-
Notifications
You must be signed in to change notification settings - Fork 138
[Announcement Blog Post] Singularity of Origin: A DNS Rebinding Attack Framework
Note: This was the announcement blog post published on 17 August 2018.
Singularity of Origin is a robust and easy-to-use tool to perform DNS rebinding attacks. It consists of a DNS and a web server, a web interface to configure and launch an attack, and sample attack payloads.
In a DNS rebinding attack targeting a web application or API, the attacker controls a web page or web server, and a DNS domain. The attacker convinces a victim, possibly via social engineering, to visit the attacker's web site. The attacker's DNS server responds to the browser's initial query for the IP address of the attacker-controlled domain web server with the address of the attacker's malicious web server.
Upon connection to the attacker web server, the browser fetches and executes an attacker-written JavaScript file that has been included on the page. This script is designed to continuously poll a web page to detect when it is no longer talking to the attacker domain but instead the victim.
After a while, the DNS cache entry for the attacker domain expires, prompting the browser to make another request for the domain. This time, the attacker domain responds with the IP address of the target application, which may be a vulnerable service bound to localhost on the victim user's machine or a vulnerable service on the internal network to which the victim user's machine has access. The attacker's malicious script can now fully interact with the victim application. This allows the attacker to perform arbitrary requests to the target interface and read its responses.
During recent security assessments, we’ve seen applications running on the localhost interface or exposing services on an internal network without authentication. This includes Electron-based applications or applications exposing Chrome Developer Tools and other various debuggers.
Exploiting such services is typically straight forward, but it takes a substantial effort to implement an attack in the context of a security assessment. There are tools available to exploit DNS rebinding vulnerabilities but they pose a number of challenges including the lack of support or documentation. They sometimes do not even work, are very specific and/or do not provide a full exploitation stack, requiring much effort to assemble and integrate all the missing bits and pieces. Furthermore, some of our customers are still unaware or unsure of the nature and potential adverse impact of DNS rebinding vulnerabilities or do not implement appropriate controls to prevent them.
Singularity aims to provide a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks, and to raise awareness on how they work and how to protect from them. Using Singularity, we were able to significantly reduce the effort to develop proof of concept exploits for DNS rebinding vulnerabilities (down to approximately an hour on average) by using sample payloads included and can demonstrate these to our customer using a simple interface.
Singularity provides a complete DNS rebinding attack delivery stack:
- Custom DNS server that allows rebinding the DNS name and IP address of the attacker's web server to the target victim machine's address
- HTTP server to serve HTML pages and JavaScript code to targeted users and to manage the attacks
- Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks.
Singularity supports the following features:
- Supports concurrent users.
- Provides several DNS rebinding strategies, including sequential mapping from the attacker to the target IP address and random mapping, to minimize the impact of IDS/IPS interfering with the attack.
- A number of technical controls to maximize the reliability and speed of attacks:
- Disabling HTTP keep alive, caching, DNS prefetching.
- Aggressive DNS response TTLs.
- Option to use DNS CNAME instead of A records to evade several DNS filtering solutions.
- Ability to allocate HTTP servers at startup or dynamically thereafter:
- A convenience feature to avoid restarting Singularity to listen on a different HTTP port.
- To lay the ground work to attack vulnerable ports discovered after a scan.
Singularity requires a DNS domain name where you can edit your own DNS records for your domain and a Linux server to run it. Please see the README file on the GitHub page for detailed instructions on how to setup and run Singularity: https://github.com/nccgroup/singularity
A test instance is temporarily available for demo purposes at http://rebind.it:8080/manager.html.
DNS rebinding attacks can be prevented by validating the "Host" HTTP header on the server-side to only allow a set of whitelisted values. For services listening on the loopback interface, this set of whitelisted host values should only contain localhost and all reserved numeric addresses for the loopback interface, including 127.0.0.1. For instance, let's say that a service is listening on address 127.0.0.1, TCP port 3000. Then, the service should check that all HTTP request "Host" header values strictly contain "127.0.0.1:3000" and/or "localhost:3000". If the host header contains anything else, then the request should be denied.
Depending on the application deployment model, you may have to whitelist other or additional addresses such as 127.0.0.2, another reserved numeric address for the loopback interface.
For services exposed on the network (and for any services in general), authentication should be required to prevent unauthorized access.
Filtering DNS responses containing private, link-local or loopback addresses, both for IPv4 and IPv6, should not be relied upon as a primary defense mechanism against DNS rebinding attacks. Singularity can bypass some filters in certain conditions, such as responding with a localhost CNAME record when targeting an application via the Google Chrome browser for instance.
Singularity is a DNS rebinding attack framework to facilitate the exploitation of web services exposed on the localhost interface or on an internal network. We plan to support this tool and continue to add features and payloads. Singularity is open source and is available for download on the NCC Group GitHub repository: https://github.com/nccgroup/singularity
Published date: 17 August 2018
Written by: Gerald Doussot and Roger Meyer