Closed Bug 1575514 Opened 6 years ago Closed 5 years ago

Grant private network access

Categories

(Firefox :: Untriaged, defect)

70 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 354493

People

(Reporter: litezeraw, Unassigned)

Attachments

(1 file)

3.81 KB, application/x-gzip-compressed

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

Steps to reproduce:

A scenario is like:
1 - The victim connects to www.fakewebsite.net
2 - www.fakewebsite.net replies with an iframe located on a host that he himself controls (eg: www.localarea.net)
3 - On the first connect, the www.localarea.net DNS A PTR points to a public host (eg: 8.8.8.80)
4 - When the iframe loads, it calls a Python script which changes the DNS A PTR to point to a private host (eg: the provider box, 192.168.1.1) and calls setTimeout() to wait 60s
5 - When the 60s are over, a new DNS connection is made and the local area IP address is used
(if it's not the right host, it's possible to get the network interface in JavaScript)
6 - Now the iframe www.localarea.net points to the private host

Actual results:

That means that we are in the context of www.localarea.net and it's possible to read the content of the web service on the private host

Expected results:

It seems to be a good idea if the web browser had a context manager that disallows a public website from pointing to local resources by default.

Flags: needinfo?(dveditz)

The source code provided has been deployed on an Arch Linux remote public host meeting the following requirements:
- php7.3.8
- apache2.4.39
- python3.7
- bind9.14
- a domain name

The file "www-private-network-intrustion.tgz" contains the dangerous website and must be uncompressed under the web root directory.
eg:
/srv/http
Create a "tmp" directory under /srv/http
The PHP script writes in this directory.
You must change the variable values of the JavaScript scripts.

The script "changeDNS.py" can be executed without args under the context of the root user; otherwise it cannot restart "named".
The directory of this script has no impact.

The file "named.tgz" contains the bind configuration:
named.conf must be stored in /etc
example.zone in /var/named

The IP addresses included in these scripts should be changed in accordance with your network.

When deployed,
connect to the website "main.html" with the web browser; the script does the rest.
After success the "tmp" directory contains the output of the pages "index.html" and "files.html".

This is a "DNS Rebinding" attack (https://en.wikipedia.org/wiki/DNS_rebinding). We had a short-lived pinning cache at one point, but I believe it was removed because any time short enough to prevent problems with legitimate sites was not longer than an attacker could wait to pull off the attack. I suppose we could have allowed overrides for non-private (rfc 1918) addresses, but in any case that doesn't help any victims using IPv6. And in the corporate network case there are quite often "internal" sites that have static public IP addresses. Still, the rfc1918 addresses would help consumer-grade home routers.

The recommended defense against DNS Rebinding has been for servers to check the Host: header, and to use TLS so the browser can check the name in the certificate. Cheap home IoT equipment has still not gotten that memo.

A broader fix would be bug 354493 -- those connections are troublesome even without the rebinding aspect.

Flags: needinfo?(dveditz)
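The two server- and resolver-side mitigations named in the comment above, as an added example that is not part of this bug's attachment or of Firefox: a device's HTTP handler that rejects requests whose Host: header does not name the device (the rebinding page reaches the device under the attacker's name, so the header betrays it), and a resolver-side check that flags answers mapping a public name onto a private address, the "allow overrides only for non-private addresses" idea. The hostnames in ALLOWED_HOSTS and the internal_zones list are constructed values. Python's ipaddress.is_private also covers IPv6 ULA (fc00::/7), link-local and loopback, which goes a little beyond the RFC 1918 check the comment mentions.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names under which this device expects to be reached (constructed example
# values; a real device would load them from its configuration).
ALLOWED_HOSTS = {"router.home.example", "192.168.1.1"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host: header names this server.

    Strips a port suffix, handles bracketed IPv6 literals ([::1]:8080) and
    rejects a missing or empty header outright.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    else:
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}


def answer_looks_like_rebinding(qname, address, internal_zones=()):
    """Flag a DNS answer that maps a name outside our internal zones onto a
    private, loopback or link-local address.

    This is the resolver-side mitigation: external names should never resolve
    to addresses inside the local network. Names under one of internal_zones
    are exempt, since those are expected to carry private addresses.
    """
    ip = ipaddress.ip_address(address)
    if not (ip.is_private or ip.is_loopback or ip.is_link_local):
        return False
    name = qname.rstrip(".").lower()
    for zone in internal_zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return False
    return True


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Minimal handler for a LAN device: refuse requests whose Host: header is
    not one of ours before doing anything else."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this request was not meant for our origin.
            self.send_response(421)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Host header not recognised\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device status page\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RebindingAwareHandler).serve_forever()
```

The Host: check is what closes the hole for the page's scenario: after the rebind, the iframe's requests still carry Host: www.localarea.net, which the device does not recognise. The resolver check does nothing for the corporate case the comment raises (internal sites on static public addresses), since those answers are not private; TLS with a certificate naming the device is the remaining defense there.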

Not a true duplicate of bug 354493, but more direct prevention against DNS re-binding that we tried (such as DNS pinning) caused failures on the web in practice. Blocking access to "internal" hosts is the best we're likely to do.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security

My PoC bypasses the C.O.R.S policy.
That allows retrieving the content of the page ... not only sending a request.
