Bypassing SOP by changing DNS records (rebinding attack)
Categories
(Core :: Networking, defect, P3)
Tracking
()
People
(Reporter: ilyasamarov, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: reporter-external, Whiteboard: [client-bounty-form][necko-triaged])
Attachments
(1 file)
|
2.78 MB,
video/mp4
|
Details |
It’s possible to circumvent the CORS mechanism by changing the IP address of the hostname (in DNS). while JavaScript is executing.
Suppose someone visits http://attacker.com which is running a JavaScript code.
And what the JavaScript code does is it sends a fetch HTTP GET request to http://attacker.com/api/v1/getSecret
But it sends this request only 1.1 minutes after the website is loaded (sleep with SetTimeout)
If, in this timeframe of 1.1 minutes. The owner of the “attacker.com “domain will change the DNS entry to point to 127.0.0.1 .
Before sending the request, the firefox browser will issue a new DNS request, as the DNS cache timeout is roughly around 60 seconds. The DNS response will be 127.0.0.1 instead of the previous public IP.
As a result, the Firefox browser will try to send a request to localhost (127.0.0.1) + /api/v1/getSecret.
If such an API is running on the localhost, it will receive the request and respond with an answer. An answer which will then be accessible for the JavaScript for processing and it can send/exfiltrate this response to some other location.
This is allowed due to the fact that on the surface it’s the same ORIGIN “http://attacker.com”.
But Firefox is ignoring the sudden IP Address change which happened in the middle of the browsing session.
Tommorow I will upload a document with detailed technical description of the POC that I did to prove this idea.
|
||
Comment 2•7 months ago
|
||
This is called a "rebinding attack" and is one of the threats the Private Network Access spec tries to address. Firefox has not implemented that yet but it is a known problem.
|
|
||
Updated•7 months ago
|
Thanks, I didn't know that it has a name.
Indeed was strange to me that such a simple attack will be missed.
So as this is the situation I believe there no reason to waste time on writing the details about the POC.
I'll just add a few words that maybe will somehow contribute to a better understanding of the criticality of this.
- I was able to expedite the DNS cache refresh by loading 2 Iframes from the same domain one after another.
This helps to wait significantly less than 1 minute to execute the attack (as can be seen in the video). - This can have significantly higher impact when using Firefox browser as a headless browser for automatic processes as part of a product.
for example, there are SAAS products which receives a URL as an input.
the backend takes the URL and executes a headless browser to extract something from the website.
in the cloud world the combination of such a feature with the DNS rebinding attack will result in attacker accessing the cloud metadata instance (ex. AWS - http://169.254.169.254/latest/meta-data) and potentially taking over the whole cloud environment. - In chrome browser and all other browsers that I tested it detects the IP address change and doesn't let the request come out.
Just wondering, if this is a known issue does it mean that it will not be eligible for bounty ?
Can I publish a blog about this problem ?
I saw that yesterday , Hacker News published an article about a very similar issue but only allows attacking 0.0.0.0
and the vulnerability that I described can allow attack any address in local network.
https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
|
||
Comment 5•7 months ago
|
||
I don't make bounty decisions. Having the flag sec-bounty? will let the responsible team know that a decision needs to be made. Dan, can you make the decision here?
(In reply to Ilya from comment #3)
Just wondering, if this is a known issue does it mean that it will not be eligible for bounty ?
Can I publish a blog about this problem ?
|
|
||
Comment 6•7 months ago
|
||
The 0.0.0.0 attack is not related to this. That was a direct request to that address to get around Chrome's preventing access to 127.0.0.1 without a CORS request. The idea is to exploit vulnerabilities in locally-installed web servers (several applications install local servers). Has nothing to do with rebinding.
Just wondering, if this is a known issue does it mean that it will not be eligible for bounty ?
Can I publish a blog about this problem ?
If we thought we had addressed it already then it could still be eligible. We will have to investigate. We'd appreciate you holding off publishing about it while we do.
|
||
Comment 7•6 months ago
|
||
The severity field is not set for this bug.
:manuel, could you have a look please?
For more information, please visit BugBot documentation.
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
||
Comment 8•6 months ago
|
||
See also things like https://en.wikipedia.org/wiki/DNS_rebinding and many other pages
PNA is the solution to this, basically, though local network services responding on http is a real part of the problem. Probably this should dup to the PNA bug, IMO.
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
|
Reporter | |
Comment 10•6 months ago
|
||
Hi Daniel,
I understood that you've decided to close this bug as duplicate from long time ago.
that's disappointing but understood,
does that mean that I can publicly disclose\discuss my exploit in a public blogs\talks ?
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
Description
•