Professional Documents
Culture Documents
SOHO RouterSecurity?
DNS Rebinding
Limited attack
Rebinding to a Public IP
Target IP:
Attacker IP:
Attacker Domain:
2.3.5.8
1.4.1.4
attacker.com
1.4.1.4
2.3.5.8
Rebinding to a Public IP
What is the IP address for
attacker.com?
1.4.1.4
2.3.5.8
Rebinding to a Public IP
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
Rebinding to a Public IP
GET / HTTP/1.1
Host: attacker.com
1.4.1.4
2.3.5.8
Rebinding to a Public IP
<script></script>
1.4.1.4
2.3.5.8
Rebinding to a Public IP
GET / HTTP/1.1
Host: attacker.com
1.4.1.4
2.3.5.8
Rebinding to a Public IP
TCP RST
1.4.1.4
2.3.5.8
Rebinding to a Public IP
GET / HTTP/1.1
Host: attacker.com
1.4.1.4
2.3.5.8
Rebinding to a Public IP
<html></html>
1.4.1.4
2.3.5.8
Rebinding to a Private IP
Target IP:
Attacker IP:
Attacker Domain:
192.168.1.1
192.168.1.1
1.4.1.4
attacker.com
1.4.1.4
Rebinding to a Private IP
What is the IP address for
attacker.com?
192.168.1.1
1.4.1.4
Rebinding to a Private IP
1.4.1.4
192.168.1.1
192.168.1.1
1.4.1.4
Rebinding to a Private IP
GET / HTTP/1.1
Host: attacker.com
192.168.1.1
1.4.1.4
Rebinding to a Private IP
<html></html>
192.168.1.1
1.4.1.4
Local Address
Foreign Address
tcp
0 *:80
*:*
LISTEN
tcp
0 *:53
*:*
LISTEN
tcp
0 *:22
*:*
LISTEN
tcp
0 *:23
*:*
LISTEN
State
IP Stack Implementations
eth1
192.168.1.1
eth0
2.3.5.8
eth1
192.168.1.1
eth0
2.3.5.8
eth1
192.168.1.1
eth0
2.3.5.8
eth1
192.168.1.1
eth0
2.3.5.8
Traffic Capture
End Result
2.3.5.8
2.3.5.8
1.4.1.4
attacker.com
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
2.3.5.8
1.4.1.4
Pros:
Cons:
Affected Routers
Asus
Belkin
Dell
Thompson
Linksys
ActionTec
Rebind
Target IP:
2.3.5.8
Rebind IP:
1.4.1.4
Attacker Domain: attacker.com
2.3.5.8
1.4.1.4
Rebind
Rebind
Rebind
What is the IP address for
attacker.com?
2.3.5.8
1.4.1.4
Rebind
1.4.1.4
2.3.5.8
1.4.1.4
Rebind
GET /init HTTP/1.1
Host: attacker.com
2.3.5.8
1.4.1.4
Rebind
Location: http://wacme.attacker.com/exec
2.3.5.8
1.4.1.4
Rebind
What is the IP address for
wacme.attacker.com?
2.3.5.8
1.4.1.4
Rebind
1.4.1.4
2.3.5.8
2.3.5.8
1.4.1.4
Rebind
GET /exec HTTP/1.1
Host: wacme.attacker.com
2.3.5.8
1.4.1.4
Rebind
<script></script>
2.3.5.8
1.4.1.4
Rebind
GET / HTTP/1.1
Host: wacme.attacker.com
2.3.5.8
1.4.1.4
Rebind
TCP RST
2.3.5.8
1.4.1.4
Rebind
GET / HTTP/1.1
Host: wacme.attacker.com
2.3.5.8
1.4.1.4
Rebind
<html></html>
2.3.5.8
1.4.1.4
Rebind
GET /poll HTTP/1.1
Host: attacker.com:81
2.3.5.8
1.4.1.4
Rebind
2.3.5.8
1.4.1.4
Rebind
Rebind
GET http://2.3.5.8/ HTTP/1.1
2.3.5.8
1.4.1.4
Rebind
GET /poll HTTP/1.1
Host: attacker.com:81
2.3.5.8
1.4.1.4
Rebind
GET / HTTP/1.1
2.3.5.8
1.4.1.4
Rebind
GET / HTTP/1.1
Host: wacme.attacker.com
2.3.5.8
1.4.1.4
Rebind
<html></html>
2.3.5.8
1.4.1.4
Rebind
POST /exec HTTP/1.1
Host: attacker.com:81
<html></html>
2.3.5.8
1.4.1.4
Rebind
<html></html>
2.3.5.8
1.4.1.4
Rebind
Demo
UPnP
HNAP
Am I Vulnerable?
End-User Mitigations
Interface binding
Firewall rules
Routing rules
Disable the HTTP administrative interface
But be warned
Conclusion
Q&A
Rebind project
http://rebind.googlecode.com
Contact
heffnercj@gmail.com
References
http://www.youtube.com/watch?v=cBF1zp8vR9M
http://crypto.stanford.edu/dns/dns-rebinding.pdf
http://www.cs.princeton.edu/sip/pub/oakland-paper-96.pdf
https://www.blackhat.com/presentations/bh-usa07/Byrne/Presentation/bh-usa-07-byrne.pdf
http://www.jumperz.net/index.php?i=2&a=3&b=3
References
RFC 1122
http://www.faqs.org/rfcs/rfc1122.html
http://en.wikipedia.org/wiki/Same_origin_policy
http://seclists.org/bugtraq/2001/Mar/42
p. 218 219