Attacking Private Networks from the Internet with DNS Rebinding

NOTE: This research has been simultaneously released with a counterpart WIRED article on the subject by Lily Hay Newman.

What is DNS Rebinding?

How DNS Rebinding works

What’s Vulnerable?

Proof of concept DNS rebinding attack @ http://rebind.network

Google Home

Google Home Mini
UPDATE (06/19/2018): Craig Young's simultaneous and independent research on this vulnerability was disclosed yesterday, just ahead of this post. He actually created a PoC for the geolocation attack scenario that I described above, but never implemented! His work, and Brian Krebs's commentary on it, are both excellent 👏👏👏. I notified Google about this vulnerability when I discovered it in March and again in April after receiving no response. According to Krebs's post, Young reported the bug to Google in May and his ticket was closed with "Status: Won’t Fix (Intended Behavior)." It wasn't until Krebs himself contacted Google that they agreed to patch the vulnerability. Google is expected to release a patch in mid-July 2018.

Sonos WiFi Speakers

Sonos Play:1
UPDATE (06/19/2018): Sonos has published a statement along with this public release: "Upon learning about the DNS Rebinding Attack, we immediately began work on a fix that will roll out in a July software update."

Roku

RokuTV
UPDATE (06/19/2018): Roku has released a statement along with this public release: “After recently becoming aware of the DNS Rebinding issue, we created a software patch which is now rolling out to customers. Note that any potential exploitation of this vulnerability poses no security risk to our customers’ accounts, our channel partners’ content security or the Roku platform.”

Radio Thermostat

Radio Thermostat CT50

WiFi Routers

The Walled Garden Is a Lie

Protecting against DNS Rebinding

Consumers

Developers

Tooling & Details

Whonow DNS Server

# respond to DNS queries for this domain with 34.192.228.43 the first
# time it is requested and then 192.168.1.1 every time after that.
A.34.192.228.43.1time.192.168.1.1.forever.rebind.network

# respond first with 34.192.228.43, then 192.168.1.1 the next five
# times, and then start all over again (1, then 5, forever…)
A.34.192.228.43.1time.192.168.1.1.5times.repeat.rebind.network

# dig is a unix command for making DNS requests
dig A.10.10.10.50.forever.rebind.network

;; QUESTION SECTION:
;10.10.10.50.forever.rebind.network. IN A

;; ANSWER SECTION:
10.10.10.50.forever.rebind.network. 1 IN A 10.10.10.50

Whonow public server output
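The naming scheme above, modelled as an added Python example (this is not whonow's own code): it computes the answer sequence the comments describe for any A.<rules>.rebind.network name and pairs it with the resolver-side check a rebinding filter applies, dropping answers that point into private address space. The qualifier semantics (Ntime(s), forever, trailing repeat) and the behaviour after the last rule are assumptions read from the two examples; nothing here talks to the network.

```python
import ipaddress
import re
ZONE = "rebind.network"  # the public whonow zone named in the post

def parse_rebind_name(name):
    """Return ([(ip, count)], repeat) for an A.<rules>.rebind.network name.
    Assumed semantics from the examples: Ntime(s) = N answers, forever = all
    remaining answers (count None), trailing repeat = restart the list."""
    labels = name.rstrip(".").split(".")
    if labels[0] != "A" or labels[-2:] != ZONE.split("."):
        raise ValueError("expected A.<rules>." + ZONE)
    labels = labels[1:-2]
    repeat = labels[-1:] == ["repeat"]
    if repeat:
        labels = labels[:-1]
    rules = []
    for i in range(0, len(labels), 5):  # 4 octets + 1 qualifier per rule
        ip = ".".join(labels[i:i + 4])
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        qualifier = labels[i + 4] if i + 4 < len(labels) else ""
        if qualifier == "forever":
            rules.append((ip, None))
        elif re.fullmatch(r"\d+times?", qualifier):
            rules.append((ip, int(qualifier.rstrip("times"))))
        else:
            raise ValueError(f"unknown qualifier {qualifier!r}")
    return rules, repeat

def first_answers(name, n):
    """The A answers whonow gives to the first n queries for `name`."""
    rules, repeat = parse_rebind_name(name)
    out = []
    while len(out) < n:
        before = len(out)
        for ip, count in rules:
            if count is None:
                return out + [ip] * (n - len(out))
            out.extend([ip] * count)
        if not repeat or len(out) == before:
            break  # assumption: nothing defined past the last rule
    return out[:n]

def is_rebind_answer(ip):
    """Resolver-side check: a private, loopback or link-local answer for a
    public name is what a rebinding filter at the resolver drops."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local

def filtered_answers(name, n):  # what a private-range-dropping resolver passes on
    return [ip for ip in first_answers(name, n) if not is_rebind_answer(ip)]
```

With the filter in place only the first, public answer survives, so the browser never rebinds the name to 192.168.1.1.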

DNS Rebind Toolkit

🌐🔗 Links & Thanks 👏

Brannon Dorsey