Dolos DNS Rebiner: What You Need to Know

Although DNS rebinding attacks have been known for over a decade now, they are only recently receiving attention as a practical attack surface.

In the last year, quite a few popular products have been shown to lack DNS rebinding protections, and as a result, someone could operate them remotely using a malicious web site. Manufacturers have made a habit of giving consumers connected devices that are controlled by unauthenticated HTTP requests via the local network.

This mentality, that the private LAN is trusted, is undermined by the impact of DNS rebinding. It also turns out that vulnerabilities within HTTP-based applications can be unexpectedly exploited across network boundaries. For example, the recent ES File Explorer ‘Open Port Vuln’ was generally reported as only being exploitable by an attacker on the same WiFi network as the victim. This was in fact an understatement of the risk since the vulnerable HTTP server cannot differentiate between legit and relayed requests.

Last year, I created an integrated DNS/HTTP server designed to facilitate DNS rebinding attacks which can be created on the fly with a simple UI. This software, called Dolos, has been used in Black Hat USA and SecTor training classes. Now, in coordination with my upcoming talk at Infosec EU, I have released the source code on GitHub!

Dolos simplifies the process of creating an exploit by empowering users with two modes of network discovery as well as automated target discovery and payload delivery.

In most cases, the Dolos operator will only need to supply a port number for the targeted HTTP server, a path which exists on that server and finally a JavaScript snippet intended to execute after the rebinding is complete. Dolos then generates HTML payloads which are saved as attack profiles. Once a victim browser on the targeted network opens (Read more...)