Slashdot Mirror


Google, Roku, Sonos To Fix DNS Rebinding Attack Vector (bleepingcomputer.com)

The developer teams from Google Home, Roku TV, and Sonos are preparing security patches to prevent DNS rebinding attacks on their devices. From a report: Roku has already started deploying updates, while Google and Sonos are expected to deploy patches next month. DNS rebinding is not a new attack vector by any stretch of the imagination. Researchers have known about it since 2007 when it was first detailed in a Stanford research paper. The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains.

56 comments

  1. 8844 by Anonymous Coward · · Score: 0

    Hate dot hate dot hate dot hate

  2. Browser solution by amorsen · · Score: 0

    Browsers could start ignoring DNS answers that point to addresses in the local LAN, unless the request was for a record that matches the local DNS domain or the answer comes from mDNS. That should be a relatively quick 90% solution that still keeps e.g. Active Directory working. It will even work for both IPv4 and IPv6.

    And yes, fellow Slashdotters, I know you have networks where such assumptions will break. You also have the knowledge to enter about:config or to reconfigure your DNS server or network as appropriate.

    For extra security, block all of RFC1918 + all non-public IPv6 space -- but that means a lot more false positives.

    --
    Finally! A year of moderation! Ready for 2019?
    1. Re:Browser solution by Anonymous Coward · · Score: 0

      Yes, and this story has nothing to do with browsers.

    2. Re:Browser solution by ls671 · · Score: 1

      That is only a fraction of the attack vector they are mentioning. The rest of it will be making devices connect to valid public IP addresses.

      Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.
       

      --
      Everything I write is lies, read between the lines.
    3. Re:Browser solution by viperidaenz · · Score: 2, Informative

      For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
      That's already pretty bad news. With complete DNS control of your bank's domain they can obtain certificates and pose as a secure copy of your bank's website and steal your credentials that way. No DNS rebind attack required.

      Public websites that are hosted as virtual hosts aren't vulnerable to rebind attackers either, as they use the HTTP Host header to determine how to handle the request. A rebind attack means the Host header won't match the website and would generally return a 404.

      CDNs also stop rebind attacks from working on public websites for the same reason. The Host header is the domain of the attacker, not the destination.
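The Host-header mismatch described in the comment above can also be enforced by a LAN device's own HTTP server. The sketch below is an added example, not part of the thread and not any vendor's patch; the WSGI wrapper, the device address 192.168.1.2 and the name `thermostat.local` are assumptions chosen for illustration.

```python
import ipaddress


def parse_host(header):
    """Return the host part of a Host header, lower-cased and without port.

    Returns None for a missing or malformed value so the caller fails closed.
    """
    if not header:
        return None
    value = header.strip().lower()
    if value.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:8060
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    # Anything after the host must be ":<digits>".
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    host = host.rstrip(".")
    try:                                       # canonical form for IP literals
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass
    return host or None


class HostAllowlist:
    """WSGI wrapper that rejects requests whose Host header is not expected.

    A rebound request reaches the device's IP address but still carries the
    attacker's domain in Host, so it never gets to the wrapped application.
    """

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {parse_host(h) for h in allowed_hosts}

    def __call__(self, environ, start_response):
        host = parse_host(environ.get("HTTP_HOST"))
        if host is None or host not in self.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"unexpected Host header\n"]
        return self.app(environ, start_response)


def device_app(environ, start_response):
    """Stand-in for the device's real request handler (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


# Constructed configuration: the device answers only to its own address and name.
DEVICE = HostAllowlist(device_app, ["192.168.1.2", "thermostat.local"])


def status_for(app, host_header):
    """Send a constructed GET request through the app and return the status."""
    captured = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    app(environ, lambda status, headers: captured.append(status))
    return captured[0]


if __name__ == "__main__":
    for h in ("192.168.1.2:80", "Thermostat.local.", "nest.attacker.net", None):
        print(repr(h), "->", status_for(DEVICE, h))
```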

    4. Re:Browser solution by SirAstral · · Score: 3, Insightful

      NO NO NO NO NO NO NO NO NO!!!!!

      Don't even DARE to come up with the idea that browsers should be performing these functions. The browser needs to do only one thing... trust the DNS server that gave it data because the USER or Admins configured it... OTHER more suitable tools (like inline network devices/services) should be doing this security. It is NOT just about what will or will not break with this, it is also about the thought of Google, Microsoft, Firefox, and Opera deciding what is good or bad DNS and then also dealing with false positives and bugs that are definitely going to come with attempting this. Not only that but this kind of functionality will now be tested on browsers and become included in their "security profiles".

      It's just a terrible terrible idea, like putting a governor in every car connected to GPS to make sure it NEVER goes over the speed limit.

      Hackers would waste NO TIME in compromising this garbage in a browser and system would become even less secure just having it in them NOT MORE secure.

      I cannot expound on how terrible the idea you just had is!

    5. Re:Browser solution by SirAstral · · Score: 2

      "With complete DNS control of your bank's domain they can obtain certificates and pose as a secure copy of your bank's website and steal your credentials that way."

      yea, um no... you can't "just get a certificate" like that.

      You have to get a publicly trusted CA to issue you a Certificate for a domain you don't own and a CA is not going to do that unless they want to risk going out of business or becoming untrusted defeating the entire purpose of being a CA. And if you go and create your own, well how are you going to get the victim's own system to trust it without a root signer they already trust? Systems do not accept certificates blindly!

      You are going to have to trick someone to give you a certificate or find a way to compromise their Certificate or find a way to illegitimately obtain a proper certificate like finding some dumbass admin that left a cert laying around on an easy to access network drive with its private key and an easy to guess password (likely also stored in a txt file right next to it) protecting it.

    6. Re:Browser solution by Junta · · Score: 2

      Bad news:
      https://blog.nightly.mozilla.o...

      Firefox and Chrome are both advocating for ignoring the system DNS resolver and baking DNS resolving into their code (also, shifting from DNS over UDP to DNS over HTTPS, with either JSON or the traditional binary format). Instead of trusting your DNS server, it trusts https://mozilla.cloudflare-dns... as the equivalent of the DNS server, ignoring the local network suggested settings.

      Of course, I presume they must be doing something to support non-internet names to be resolved, but I haven't found yet an article going into that much detail.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:Browser solution by amorsen · · Score: 1

      Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.

      That is not a rebind attack. You'd need a cache poisoning attack or a full takeover of the victim's DNS server to do that. My mitigation obviously does not fix that, that's what certificates are for.

      --
      Finally! A year of moderation! Ready for 2019?
    8. Re:Browser solution by ls671 · · Score: 1

      For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.

      Nope, sorry this is not how it works.

      1) You would simply make the device connect to your fake DNS server.
      2) In your fake DNS server, you would simply hardcode your fake web server IP to return when asked to resolve "www.mybank.com" so, there is no need to control the bank DNS server.
      3) In your website virtualhosts config, you would simply create a domain "www.mybank.com"

      This is not only limited to web attacks but it extends to anything trying to connect anywhere by hostname.

      --
      Everything I write is lies, read between the lines.
    9. Re:Browser solution by duke_cheetah2003 · · Score: 1

      Browsers could start ignoring DNS answers that point to addresses in the local LAN,

      Despite your original post seeming intelligent, this is not. Are you really this naive about the typical home broadband installation? Where almost always the router is doing DNS duty, thereby pushing out on DHCP itself as the first DNS server. This is standard on millions of devices, and you propose breaking it?

    10. Re:Browser solution by amorsen · · Score: 1

      Yes, and this story has nothing to do with browsers.

      In most cases the only thing you can achieve with a DNS rebind attack is sending an HTTP or HTTPS request to a target. Usually it will be a browser that sends that request. Many modern email clients can also send HTTP(S) requests, I had forgotten to consider those since I find that extremely silly.

      But you are right, email clients that implement HTTP(S) should just a) stop doing that (I know, won't happen) or at least b) block all HTTP(S) access to RFC1918, RFC6598, link-local IPv6, ULA IPv6. And those clients should never send any HTTP requests that aren't GET; hopefully anything harmful that can be done to a homenet device at least requires a POST.

      Are there any other clients that are realistically vulnerable to DNS rebind? I'd love to hear if so.

      --
      Finally! A year of moderation! Ready for 2019?
    11. Re:Browser solution by amorsen · · Score: 1

      Despite your original post seeming intelligent, this is not. Are you really this naive about the typical home broadband installation? Where almost always the router is doing DNS duty, thereby pushing out on DHCP itself as the first DNS server. This is standard on millions of devices, and you propose breaking it?

      No, that is not my proposal. It is perfectly valid for the local CPE to be DNS server.

      Imagine that the client, 192.168.1.10/24 asks the CPE, 192.168.1.1, what is the A record for www.harmless.com? 192.168.1.1 answers www.harmless.com IN A 88.44.22.11, which is a public internet address, so the browser accepts the answer. Then the same thing happens except the request is for evil.attacker.com, and it gets the answer (again coming from the CPE 192.168.1.1) evil.attacker.com IN A 192.168.1.50, which happens to be the Roku. Now the browser says AHA, 192.168.1.50 matches 192.168.1.0/24, someone is doing something bad! It drops the answer and refuses to connect to 192.168.1.50.

      --
      Finally! A year of moderation! Ready for 2019?
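The check proposed in this subthread (drop answers that point into the client's own LAN unless the name is in the local DNS domain or came from mDNS, with an optional stricter mode covering the private ranges listed earlier) can be sketched as below. This is an added example, not code from any commenter or browser; the function name, the `home.lan` domain and the sample answers are constructed for illustration, and handling of IPv4-mapped IPv6 answers goes beyond what the thread discusses.

```python
import ipaddress

# Stricter mode: ranges named in the thread (RFC 1918, RFC 6598, IPv6
# link-local and ULA). Loopback and IPv4 link-local are additions made
# for this example.
NON_PUBLIC = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598
    "fe80::/10",                                       # IPv6 link-local
    "fc00::/7",                                        # IPv6 ULA
    "127.0.0.0/8", "::1/128", "169.254.0.0/16",        # added here
))


def _normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 such as ::ffff:192.168.1.50."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _in_any(ip, nets):
    return any(ip.version == net.version and ip in net for net in nets)


def _is_local_name(qname, local_domain):
    """True if qname is the local DNS domain or a name underneath it."""
    if not local_domain:
        return False
    name = qname.rstrip(".").lower()
    dom = local_domain.strip(".").lower()
    return name == dom or name.endswith("." + dom)


def filter_answer(qname, addresses, lan_nets, local_domain=None,
                  via_mdns=False, block_all_private=False):
    """Split the addresses of a DNS answer into (accepted, dropped).

    lan_nets: the client's own interface networks, e.g. ["192.168.1.10/24"].
    """
    if via_mdns or _is_local_name(qname, local_domain):
        return list(addresses), []
    blocked = [ipaddress.ip_network(n, strict=False) for n in lan_nets]
    if block_all_private:
        blocked += NON_PUBLIC
    accepted, dropped = [], []
    for addr in addresses:
        try:
            hit = _in_any(_normalize(addr), blocked)
        except ValueError:
            hit = True            # unparseable answer: fail closed
        (dropped if hit else accepted).append(addr)
    return accepted, dropped


def demo():
    """Run the scenario from the comment above on constructed answers."""
    lan = ["192.168.1.10/24"]
    return [
        filter_answer("www.harmless.com", ["88.44.22.11"], lan),
        filter_answer("evil.attacker.com", ["192.168.1.50"], lan),
        filter_answer("evil.attacker.com", ["::ffff:192.168.1.50"], lan),
        filter_answer("nas.home.lan", ["192.168.1.20"], lan,
                      local_domain="home.lan"),
        filter_answer("evil.attacker.com", ["10.0.0.5"], lan),
        filter_answer("evil.attacker.com", ["10.0.0.5"], lan,
                      block_all_private=True),
    ]


if __name__ == "__main__":
    for accepted, dropped in demo():
        print("accepted:", accepted, "dropped:", dropped)
```

The fifth and sixth cases show the trade-off raised in the thread: the LAN-only rule lets an answer for another private subnet through, while the stricter mode drops it.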
    12. Re:Browser solution by amorsen · · Score: 1

      1) You would simply make the device connect to your fake DNS server.

      That is not part of the DNS Rebind attack. You can accomplish that WITH a DNS Rebind attack that messes with the CPE settings, but then you have already won. My proposal stops the DNS Rebind attack from messing with the CPE settings in the first place.

      --
      Finally! A year of moderation! Ready for 2019?
    13. Re:Browser solution by amorsen · · Score: 1

      DNS recursive servers are notoriously bad. Anything that comes in through DNS should be viewed with extreme suspicion, unless it is DNSSEC validated.

      You COULD implement my proposed defense in the recursive DNS server, like OpenDNS has an option to do, instead of in the browser itself. However, that would mean you are exposed when connecting to a public hotspot with a captive portal that mangles DNS requests and prevents you from connecting to a trustworthy server.

      --
      Finally! A year of moderation! Ready for 2019?
    14. Re:Browser solution by ls671 · · Score: 1

      See my other post just below.

      For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.

      Nope, sorry this is not how it works.

      1) You would simply make the device connect to your fake DNS server.
      2) In your fake DNS server, you would simply hardcode your fake web server IP to return when asked to resolve "www.mybank.com" so, there is no need to control the bank DNS server.
      3) In your website virtualhosts config, you would simply create a domain "www.mybank.com"

      This is not only limited to web attacks but it extends to anything trying to connect anywhere by hostname.

      Some user will just enter mybank.com to connect to their bank. Normally, the website will redirect them to https://www.mybank.com/ (TLS site). Your fake website won't and will allow connections with plain http. No certificate needed.

      Remember that for such an attack to pay off, only 1% of users falling for it is a lot!

      Obviously, this isn't limited to banking sites and HTTP connections.

      --
      Everything I write is lies, read between the lines.
    15. Re:Browser solution by viperidaenz · · Score: 1

      That can be mitigated by HSTS being used by your bank

      Their browser would refuse to connect without HTTPS to www.mybank.com if they have already visited it before, therefore requiring the attacker to have a valid certificate to perform the redirect.

      Your scenario also requires control of the network configuration of the victim.

      A DNS rebind attack is re-binding a domain during an attack to a different IP to get around same origin protections.

      What you described is not a DNS rebind attack, it's DNS hijacking. That's where you gain control of the DNS server a victim uses, either by changing their network configuration or gaining control of their existing DNS server.

    16. Re:Browser solution by viperidaenz · · Score: 1

      Give me control of your domain's DNS server and I'll get a Let's Encrypt certificate issued in 5 minutes.

      Let's Encrypt use the ACME protocol to verify control of the domain. It's a completely automated process requiring only a webserver running on the IP address listed on the A record of the domain.

    17. Re:Browser solution by Anonymous Coward · · Score: 0

      thanks for screwing my home network

    18. Re: Browser solution by Anonymous Coward · · Score: 0

      Your solution would only cover attempts against a simple network. It would be insufficient against most enterprise networks, and access to external targets. E.g. making the victim participate in a DoS.

    19. Re:Browser solution by ls671 · · Score: 1

      That is not a rebind attack.

      You are correct. I didn't know the term and reading TFS and TFA didn't help me.

      So, I googled for it and reading the Wikipedia page enabled me to understand in 2 paragraphs.

      Thanks!

      https://en.wikipedia.org/wiki/...

      The attacker registers a domain (such as attacker.com) and delegates it to a DNS server under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.

      The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.

      --
      Everything I write is lies, read between the lines.
    20. Re:Browser solution by Anonymous Coward · · Score: 0

      For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.

      Or they can just own the local Wi-Fi/cellular DNS server, return CNAME responses for www.mybank.com to www.pwnedbank.com, and get a valid SSL certificate for www.pwnedbank.com from a lame-ass CA like Let's Encrypt. If they're feeling funky they could even add a Subject Alt Name for www.mybank.com to their lame-ass Let's Encrypt certificate.

    21. Re:Browser solution by Anonymous Coward · · Score: 0

      Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.

      Why would your locked down video purchasing/playback machine ever try to stream your purchased content from www.mybank.com?

      This is to stop people from tricking a roku or "smart" device from connecting to anything but the official servers you need to pay to use, instead of as the owner redirecting them via dns to connect to your own computer, and run software to stream your potentially pirated, or at least not purchased from the device makers store.

      Of course this just means instead of a simple DNS redirect, we now have to set up funky IP masq and redirection rules in a firewall and have it NAT the real public IP to translate to your own, and NAT replies back to it.

    22. Re: Browser solution by Anonymous Coward · · Score: 0

      Yes, you can get a certificate like that from LE who only verify first domain in SNI

    23. Re: Browser solution by amorsen · · Score: 1

      Enterprise networks can implement any policies they want in the DNS servers that they force the employees, or they can go extra evil and simply intercept all DNS requests from clients. They do not need the browser to help them, and if they do, they probably have more-easily-exploited holes anyway.

      DoS against external targets will be a bit pathetic, SYN packets are small and rebind can't spoof the source. For later packets, the host header won't match, so the target is unlikely to spend more than minimal processing time before dumping the request.

      --
      Finally! A year of moderation! Ready for 2019?
  3. plex by Anonymous Coward · · Score: 0

    How are they going to avoid breaking Plex?

  4. Please don't break it for "security" by iduno · · Score: 1

    I don't need/want the IOT stuff getting out of my network. They all go to my own server where I can keep the data to myself. I guess I'll just have to redirect 8.8.8.8/8.8.4.4/1.1.1.1/1.0.0.1 to my DNS server.

    1. Re:Please don't break it for "security" by Anonymous Coward · · Score: 0

      I guess I'll just have to redirect 8.8.8.8/8.8.4.4/1.1.1.1/1.0.0.1 to my DNS server.

      Would be more effective to just redirect anything output on port 53(both TCP and UDP) to your DNS server. Do the same with NTP outbound and redirect those to your local NTP server too.

    2. Re: Please don't break it for "security" by Anonymous Coward · · Score: 0

      I've been doing that for years

    3. Re:Please don't break it for "security" by locofungus · · Score: 1

      AFAICT, this proposal is designed to stop exactly that.

      Too many people are obviously preventing android devices reporting to google.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  5. Ignore the elephant in the room... by ZenShadow · · Score: 1

    Prevent unknown third parties from running random code on your machine in the first place and this attack vector is nullified.

    Quick! Find someone to stick their thumb in that hole over there!

    --
    -- sigs cause cancer.
    1. Re:Ignore the elephant in the room... by Anonymous Coward · · Score: 0

      Prevent unknown third parties from running random code on your machine in the first place and this attack vector is nullified.

      No it isn't. Your own trusted code attempts to access some DNS name. I control the DNS record and give it a TTL (expiry time) of 1 second. I make it point to my server so you communicate with me, then I point (rebind) it to an internal IP name so you communicate with your own private machine that's inside your firewall that I can't talk to myself, then I point it back to my own server. This is the core of the vulnerability.

      Finessing this into an exploit where I get to control what you send to your private machine, or that you tell me some/all of what the private is made easier if your program is a web browser running attacker-authored javascript, but there's no inherent requirement that this involve remote code execution.

  6. Wrong definition ... by citizenr · · Score: 1

    >DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains

    That's not what DNS rebinding is. Impressive for an article to get it wrong while explaining how it works just a few lines above :/. You don't "bind" to malicious servers, and you don't "access unintended domains". You contact one domain, and access "unintended" local IPs.

    --
    Who logs in to gdm? Not I, said the duck.
  7. The true reason they are wanting to stop it. by Cito · · Score: 3, Interesting

    PiHole DNS servers

    Anyone can pick up a raspberry pi for 35 bucks or fire up a Debian virtual machine and install PiHole dns.

    It blocks advertisements at the dns level. I have a roku, Chromecast, and of course kodi attached to my TV, and both the Roku and Chromecast not to mention my tablet never gets ads on YouTube or any streaming service.

    I bet this change is to try and stop pihole users from blocking ads on their devices so easily.

    1. Re:The true reason they are wanting to stop it. by Anonymous Coward · · Score: 0

      Thank you. I was not aware of PiHole DNS. Now I am, and have a use for one of the Pis I have sitting in a drawer right now.

  8. That's not DNS rebind. Rebind attacks local by raymorris · · Score: 1

    If you get the victim to start using an attacker-controlled DNS server, you can indeed do bad things. That's not what DNS rebind is, though.

    Let me explain what DNS rebind is.

    The attacker creates a web page which has an iframe for http://nest.attacker.net/temp/...

    The attacker sets the DNS record for nest.attacker.net to be 192.168.1.2

    The browser then connects to 192.168.1.2, which is the victim's thermostat, and requests temp/90

    The victim has now turned their thermostat up to 90
    --

    The attacker doesn't know the exact IP of the thermostat, but it's probably in the range 192.168.1.2 - 192.168.1.10

    The attacker therefore retries the attack with each IP in that range, updating their DNS record once per second.

  9. AVOID DNS security issues by Anonymous Coward · · Score: 0

    See subject & resolve FASTER locally via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * Created in FreePascal/Lazarus 1.8.2 via GTK3 & OpenGL 3.1 on KDE Plasma desktop on Kubuntu 18.04. ONLY 1 of its kind in GUI on Linux/BSD!

    APK

    P.S.=> Much better vs. Windows model in speed & efficiency plus new "merge" feature... apk

  10. Registered /.ers opinions of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * See subject: Best part is this Linux 64-bit model is faster & more efficient (does 2x the work in 1/2 the time, literally)

    APK

    P.S.=> Enjoy a faster/safer/more reliable internet... apk

  11. Agreed 110% but the IP stack should do it by Anonymous Coward · · Score: 0

    See subject & resolve faster locally avoiding DNS security issues + tracking via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * ONLY 1 of its kind in GUI on Linux/BSD!

    APK

    P.S.=> Much better vs. Windows model in speed & efficiency + new "merge" feature... apk

  15. I'll do better for FREE (& you know it) by Anonymous Coward · · Score: 0

    See subject & resolve FASTER locally & avoid DNS tracking + security issues via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * ONLY 1 of its kind in GUI on Linux/BSD!

    APK

    P.S.=> Much better vs. Windows model in speed/efficiency + new "merge" feature... apk

  17. I state fact + what others state by Anonymous Coward · · Score: 0

    I show others like + use the Win32/64 model & state fact the Linux 64-bit model is LITERALLY faster & more efficient (does 2x the work in 1/2 the time it took the Windows design, literally).

    I did a MUCH better job of its internal design this round is why (pats self on back & the BSD + MacOS X versions are in testing too).

    * Brockmire, I know, that for you, READING COMPREHENSION is asking a lot but please - DO try, ok?

    APK

    P.S.=> Now, I'll have to listen to some TWISTED BULLSHIT out of your dyslexic dumb ass but that's the PRICE of being good enough to have users PRAISE MY WORK when "Jealous JOWIES" (lol) like YOU can't show the same & can't stand guys like me that do WELL in the eyes of others (when "your kind" behind FAKE NAMES for your FAKE LIVES never will)... apk

  18. Re:I'll do you 1 better for FREE by Anonymous Coward · · Score: 0

    How's that supposed to work on his roku Chromecast kodi and tablet?

  19. His problem & a fool + his $.... apk by Anonymous Coward · · Score: 0

    If he wants to spend money on toys that are obsolete as soon as you buy them and non upgradeable that is his problem not mine.

    * Fools that buy that junk buy their own headaches + see subject: A fool & his $ are always parted soon...

    (You weezils & your LIMITED "edge cases" are exactly that...)

    APK

    P.S.=> It works on pretty much everything else, especially PC's which ARE highly upgradeable & configurable (even smartphone toy insecure junk too via ADB on droids + GodMode on Apple iPhones (both doable))... apk