State of DNS Rebinding Attacks & Singularity of Origin
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 335 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/48374 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 27109 / 335
8
9
12
14
32
38
41
58
60
61
72
75
83
87
92
96
108
115
128
132
143
152
158
159
191
193
218
230
268
271
273
276
278
295
310
320
321
335
00:00
Direct numerical simulationState of matterMathematical singularityMathematical singularityDirect numerical simulationDomain nameSoftware frameworkOcean currentState of matterComputer animation
00:46
Direct numerical simulationDefault (computer science)Proxy serverComputer networkService (economics)MetadataInstance (computer science)Cache (computing)Port scannerMathematical singularityServer (computing)Interactive televisionControl flowHookingIntelComputer architecture2 (number)AreaProxy serverDirect numerical simulationWeb browserSoftwareExploit (computer security)Server (computing)Computer wormInformation securityHookingMathematical singularityOperator (mathematics)Computer animation
01:44
Information securityMathematical singularityDirect numerical simulationCartesian coordinate systemThermische ZustandsgleichungMathematical singularityDirect numerical simulationSoftware developerKeyboard shortcutClient (computing)Information technology consultingOffice suiteAuthorizationIntegrated development environmentInformation securityInterface (computing)Computer animation
02:41
TwitterLocation-based serviceVideo gameServer (computing)CodeDirect numerical simulationProduct (business)Interface (computing)Internet der DingePrice indexNumbering schemeTupleCompilation albumProxy serverEinbettung <Mathematik>Content (media)Link (knot theory)WebsiteInternetworkingIntranetWeb browserDependent and independent variablesQuery languageCache (computing)Direct numerical simulationEscape characterWeb 2.0Cartesian coordinate systemRAIDVideo game consoleIP addressLevel (video gaming)Sensitivity analysisGoodness of fitContent (media)Different (Kate Ryan album)Information securityCASE <Informatik>CodeGame controllerServer (computing)CuboidMultiplication signRow (database)Structural loadAuthenticationSoftwareProduct (business)Local ringDot productForm (programming)Dependent and independent variablesDemo (music)Coma BerenicesMessage passingWeb browserConnectivity (graph theory)Identity managementSoftware frameworkDomain nameWebsiteInterface (computing)Interactive televisionoutputDomain nameComputer animationSource code
06:25
Direct numerical simulationCache (computing)Demo (music)Direct numerical simulationoutput2 (number)Demo (music)Denial-of-service attackCache (computing)Home pageRouter (computing)CuboidResultantCASE <Informatik>Computer animationXML
06:59
Sign (mathematics)Router (computing)PasswordMathematical singularityDirect numerical simulationWeb pageComputer wormDefault (computer science)Video game consoleScripting languageTime domainStrategy gameCache (computing)Denial-of-service attackComputer configurationPrice indexContent (media)Rule of inferenceData managementMathematical singularityApplication service providerRoutingSubject indexingResultantUser interfaceLoginDependent and independent variablesCache (computing)Computer wormStrategy gameDenial-of-service attack2 (number)SI-EinheitenHome pageRouter (computing)Web 2.0Web pageProgram flowchart
07:52
BuildingDirect numerical simulationPlanningQuery languageWebsiteMathematical singularityQuery languageDirect numerical simulationPlanningCodeTrojanisches Pferd <Informatik>Hand fanComputer animation
08:45
Address spaceStrategy gameDirect numerical simulationTime domainServer (computing)Query languageMathematical singularityWeb browserIP addressMathematical singularityMultiplication signStrategy gameDirect numerical simulationNumberConnectivity (graph theory)Different (Kate Ryan album)Computer animation
09:48
Host Identity ProtocolWeb browserDirect numerical simulationServer (computing)Cache (computing)Mathematical singularityIP addressWeb browser2 (number)Cache (computing)Connected spaceMultiplication signDirect numerical simulationImplementationTrailValidity (statistics)Control flowComputer animation
10:52
Price indexToken ringEmailServer (computing)Subject indexingMathematical singularityToken ringConnected spaceEmailStrategy gameWeb browserDirect numerical simulationCodeComputer animation
11:34
Query languageIntegrated development environmentIntrusion detection systemDirect numerical simulationRandom numberStrategy gameAdditionDomain nameSequenceVector potentialInterrupt <Informatik>Inclusion mapWeb browserInstallable File SystemFaktorenanalyseCondition numberImplementationLocal ringGraphical user interfaceFingerprintFirewall (computing)Mathematical singularityBlock (periodic table)Service (economics)Address spaceMathematical singularityImplementationLink (knot theory)Direct numerical simulationFingerprintIP addressVirtual machine2 (number)Web browserLatent heatServer (computing)CodeSoftwareRemote procedure callStrategy gameWindowIntrusion detection systemArithmetic meanQuery languageSequenceMultilaterationGraphical user interfaceLoop (music)Proof theoryPhysical systemMultiplication signIntegrated development environmentDivisorMusical ensembleLevel (video gaming)BitInterface (computing)Exception handlingGroup actionCondition numberAddress spaceComputer animation
14:50
Direct numerical simulationServer (computing)Web browserQuery languageStrategy gameMathematical singularity2 (number)Musical ensembleFirewall (computing)Server (computing)IP addressRule of inferenceWeb browserLoop (music)Strategy gameMultiplicationType theoryMultiplication signQuery languageDirect numerical simulationRow (database)Level (video gaming)Computer animation
15:49
Direct numerical simulationLoop (music)Interface (computing)ConsistencyGoogle ChromeComputing platformAverageCache (computing)Multiplication signInstance (computer science)Reduction of orderComputing platformMultiplicationoutputDirect numerical simulationCache (computing)ConsistencyDemo (music)Type theoryLoop (music)Strategy gameSoftwareGraphical user interface2 (number)Arithmetic progressionLatent heatResultantQuery languageWeb browserAverageServer (computing)Web 2.0Flow separationComputer animation
16:54
Cache (computing)Direct numerical simulationPatch (Unix)Exploit (computer security)Web browserStrategy gameMeasurementCache (computing)Web browserDirect numerical simulationIP addressQuery languageServer (computing)Instance (computer science)Mathematical singularityConfiguration spacePerspective (visual)Table (information)Proxy serverProgram flowchartComputer animation
17:36
Proxy serverDirect numerical simulationMathematical singularityDefault (computer science)Block (periodic table)Local ringComputer networkService (economics)Address spaceServer (computing)Web browserRange (statistics)Configuration spaceLatent heatRemote Access ServiceMereologyInternetworkingProxy serverDirect numerical simulationMathematical singularityOpen sourceAuditory maskingBlock (periodic table)Default (computer science)Server (computing)IP addressDependent and independent variablesParameter (computer programming)Configuration spaceSoftwareGraphical user interfaceAddress spaceFreewareLocal ringRange (statistics)Router (computing)Set (mathematics)RoutingOpen setImplementationComputer animation
19:54
Sheaf (mathematics)Address spaceRoutingMeta elementDirect numerical simulationDependent and independent variablesBlock (periodic table)Mathematical singularityProxy serverIP addressDependent and independent variablesServer (computing)Domain nameRow (database)Direct numerical simulationWikiDot productDomain nameBlock (periodic table)Canonical ensembleLocal ringGraphical user interfaceAddress spaceMathematical singularityComputer animation
20:40
Address spaceTime domainCanonical ensembleDirect numerical simulationBlock (periodic table)Dependent and independent variablesServer (computing)Local ringProxy serverWikiGrass (card game)RankingDirect numerical simulationDependent and independent variablesBounded variationLocal ringBlock (periodic table)Mathematical singularityProxy serverExploit (computer security)Web browserSoftwareHookingSoftware frameworkImage resolutionGroup actionCanonical ensembleServer (computing)IP addressRow (database)Coma BerenicesWikiDomain namePlastikkarteDomain nameComputer animation
21:40
ComputerDirect numerical simulationCanonical ensembleDependent and independent variablesBlock (periodic table)Proxy serverSheaf (mathematics)Computer networkHookingControl flowIntegrated development environmentOperations researchWeb browserPhysical systemMathematical singularityService (economics)Mathematical singularityDependent and independent variablesDirect numerical simulationWeb browserSoftware frameworkSoftwareComputer architectureExploit (computer security)Computer animation
22:28
Web browserConfiguration spaceOperations researchMathematical singularityService (economics)Direct numerical simulationIntegrated development environmentComputer networkPhysical systemProxy serverCodeSoftware frameworkFrame problemMathematical singularityWeb browserDrill commandsIntegrated development environmentCartesian coordinate systemProxy serverCross-site scriptingServer (computing)Normal (geometry)Level (video gaming)Point (geometry)Operating systemDirect numerical simulationCodeBinary codeFunctional (mathematics)Computer animation
23:23
Server (computing)Web browserMathematical singularityArchitectureProxy serverNetwork socketWeb 2.0Mathematical singularityServer (computing)Cartesian coordinate systemWeb browserDirectory serviceCodeLevel (video gaming)Interface (computing)Operator (mathematics)Electronic mailing listConnected spaceSystem callStructural loadCodeNormal (geometry)Computer animation
24:33
Codierung <Programmierung>Dependent and independent variablesCommunications protocolWeb browserProxy serverToken ringHTTP cookieBackupDirect numerical simulationInterface (computing)Mathematical singularityTime domainServer (computing)Slide ruleComputer configurationAuthenticationAuthorizationCommodore VIC-20Interface (computing)Communications protocolMathematical singularityWeb browserNetwork socketWeb 2.0Cartesian coordinate systemDomain nameHTTP cookieDependent and independent variablesLengthServer (computing)CuboidLink (knot theory)Group actionBackupCodeNumberParameter (computer programming)Different (Kate Ryan album)Token ringAuthenticationCASE <Informatik>Software testingType theoryDirect numerical simulationConstructor (object-oriented programming)Computer architectureLevel (video gaming)Message passingSlide ruleProxy serverComputer configurationElectric generatorComputer animation
27:41
HookingPrice indexToken ringControl flowDirect numerical simulationCache (computing)Demo (music)BuildingView (database)Queue (abstract data type)Domain nameComputer iconTime domainCASE <Informatik>HookingDemo (music)Game controllerWeb browserInstance (computer science)Real numberClient (computing)Computer animation
28:20
Client (computing)BuildingView (database)Time domainDomain nameQueue (abstract data type)Computer iconComputer wormDirect numerical simulationMathematical singularityComputer configurationCore dumpDefault (computer science)Video game consoleScripting languageMetadataGraphical user interfaceControl flowHookingStrategy gameDenial-of-service attackCache (computing)Price indexToken ringData typeExecution unitWeb pageClient (computing)Web pageWeb browserData managementMathematical singularityInterface (computing)HookingGame controllerComputer worm2 (number)Computer animation
28:57
Client (computing)Domain nameQueue (abstract data type)BuildingComputer iconEmailData typeAddress spaceToken ringPrice indexContent (media)LengthDependent and independent variablesControl flowComputer networkCross-site scriptingComputer fontComputer wormCache (computing)Message passingNormed vector spaceAsynchronous Transfer ModeWeb pageInstance (computer science)InternetworkingAddress spaceMathematical singularityUniform resource locatorMessage passingContext awarenessWeb browserPower (physics)Server (computing)Raw image formatWeb 2.0Point (geometry)Network socketComputer animation
30:05
Direct numerical simulationComputer-generated imageryCommunications protocolDependent and independent variablesService (economics)Latent heatMathematical singularityAuthenticationFreewareVirtual machineGraphical user interfaceAddress spaceServer (computing)Sample (statistics)Mathematical optimizationComputer wormPersonal digital assistantStrategy gameDefault (computer science)Cache (computing)Computer configurationWeb browserWikiGUI widgetComputer networkData modelPhysical systemAssembly languagePlot (narrative)Router (computing)Information securityTime domainLocal ringInterior (topology)Interface (computing)Data dictionaryDomain nameInstance (computer science)IP addressDependent and independent variablesBitDirect numerical simulationServer (computing)Web 2.0Computer wormIntegrated development environmentVirtuelles privates NetzwerkFirewall (computing)Mathematical singularityMultiplication signCommunications protocolComputer fileWikiElectronic mailing listMathematical optimizationSocket-SchnittstelleSoftwarePower (physics)Local area networkExploit (computer security)Cache (computing)Endliche ModelltheorieData dictionaryOpen sourceMessage passingContext awarenessSampling (statistics)Computer configurationVulnerability (computing)EmailLeakPoint (geometry)Game controllerStack (abstract data type)Web browserOpen setPhysical systemInterface (computing)Router (computing)Default (computer science)Classical physicsBound stateLatent heatResultantInformation securityGraphical user interfaceLimit (category theory)Letterpress printingPresentation of a groupStrategy gameSource codePopulation densityProxy serverComputer animation
36:09
HTTP cookieEmailCoroutineServer (computing)Service (economics)Mathematical singularityGraphical user interfaceMetadataDebuggerInstance (computer science)Computer wormAugmented realityStructural loadDirect numerical simulationInternet service providerRouter (computing)AuthenticationInstance (computer science)Server (computing)System administratorWebsiteAuthenticationVideo game consoleComputer wormEmailDomain nameDirect numerical simulationIP addressCartesian coordinate systemTransport Layer SecurityMathematical singularityBlogOnline helpMetadataRouter (computing)Web browserElectronic mailing listLine (geometry)Keyboard shortcutState of matterNumberInternet service providerLocal ringDemo (music)Address spaceComputer animation
39:01
Direct numerical simulationPort scannerService (economics)Demo (music)Exploit (computer security)Server (computing)Demo (music)Computer wormProcess (computing)AutomationInstance (computer science)Local ring2 (number)Mathematical singularityWeb browserData managementUser interfaceInterface (computing)Computer animation
39:46
Video game consoleDirect numerical simulationAddress spaceDependent and independent variablesWeb pageStrategy gameScripting languageSource codeComputer networkError messageoutputCore dumpServer (computing)Computer wormServer (computing)Scripting languageWeb pageVideo game consoleCalculationMultiplication signCodeRemote procedure callData managementUser interfacePasswordDemo (music)Direct numerical simulationError messageComputer animation
41:04
Computer networkLocal ringDirect numerical simulationScripting languageMeta elementWeb pageVideo game consoleSoftware developerService (economics)Insertion lossControl flowConfiguration spaceStrategy gameAddress spaceServer (computing)MathematicsTime domainDefault (computer science)Demo (music)Cache (computing)Web browserGraphical user interfaceSynchronizationRandom numberSheaf (mathematics)Computer wormMathematical singularityFrame problemFunction (mathematics)Intrusion detection systemComputing platformSelf-organizationPort scannerLogarithmDependent and independent variablesServer (computing)Computer wormSlide ruleConfiguration spaceAddress spaceUniform resource locatorStrategy gameCASE <Informatik>Set (mathematics)Scripting languageSource codeXML
41:36
Server (computing)Direct numerical simulationAddress spaceMathematical singularityService (economics)Web pageCodeSample (statistics)Graphical user interfaceProxy serverWeb browserControl flowHookingComputer networkWeb pageUniform resource locatorMathematical singularityXMLComputer animationLecture/ConferenceMeeting/Interview
Transcript: English(auto-generated)
00:00
Let's get started. Uh please give Gerald and Roger a very great DEFCON welcome. Hello DEFCON. Hello everybody. Um today we're going to uh discuss the current state of
00:21
DNS rebinding including attack- recent attack and prevention technique. We will also discuss um uh uh tool uh singularity of origin so DNS rebinding attack framework and how it's incorporates this new um technique and how you can use them today. So I contribution in the domain of DNS rebinding are um twofold. Uh the new tool singularity uh it
00:46
has everything you need to perform DNS rebinding. It is reliable, it is performant, it has built in payload for uh command services and can perform uh automatic service detection and exploitation. Um the second area of contribution uh is uh in the research of uh
01:08
technique to improve the speed of DNS rebinding and how to bypass command DNS rebinding protection. So um our talk will be articulated around um uh the new tool and uh the
01:22
techniques uh intake operates. And uh we will in- include a customary um uh refresher on the basic of uh DNS rebinding. We will also discuss uh uh an architecture we have implemented in singularity which allow you to interactly- interactively browse um a hooked
01:40
browser uh internal network. So who are we? We are Gerald Lusso and Roger Meyer. We are security consultants at NCC group. Uh we are attached to the San Francisco office. And uh we are the authors of uh singularity of origin. Roger. So why should you care about
02:03
DNS rebinding? Most developers understand that when they bind their application to all interfaces that they expose themselves to remote access and this is not a good idea. So what do they do to fix this? They bind the application to the local host. They think
02:21
only trusted users can access, it's a trusted environment so they don't need authentication, right? And then all these DNS rebinding issues happen. The EOS cryptocurrency wallet is vulnerable. Google Home, Roku, Sonos speakers are vulnerable. The Geth, Ethereum client was vulnerable. Redis, Memcached, Elasticsearch, the Kubernetes
02:43
dashboard on Miikube was vulnerable to DNS rebinding allowing RCE and VM escape. The Rails web console was vulnerable. We see more and more applications exposing uh web uh popularity of frameworks such as Electron. The rise of IOT devices exposing sensitive
03:06
interfaces on internal networks without authentication will make this even worse. We would also like to clear up certain misconceptions such that DNS rebinding is slow and can be solved by out of the box DNS filtering products or services which is not the
03:23
case. We would like to start with a quick refresher on how DNS rebinding works. The origin is consists of the scheme, host, and port. 2 documents share the same origin if
03:41
they have the identical scheme, host, and port components. The same origin policy is an important security concept implemented in browsers that dictates how 2 different sites with different origins can interact with each other. Certain interactions are always allowed between all origins such as form submissions, links, redirects, content
04:04
embedding, but cross origin reads are typically not allowed. This is important for example if you're logged in to gmail.com and browse to an attacker controlled website, you don't want the attacker controlled code to be able to read your gmail messages. DNS
04:27
policy. We'd like to show you a visual walkthrough to make it easier to understand the concept. So on the left side we have the victim which is the browser. We have a target
04:42
service which can be a service on the victim's local host or on the internal network. We have an attacker which consists of a DNS server and a web server on this public IP. So on the right side we have the internet, on the left side we have the intranet. The victim can
05:01
access the target service without authentication and the attacker cannot directly reach the target service otherwise we wouldn't need DNS rebinding. So step 1, the victim browses to the attacker's website hosted on rebinds.it that's our domain name. We respond
05:21
with the DNS A record of the public IP address and load some javascript which keeps running in the victim's browser and waits until the DNS record expires. Once it expired, we make another request in the same origin. This time we respond with a different IP address. The
05:41
IP address of our target service 127.0.0.1. Notice that the origin rebind.it did not change, we did not violate the same origin policy. The browser will make this request and will allow the javascript to read the response and where we can exfiltrate it back to the
06:03
attacker. All of this is possible because we did not violate the same origin policy, it's still pointing to rebind.it, we only changed the IP address. This was a high level overview which omitted a lot of details. There are a lot of previous good research which you
06:22
can look at if you want to know more about the details. We would like to show you a first demo on iOS using Safari where we can achieve DNS rebinding in just 5 seconds using the cache flooding technique. In this case we will be exploiting a home router on
06:46
reading the index page and displaying the results in a javascript alert box for demo purposes. So this is Safari, we're going to router.asys.com, this is the target we're trying
07:01
to exploit. So now we're setting up the attack, we're going to the singularity manager web interface, we're setting the target host to router.asys.com, we're leaving the target port at port 80, we're setting the attack payload to a simple fetch get, we're using the first then second strategy, an interval of 1 second and we're enabling the cache
07:26
flooding technique. We're starting the attack, this only takes about 5 seconds and we display the results. Uh what we see here is the return of the index page which is just
07:40
redirect to the main login on ASP uh webpage but it shows that we were able to read the response from an internal system, the home router. Thank you Roger. Now that we have a
08:01
grasp on the basics of uh DNS rebinding uh we are going to explore how we made um uh DNS rebinding uh more reliable within singularity. So let's say that uh you are a fan of horse riding and uh you're trying to plan your next vacation and you found a website that
08:20
just tell you to do that um there's nothing wrong with this website um displayed prominently uh is a trojan horse picture. In fact uh the website was compromised and is running um a hidden high frame with singularity. So you connect to the website and you um download the malicious JavaScript from singularity and uh uh the code emits its first DNS
08:42
query. So what is in a query? Um as you can see the the the query is made of several components. These uh components encodes uh everything singularity needs to perform an attack. So first you have a start tag um then you have the attacker host IP address
09:01
where we run singularity. Then you have the target IP address or it can be a name as well. Followed by a session ID. Uh session allow for the uh use of concurrent uh users and uh targets. Then uh you have the DNS rebinding strategy. Singularity uh incorporates uh a
09:21
number of different DNS rebinding strategy. Here you can see uh FS first and second although known as a time varying attack. Uh this is the simplest and most reliable uh DNS rebinding strategy you can implement. Then you have the end tag and then you have the attacker domain. The one that you have ever purchased or um uh compromised. So um to
09:49
improve reliability you want to remove uh any uh HTTP performance enhancing technique that may impede DNS uh rebinding or stop it completely in its track. So um we try to
10:02
disable HTTP caching uh in all browsers implementation and uh intermediate cache to ensure that the browser uh get the fresh copies of all the resources. Uh we also instruct singularity to drop uh idle connection from browsers. So when it is time to uh rebind
10:21
against uh target IP address the uh browser doesn't maintain a connection to uh singularity. What about TTL value? Um most literature and other tools uh use uh a value of uh 1 second. Uh we tried 0 in the hope that um it will break stuff. It didn't. Uh 0 second
10:44
is a valid TTL value so we just stick with that. So how do we know that we have uh successfully uh rebinded against the target service? Um historically uh singularity used an index token in the HTML body. Um so if this index token is present um then
11:03
the JavaScript code knows uh it's still pointing against singularity. If this token is uh disappears on the next next fetch uh then it means that you have successfully rebinded. We recently moved to a custom HTTP header uh however the index token is still useful in a uh
11:21
one specific DNS rebinding strategy uh where we uh abruptly uh terminate the connection uh from singularity to the browser and the browser get confused. We will go into more details uh on this later. Something you need to consider as well is that uh you may uh encounter an environment uh where there is an IPS and IDS um and uh this IPS
11:44
IDS may emit their own uh spurious uh DNS queries when they see uh requests from uh the ta- the target browser. So it it means that you may receive uh uh IP address uh out of sequence when you make a DNS query uh um which um uh means that um the target browser will
12:06
never see the IP address of singularity only the targets so we'll never be able to download the code and uh perform DNS rebinding. So to address that we um have implemented a random DNS run uh uh rebinding strategy where um um uh we respond either with
12:24
the attacker IP address or the service um IP address uh which is the service IP address. There's a much slower technique in general but you could get lucky. So um we're now going to explore how we um improve the speeds uh um uh of DNS rebinding in uh in singularity. So the
12:43
first thing to know is that implementation details matter. Um the DNS uh rebinding speed will vary uh depending on the host implementation whether you use uh a Windows or Unix like environments uh operating systems such as um Linux or Mac OS. Uh we're going to browse a vendor uh IE, Edge, uh Firefox, Chrome and all the it's been off uh and Safari. The
13:07
target specification matters um whether you use uh uh a service you put you targeting a service that's bound to the loopback interface or uh uh on the private network or a remote public IP address. Obviously we just uh so that's uh uh external factor may impact
13:25
the speed such as the presence of an IPS and IDS. So just to illustrate uh DNS rebinding may take 40 plus minutes uh when uh uh using Edge uh and down to 3 seconds depending of what strategy you use. Uh singularity can automatically uh fingerprint to optimize
13:42
for speed uh in some condition. We will discuss this later. So the time varying attack uh uh singularity first and second is approximately 60 seconds on all browsers except for IE and Edge. Um we um there's another technique called multiple answers that we didn't
14:02
believe would work uh however uh one of our colleague Michael Roberts from NCC group uh created a a small proof of concept uh demonstrating that uh it was working on Windows when you specified uh an IP address of 127.0.0.1 and that we were achieving rebinding time of uh of 3 seconds once uh we implemented that. Uh however it didn't work with um the
14:26
same technique didn't work with uh Unix like machine uh such as Linux or um MacOS. However after a bit of digging when we specify uh uh target service IP address of 0.0.0 uh we achieve uh approximately 3 second um rebinding time. So now we have a solid and fast uh
14:45
DNS rebinding against all loop back bound uh services. Just to illustrate at a high level how the multiple answer rebinding strategy work. So the target browser will emit its DNS query uh to rebind at its uh where we run singularity as usual. Um instead of
15:03
responding um with the IP address of the attacker then uh the IP address of the service uh as we do for the time varying attack we respond with both record at the same time. So
15:21
uh the service uh and um uh to determine whether it's pointing against singularity or the targets. Uh then singularity is going to then implement at some stage uh a firm role um firewall rule that will abruptly block the traffic. This will force the browser uh to um
15:43
connect uh to the target service using the second IP address we provided earlier. So the multiple answer technique um our strategy work very well for loop back bound type of uh services. So if your service uh uh for instance for instance is listening on 127.0.0.1 but
16:03
we were getting inconsistent results for over target specification for instance on the uh private network uh where uh 1 out of 5 would uh succeed. Uh we implemented another technique called DNS cache flooding. Um this work very well in uh Google Chrome and uh Safari
16:23
and iOS platform. Uh you basically basically uh floods the cache of the browser with thousands of queries um and uh uh you can reduce vendor DNS rebinding time from 5 to 40 seconds which is a great progress over the average of 60 seconds. Uh Roger demo was using
16:42
this technique uh when we were using iOS and we got a rebinding time of 5 seconds. Um flooding the cache is performed in a separate web worker. So here you have a Chrome uh uh console and in blue uh you have your regular uh attempt to fetch uh uh resources to
17:01
determine whether um um we were pointing against the target service or not. And uh uh in the cache of the browser the DNS cache uh in an attempt to uh evict the IP address of the singularity server. Forcing then the browser to point to the service for instance 127.0.0.1.
17:25
So we have uh illustrated in this table some configuration and uh what can you expect uh uh from a uh DNS rebinding time perspective. Roger. Let's talk about DNS
17:40
rebinding protection bypasses. Using singularity we can bypass all known DNS rebinding protection such as those implemented in open source DNS servers unbound or DNS mask. We would like to emphasize that common recommendations and default configurations do not
18:01
provide complete protection. How do common DNS protections look like? Most solutions block certain DNS responses at the parameters so when they enter your internal network. Some tools block RFC 1918 private IP addresses such as 10 slash 0 192 dot 68 slash slash 0. Some
18:25
tools block local host IPs 127 slash 8. Some tools can be configured with which IP addresses you're using internally such if you're using public IPs on your internal network you can get those blocked. Some tools block the 0 slash 8 range. DNS mask and unbound are
18:46
two widely used open source DNS servers. They're used in tools such as PF sense, open WRT and certain home routers. There are also free public DNS services such as Cisco's open DNS which advertise that they have uh rebinding DNS rebinding protection
19:07
implemented. For open DNS it's called block internal IP addresses and that just blocks private IPs. DNS mask has a setting called stop DNS rebind which blocks private IPs, the
19:24
0 slash 8 range and the 127 slash 8 range. This does not block local host. We will talk about what we mean by local host in a minute. The unbound DNS server has a configuration setting called private address where you can configure internal IP address
19:43
range and this will then be blocked. This does not block the 0 0 0 0 IP, the 127 0 0 1 or the local host. Our first protection bypass is using this 0 dot 0 dot 0 dot 0 IP
20:00
address. This is a non-routable or invalid IP address but it works very well on Linux and Mac OS using Firefox and Chrome to access the local host. This bypasses protections that block DNS responses containing the IP address of 127 0 0 1 or the whole 127 slash 8
20:21
range. When we query singularity we can specify the target here so we can use the 0 dot 0 0 target and then the DNS response will be an A record pointing to 0 0 0 0. What if the DNS protection solution blocks all internal IP addresses? Then we can use C names.
20:44
Canonical name records are DNS records which map one domain name to another domain name. We can return a DNS C record instead of an internal IP address such as wiki dot ncc group dot com or Jenkins dot internal dot card dot com whatever a target is. This bypasses
21:03
protections that block DNS responses con on of private IP addresses. The local internal DNS server will then resolve the C name for us and you don't wanna block internal DNS resolution if you wanna use internal host names. When we query singularity we
21:23
specify the target here so instead of an IP address we specify wiki dot ncc group dot com and then the DNS response will be a C name pointing to wiki dot ncc group dot com. Or third bypass is a variation of the previous technique. We can use the C name of local
21:45
host. This bypasses protections that block DNS responses containing 127 0 0 1. This works well in Linux and um Mac OS. When we query singularity we specify local host here
22:01
and then in the response we just return a C name pointing to local host. Okay now we're going to uh discuss uh the architecture we implemented in uh singularity uh to uh browse the uh the victim internal network after a DNS rebinding. So tools such as beef the
22:26
browser exploitation framework and fire drill a DNS uh attack tool uh can use a hub browser to uh uh access uh targets uh which are not typically available directly from an attacker such as your own uh appliance or uh corporate environment assets either via uh
22:45
cross site scripting or DNS rebinding. So we know that uh beef uh require to the the attacker to configure uh its uh browser or operating system to use the beef application server uh to uh uh to uh avail of this uh functionality. Uh we don't know how fire drill uh
23:05
does it since the code uh and the binaries are not available. Uh we implemented the browsing of service in singularity uh without requiring the attacker to uh setting up its browser to use an HTTP proxy but instead just to uh point to singularity uh via uh
23:22
using normal HTTP requests. So the hi- at a high level once your um browser uh has been hooked um or the victim browser has been hooked uh the browser will make uh web socket connection uh to the singularity um application server and wait for instruction. The uh attacker will use is a browser to connect to singularity and uh uh
23:46
display the list of uh uh victims that's been hooked and select one to browse. So uh let's say you want to connect to the home directory of a service bound to 127.0.0.1. Uh
24:00
the attacker browser will emit a normal uh uh HTTP request to obtain the directory. The singularity application server will translate this into a web socket operation uh to fetch the resource. Um then the target browser using the singularity JavaScript codes will translate this web socket fetch operation into a normal uh fetch API call to uh the home
24:27
directory. Then the data will be sent back all the way uh back to the attacker browser sorry. At a low level we just customize the Golang ground tripper interface and we use uh the web socket plaintext protocol to package uh each fetch request and
24:44
response. Um since we use uh base64 encoding uh the size of the message is increased by four thirds of the original length of the message. Please note that you don't have to use uh a browser. You can use any uh user agent. You can use curl HTTP uh
25:01
inspecting proxy such as uh uh burp port swigger or wasp zap or SQL map and and so on. So when we implemented this architecture in singularity we uh we encountered a number of challenge. Uh the first assumption we made was that we didn't have to care about the cookies exchange between the victim browser and the victim service, the target service. Uh
25:25
however our first uh test case was duplicaty, a backup solution uh that was vulnerable to uh DNS rebinding and uh as you can see the code snippet here uh duplicaty is extracting C serve token from the cookie uh to generate links that
25:43
allow you to browse the duplicaty application and perform a number of action including running a backup. So singularity didn't work uh with that. So um we had to uh uh consume this cookie so we um we read them from the target browser and we transi-
26:02
transmit them to the singularity server over web socket and then the singularity application server set them uh on the attacker uh browser for the target domain uh that singularity uh as constructed. Um for HTTP only cookie uh we don't really care about them. Um they cannot be read by JavaScript uh so they cannot be used by JavaScript on the
26:24
attacker um browser. So we let the target the target browser handle uh them for us. Another challenge uh is that to be able to read a cookie uh when you perform a fetch request, a
26:43
fetch request uh and if your application require um uh HTTP authentication this is not going to work. And and why is that? This is illustrated in this slide. Um so let's say you have a service that require HTTP authentication and you issue the command uh fetch uh HTTP
27:02
1 to 7 dot 0 dot 0 dot 1 with the credentials includes, then authentication dialog box appears. Uh that will warn the user that something is amiss. So this is the command so we don't want that. Um however if you type the same command but you pass a different argument credentials omit then there's no there's no uh authentication dialog box
27:23
so the victim is none the wiser. So uh when uh we have cookie and HTTP authentication uh required then we forget about we actually don't transmit the the cookie to uh uh the attacker. Okay now that Gerald introduced us to this hook and
27:44
control feature we would like to show you how this works in a demo. For this demo we'll have two browsers. One is the victim, the other one is the attacker. In this case they will be both on the same machine but in a real world attack this does not have to be the
28:00
attacker can be anywhere. So the victim will have a Jenkins instance installed in the local host and the attacker will try to access this. So this is the victim chromium browser uh which has this Jenkins instance running listening in the local host. Now we're switching to the attacker this is the hooked uh victim clients which will show up
28:24
here so we reload the page and show it's currently empty there's nothing there. Switching back to the attacker sorry to the victim browser we're going to the singularity manager interface. We're setting the target to zero zero zero for local host. Target port is eighty eighty. We're using the hook and control attack
28:42
payload. We're using the multiple answers attack strategy. We're using one second interval. We're starting the attack. It only takes three seconds. The attack was successful. We're now we're switching back to the attacker. We're reloading the page and we can see this new victim session. So we click on it and we can now
29:05
browse the victim's Jenkins instance over the internet. So the attacker browsed this credentials endpoint. We're going back to the victim to show you the requests. The first
29:26
request is this slash credentials which the attacker was browsing to to show you how this looks like. Um we can see slash credentials. The remote address is zero zero zero for local host and the request URL is the origin still points to the attacker. We'd like to
29:50
point is how we send and exfiltrate the data back to singularity uh using web socket messages and that's how we can or the attacker can then browse to uh Jenkins
30:04
instance. Okay now we're going to discuss how to uh scan for vulnerable host and and services. So in the past there have been uh many very smart attempts to replicate uh
30:20
nmap uh behavior in the context of uh the browser but uh we've had the power of four sockets. So many of the solution uh we have looked at uh are either not completely reliable or do too much for our purpose. Uh for instance we don't care whether SSH port uh is open or not. Uh DNS rebinding is concerned uh with uh exploiting uh issue
30:44
with HTTP uh resources so far. Uh so the only thing we care about is uh does it speak HTTP. So we implemented a very uh simple solution that leverage uh modern um API and um and uh so it's uh uh including sorry a fetch abort uh for uh uh implementing a time out. So
31:06
um we distribute the the list of target we want to scan uh that includes IP address and uh uh ports uh across uh for web workers. We only fetch uh the resource header. Uh we don't bother with the the response uh body. Uh and we have uh out coded limit of 300
31:25
milliseconds uh before we move on onto a next target if we don't get set uh sufficient results. Um so the time out will obviously drive how fast you can scan uh a host or a whole network. It is fast for HTTP open port obviously and it's fast as well for
31:43
closed ports because if you if you emit you send a packet to uh a closed port the TCP IP stack of the targets will respond with a reset packet if nothing is listening on this port. Uh it is slower for firewall ports but because here the typically a firewall will drop any response so you don't know what's going on uh so the scan will uh wait 300
32:04
millisecond and then move on to another target. Uh and slow as well possibly for slow HTTP service and uh over protocol that are not handled by fetch. Um so uh you want to use a lower time out when you're scanning a LAN or fast HTTP service or uh you can use uh
32:22
higher time outs uh when you scan uh over a network uh uh make the one that I have uh high latency such as VPN. Over interesting bits and pieces uh we use the classic web RTC IP address leak to obtain uh the IP address uh the private IP address of the uh victim. When
32:43
available it works uh on Chrome and uh Firefox and we use this IP address to derive a subnet uh we can use to uh scan. We obviously pass the credentials omits to fetch so uh the victim uh is uh not made aware that uh a scan is on go on going and uh we currently
33:06
considering performing a second pass scan uh to identify uh slower HTTP service that we may have missed. So we have learned how uh we um made Singularity more reliable uh faster how
33:24
we can uh find uh vulnerable uh targets uh and services. Um now we're going to uh show you how uh you can implement all the above, orchestrate all the above and um perform
33:40
service detection and auto exploitation as a bonus. So Singularity provides a sample auto attack dot HTML file automation file. It is fully customizable and uh permits uh to leverage all the features we have discussed so far um including but not limited to uh you can specify uh specific uh exploitation payload for instance uh targeting a service like
34:05
Jenkins or you can ask Singularity to uh auto select the the payload based on the service it detected. You can out code your targets uh and ask you a Singularity to optionally detect more target maybe on the network. Uh same thing for ports. You can
34:21
specify a DNS a default DNS rebinding strategy and ask uh Singularity optionally to auto optimize and find the best strategy for you. And uh obviously you have all your options as I was putting the DNS cache uh visibly hiding activity and so on. Uh in the future we intend to uh implement more auto optimization so you don't have to read the
34:42
extensive wiki. So when you're designing your attack you want to mix and match uh different specification of the same targets. Uh for instance uh for local uh uh host bounds uh service uh specify 0 dot 0 dot 0 dot 0 local host as a CNAME or 127 dot 0 dot 0
35:03
dot 1. This will improve reliability uh the uh permit you to bypass um uh security controls and uh for speeds. Uh you can instruct Singularity to find and use the external IP address to exploit the internal interface um of wifi uh access points um and
35:23
routers um uh for uh device that use the weak end system model. I can only encourage you to refer back to the Defcon presentation, Defcon 18 uh in that regard to see how it works. And uh you want to do some homework uh using uh uh open source intelligence. Uh try to
35:42
figure um uh what is the naming convention for assets in a corporate network or even use a dictionary of service name and specify specify them as CNAME uh in your target uh list. For instance Jenkins dot internal dot cop dot com. This is likely going to pay off because a lot of uh uh service are uh still unauthenticated in a corporate environment. So we
36:05
mentioned that Singularity can uh do service detection as well. So um Singularity come with a number of attack payloads um uh that target services such as Ruby on Rails, the admin console, uh Amazon, uh AWS instance metadata and so on. And uh we recently added uh a
36:24
service detection routine uh that allow you to detect what service is running uh behind and try to deliver an appropriate payload. So for instance if uh you find that the service responds with uh a HTTP address that contains the value X Jenkins then Singularity uh will
36:42
figure out that's more more likely uh is using uh uh is facing uh Jenkins application instance. So when you select the automatic uh attack payloads Singularity will try to detect a service and uh deliver the appropriate payload it has. So um with our tool we
37:02
were trying to blur the line uh between origin and uh uh I think we have achieved that hence the name Singularity of origin. So how do you protect from um uh DNS rebinding attack? Uh you often hear uh comments or on blogs or uh recommendation to use DNS blacklists or to
37:23
use tentatively to use DNSSEC maybe or to use this DNS service provider or one of your colleague or friend uh bought this uh appliance that uh uh uh our router that uh uh state that it perf- it provides DNS rebinding protection. Well as we learned uh common
37:41
reason is not enough. Um it is hard to understand all the subtleties of DNS rebinding and no DNSSEC won't help you there. So Roger how do we protect from DNS rebinding? There are 3 proper ways to protect your service. One is to use TLS on your application including the service listening on local host. You can require authentication if the
38:05
attacker doesn't know the credentials they can't make a valid request. Or you could validate the host header for all incoming requests using a whitelist of trusted domain names such as local host or 127.001. Remember when we showed the origin in our last
38:26
demo it was still pointing to the attacker which won't be whitelisted. There is also a proposal called course RFC 1918 which would re- require a preflight course request for
38:42
websites hosted in a public IP address when they make a request to a private IP address. This is currently a draft and not shipped in any browser but it- this may prevent DNS rebinding in the browser. We have one last demo where we show you how to automate this
39:03
whole process. So previously the victim was browsing to the singularity manager interface where they had to configure everything which is uh not very realistic. So in this demo we'll show that the victim only has to browse to singularity. We start with a port
39:20
scan to detect services listening on the local host. We rebind to these discovered services in 3 seconds already detect the service listening for the payloads we have and launch the exploit right away. For this demo we have a rails console listening on the
39:43
Jenkins instance listening on port 8080. So this shows the manager web interface which we are not going to use. What we're going to use is this um auto attack demo uh page. So
40:01
browsing to the page we see that we detected port 8080 and 3000 we're launching DNS rebinding right away. The rebinding was successful. It detects- already detects the services. We uh um it's not showing. Let's go back one more time. It didn't update quite
40:27
well. It detected Jenkins right away um and it should detect alright slash. It detected Jenkins and here it's still rebinding and auto detecting but it doesn't seem to
40:46
update quite well. So for rails we have a remote code execution which launches the calculator and for Jenkins we just dump the plain text password stored in credentials to the console. We like to show you how the how the script looks like. The
41:06
configuration script. It's very simple. The auto attack script so we can define the rebinding strategy as here we use multiple answers. We use the attack payload automatic which automatically tries to detect the service. We specify the ports. Port 8080 and
41:25
3000 in this case only and we can specify which address to use. There are a few more settings but uh which we we don't need for you. You can get the slides including
41:40
your notes on this URL. You can get singularity or tool on our GitHub page with all these uh features and let us know if you have any questions. Thank you.