Persist With Spotty Browser Defenses

Rebinding Attacks Persist With Spotty Browser Defenses

Browser companies and network-security vendors have created a variety of defenses for the three-decades-old attack technique known as DNS rebinding, but uneven acceptance and updated exploitation techniques, protection remains spotty.

DNS rebinding — which allows external malicious sites visited by an unsuspecting victim to access internal servers and services —is similar to cross-site request forgery, where an attacker can use a JavaScript component or Java applet to request resources from another site or network. DNS rebinding typically works by attracting a user to a malicious web site, and using the site’s content and a short time-to-live (TTL) to force the browser to send a new domain name system (DNS) request, to which the attacker’s site responds with an internal network IP address. The attack essentially allows an attacker to use a victim’s browser to send requests to servers and devices on the internal network.

The attack, however, can be made harder to execute with a variety of defenses, including enforcing the Same-Origin Policy by pinning the domain name in the browser, looking for anomalous requests through the targeted user’s DNS service, and adopting Local Network Access, a proposed web security standard. While these defenses work to make DNS rebinding attacks more difficult, they can be bypassed under some circumstances, NCC Group said in a recent report.

Because DNS rebinding exposes the attack surfaces of internal web applications to malicious websites, the attack could be useful against enterprise targets as a way to get access to credential data and resources hosted on internal networks, says Zhanhao Chen, a principal researcher for network security at Palo Alto Networks.

“In the real world, the attacker can build a website with DNS rebinding script and trick the victim to open it in their browser,” he says. “Once the malicious website is open on an employee’s browser, the attacker can manipulate or steal information from internal Web applications that are vulnerable.”

DNS Rebinding Attacks Face Difficult Defenses

Every browser does some form of DNS pinning, preventing the assigning of new network addresses for a specific web site or host name for a certain time period, such as an hour. DNS-based security services, such as Cisco’s Umbrella, also prevent anomalous changes in DNS data using suspicious response filters, which identify potential attacks and stop them.

The World Wide Web Consortium (W3C) has also created a draft of a security specification, Local Network Access, that blocks DNS-based attacks. Previously called “Private Network Access,” the approach puts up barriers between global, local, and internal addresses, such as the loopback address for the local host, and forces services to gain permission to explicitly access the local network.

In the latest analysis published by NCC Group, however, Roger Meyer, a technical director at NCC Group, argues that the defenses still are not complete. Using the address, which can access Linux and Mac OS systems’ internal IP address, for example, bypasses the current Local Network Access protections, Meyer says.

“Usually, that specific IP address is non-routable and should not work as an IP address —you should not be able to even use it for accessing anything, but it just works on Mac OS and Linux devices,” he says.

NCC Group opened up a bug report with Google, an early adopter of the Local Network Access specification, to get the issue fixed in the Chromium codebase, Meyer says.

Bolstering Defenses

DNS rebinding attacks are not often seen in the wild, which is one reason that browser makers have taken a slower approach to mitigating the issue. Another is that companies do not want to break internal applications, whose developers may rely on the ability to handle cross-origin requests.

If web application developers adopt the HTTPS encrypted web protocols as a general rule, they can prevent their application from being used in a DNS rebinding attack, says Palo Alto Networks’ Chen.

“This kind of mitigation depends on the developer of internal services, [so] it is not scalable,” he says. “As third-party web applications populate in both home and enterprise environments, it’s more difficult for the network owners to identify and fix all potentially vulnerable servers.”

While DNS rebinding is not as common as other widely-spread threats such as DNS tunneling, domain-generation algorithms, DNS amplification denial-of-service attacks, and DNS hijacking, many web applications remain vulnerable to DNS rebinding and attackers are actively exploiting it, Chen says. Palo Alto Networks noted that seven DNS-binding-related CVEs were released in 2021 and nine in 2022, and the company continues to see attack traffic in the wild.

Companies can help bolster their defenses by using DNS services that detect attacks and help remote employees protect their at-home environments. Because an attacker needs to either know information about the victim’s environment, or know they are using common devices or applications, those common services should be hardened against attack, NCC Group’s Meyer says.

“There are ways to discover if there are vulnerable services on the network or on employee devices, so the company could scan the network to find those vulnerable services,” he says. “There are intrusion detection systems or other kinds of security software that can look for services listening on developer machines or any other employees’ systems, and any services that are listening on localhost are potentially vulnerable to DNS rebinding.”