Artur Bergman wrote about an exploit vector called “DNS rebinding” over on O’Reilly Radar that’s a must-read. Using DNS rebinding, an external website can use your browser’s JavaScript or Flash environment as a bridge between the attacker’s server and any IP on your internal network. This works even for non-routable private addresses such as the 10.0.0.0/8 range, which the public Internet cannot reach directly.

Normally, the same-origin policy in your browser restricts a page’s scripts to reading responses from the host that served the page. So, if you visit badsite.com, the JavaScript in that page can only read data from badsite.com. Any code on that site that attempts to pull data from another host gets an error, because it violates this “same origin” policy.

How DNS Rebinding Works
DNS rebinding lets an attacker sidestep the same-origin policy without breaking it: the browser compares host names, and the attacker controls what their own host name resolves to, so the target IP address can be switched underneath the check. One scenario might work like this:

  1. You connect to abcde.badsite.com, which resolves to 1.2.3.4 with a very short TTL (a few seconds or less)
  2. The server at 1.2.3.4 delivers a page whose JavaScript is scheduled to run again 15 seconds later
  3. The DNS server authoritative for *.badsite.com immediately changes abcde.badsite.com to point at 10.0.0.1
  4. 15 seconds later the TTL has expired, so the browser re-resolves abcde.badsite.com and gets 10.0.0.1. The JavaScript’s request to abcde.badsite.com passes the same-origin check (the host name has not changed), but it is actually delivered to your internal server at 10.0.0.1, and the script can read the response
  5. The DNS server sets abcde.badsite.com back to 1.2.3.4; once the cached answer expires again, the browser’s next request carries the findings to the attacker’s server

With Flash, It Gets Even Better
With JavaScript alone, an attacker can now scan and crawl web sites on your internal network and report the findings back to the attacker’s server. You could imagine this being triggered via a popup that is then repositioned off screen, where it might go unnoticed for some time. This is a pretty big deal, no doubt, but with Flash 9’s Socket functionality it’s only the tip of the iceberg.

Flash 9 adds a Socket class (flash.net.Socket) to the developer’s toolkit, which gives raw TCP access rather than just HTTP requests. So instead of the limited web-crawling payload, a small Flash movie can be sent to the client that does a full port scan of your internal network, sends spam through your corporate SMTP server, or even serves as a general-purpose relay, a VPN in all but name, right through your firewall.

Wow.

Defending Against DNS Rebinding
A number of defences have been suggested: disabling the Flash plugin, using a personal firewall that restricts the browser to outbound ports 80 and 443 (which stops the raw-socket payloads but not HTTP-based crawling), and making sure none of your web servers has a default virtual host, so that a request whose Host header is not one of the server’s own names is refused rather than served. The last one works because the rebound request still carries Host: abcde.badsite.com, a name your intranet server has no reason to answer for.
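The five-step scenario above and the Host-header defence can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any of the linked articles: a fake resolver, a fake clock, a minimal browser that caches DNS answers for their TTL and checks origins by host name, and two versions of the intranet server at 10.0.0.1, one with a default virtual host and one that only answers for names it was configured with. The names and addresses are the ones from the scenario; the allowed host name intranet.corp.example and the response bodies are constructed for illustration.

```python
# Added example (not from the original post): a self-contained model of the
# rebinding sequence and of the "require a valid Host header" defence.
# abcde.badsite.com, 1.2.3.4 and 10.0.0.1 come from the scenario; the
# intranet host name and response bodies are made up for illustration.


class FakeClock:
    """Fake time source so the 15-second wait needs no real sleep."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class RebindingResolver:
    """Attacker-controlled authoritative DNS for *.badsite.com.
    It answers with a very short TTL and can change its answer at any time."""

    def __init__(self, name, ip, ttl):
        self.name, self.ip, self.ttl = name, ip, ttl

    def resolve(self, name):
        if name != self.name:
            raise LookupError(name)
        return self.ip, self.ttl

    def rebind(self, ip):
        self.ip = ip


class Browser:
    """Minimal browser model: caches DNS answers for their TTL and applies a
    same-origin check that compares host names, not IP addresses."""

    def __init__(self, resolver, network, clock):
        self.resolver, self.network, self.clock = resolver, network, clock
        self.dns_cache = {}  # host -> (ip, expiry time)

    def lookup(self, host):
        cached = self.dns_cache.get(host)
        if cached and cached[1] > self.clock.now:
            return cached[0]          # answer still within its TTL
        ip, ttl = self.resolver.resolve(host)
        self.dns_cache[host] = (ip, self.clock.now + ttl)
        return ip

    def fetch(self, origin_host, url_host, path):
        # Same-origin policy as modelled here: a script may only read
        # responses from the host name that served it.
        if url_host != origin_host:
            raise PermissionError("same-origin policy violation")
        ip = self.lookup(url_host)
        # The Host header carries the name, whatever the name resolves to now.
        request = {"Host": url_host, "path": path}
        return self.network[ip](request)


def attacker_server(request):
    return 200, "attacker script, will run again in 15 seconds"


def internal_server_default_vhost(request):
    """Intranet server at 10.0.0.1 that serves its content for any Host header."""
    return 200, "intranet page from 10.0.0.1"


def make_host_checking_server(allowed_hosts):
    """Intranet server at 10.0.0.1 that only answers for its configured names."""

    def handle(request):
        if request["Host"] not in allowed_hosts:
            return 400, "bad request: unknown Host %r" % request["Host"]
        return 200, "intranet page from 10.0.0.1"

    return handle


def run_scenario(internal_server, wait_seconds=15):
    """Walk through steps 1-4 and return the response the script gets in step 4."""
    clock = FakeClock()
    resolver = RebindingResolver("abcde.badsite.com", "1.2.3.4", ttl=1)
    network = {"1.2.3.4": attacker_server, "10.0.0.1": internal_server}
    browser = Browser(resolver, network, clock)
    origin = "abcde.badsite.com"
    # Steps 1-2: the page and its script come from 1.2.3.4.
    status, _ = browser.fetch(origin, origin, "/")
    assert status == 200
    # Step 3: the attacker's DNS now points the same name at the intranet host.
    resolver.rebind("10.0.0.1")
    # Step 4: once the TTL has expired the browser re-resolves; the host name
    # is unchanged, so the same-origin check passes and the request is
    # delivered to 10.0.0.1.  With wait_seconds=0 the cached answer is still
    # valid and the request goes to 1.2.3.4, which is why the TTL must be short.
    clock.advance(wait_seconds)
    return browser.fetch(origin, origin, "/admin")


if __name__ == "__main__":
    print(run_scenario(internal_server_default_vhost))
    print(run_scenario(make_host_checking_server({"intranet.corp.example"})))
    print(run_scenario(internal_server_default_vhost, wait_seconds=0))
```

Run it and the default-vhost server hands the intranet page to the attacker’s script, the Host-checking server refuses the request because it arrives with Host: abcde.badsite.com, and a script that fires before the TTL expires only reaches 1.2.3.4. The Host check is cheap, but it only protects servers you configure that way; it does nothing for the raw-socket payloads in the Flash case, which never send a Host header at all.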

The real moral of the story, though, is not to rely on a firewall and non-routable IP addresses as your only line of defence. That means keeping internal machines patched, not using IP-address-based authentication, and, in general, assuming that the attacker can reach your internal network.

References:
Your Browser is a TCP/IP Relay – Link
Flash DNS Rebinding DEMO (scan a host on your network) – Link
Protecting Browsers from DNS Rebinding Attacks – Link