Recent updates:
NEW (2023-04-27): Check out our blog post documenting the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two ways to bypass these restrictions. We also discuss the effects of WebRTC IP address leak mitigation, and DNS Bit 0x20 on DNS rebinding attacks.
(2020-03-30) New blog post investigating the impact of DoH on DNS rebinding attacks. TL;DR: DoH (DNS over HTTPS) has no effect on rebinding attacks and protections advertised by providers can be bypassed.
Check out our DEF CON 27 video and BSidesLV presentation, State of DNS Rebinding: Attack & Prevention Techniques and the Singularity of Origin.
Singularity of Origin is a tool to perform DNS rebinding attacks.
It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims at providing a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks and to raise awareness of how they work and how to protect against them.
Detailed documentation is on the wiki pages.
Setting up Singularity requires a DNS domain name where you can edit your own DNS records for your domain and a Linux server to run it. Please see the setup singularity wiki page for detailed instructions.
Here are a few pointers to start:
A test instance is available for demo purposes at http://rebind.it:8080/manager.html.
Singularity has been tested to work with the following browsers in optimal conditions in under 3 seconds:
Browser | Operating System | Time to Exploit | Rebinding Strategy | Fetch Interval | Target Specification |
---|---|---|---|---|---|
 | | ~3s | Multiple answers (fast) | | |
 | | ~3s | Multiple answers (fast) | | |
Firefox | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
Chromium | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Firefox | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Chrome | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Firefox | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Safari | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
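The table above shows the resolver-facing side of the attack: the attack server's name first answers with a public address and then with a local target such as 127.0.0.1 or 0.0.0.0, and the "multiple answers" strategy even places both in one response. The natural defence at that layer is a resolver-side screen that refuses to return loopback, private, link-local or unspecified addresses for names outside the zones you own, which is what rebinding filters in resolvers such as dnsmasq do. The following Go program is an added example written for this page, not code from Singularity; the names (`rebinder.example.net`, `intranet.corp.example`) and the answer sets are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Resolver-side DNS rebinding screen (added example, not Singularity code).
// Public names should never resolve to addresses that reach the local host
// or LAN; an answer that does is the signature of a rebinding attempt,
// including the "multiple answers" case where one response carries a
// public address and a local one side by side.

// isLocalTarget reports whether an address points at the machine or its
// network rather than the Internet: 0.0.0.0 / ::, loopback, RFC 1918 / ULA,
// link-local, and the CGNAT range 100.64.0.0/10 (not covered by IsPrivate).
func isLocalTarget(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	cgnat := netip.MustParsePrefix("100.64.0.0/10")
	return a.IsUnspecified() || a.IsLoopback() || a.IsPrivate() ||
		a.IsLinkLocalUnicast() || cgnat.Contains(a)
}

// Verdict is the result of screening one DNS answer set.
type Verdict struct {
	Blocked bool     // true when the answer must not be returned to clients
	Reason  string   // why it was blocked, for logging
	Bad     []string // the offending addresses
}

// screenAnswer inspects the A/AAAA records returned for name. Names in
// allowlist (internal zones you own) may legitimately resolve to LAN
// addresses; any other name that resolves to a local target is refused.
func screenAnswer(name string, records []string, allowlist map[string]bool) (Verdict, error) {
	if allowlist[name] {
		return Verdict{}, nil
	}
	var v Verdict
	for _, r := range records {
		a, err := netip.ParseAddr(r)
		if err != nil {
			return Verdict{}, fmt.Errorf("%s: bad address %q: %w", name, r, err)
		}
		if isLocalTarget(a) {
			v.Bad = append(v.Bad, r)
		}
	}
	if len(v.Bad) > 0 {
		v.Blocked = true
		v.Reason = "public name resolves to local address (possible DNS rebinding)"
	}
	return v, nil
}

func main() {
	// Constructed sample answers, not real captures.
	allow := map[string]bool{"intranet.corp.example": true}
	cases := []struct {
		name string
		recs []string
	}{
		{"www.example.com", []string{"93.184.216.34"}},                     // ordinary answer
		{"rebinder.example.net", []string{"93.184.216.34", "127.0.0.1"}},  // multiple answers strategy
		{"rebinder.example.net", []string{"0.0.0.0"}},                     // 0.0.0.0 target
		{"intranet.corp.example", []string{"10.0.0.5"}},                   // allowlisted internal zone
	}
	for _, c := range cases {
		v, err := screenAnswer(c.name, c.recs, allow)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-24s blocked=%v bad=%v %s\n", c.name, v.Blocked, v.Bad, v.Reason)
	}
}
```

The screen runs on every answer, not only the first, because the rebind happens on a later lookup once the browser's cache entry for the attack name has expired; the allowlist exists because split-horizon zones you control do legitimately hand out RFC 1918 addresses.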
Singularity supports the following attack payloads:

- simple-fetch-get.js: This sample payload [...] `fetch` API.
- exposed-chrome-devtools.js: This payload [...] `localhost` [...].
- etcd.js: This payload retrieves the keys and values from [...].
- pyethapp.js: Exploits the Python implementation of the [...].
- rails-console-rce.js: Performs a remote code [...].
- aws-metadata-exfil.js: Forces a headless browser to exfiltrate AWS metadata [...].
- duplicati-rce.js: This payload exploits the [...]. The `targetURL` in file payload-duplicati-rce.html must be updated to [...].
- webpdb.js: A generic RCE payload to exploit PDB, [...].
- hook-and-control.js: Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default, e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
- jenkins-script-console.js: This payload exploits the [...].
- docker-api.js: This payload exploits the [...] `/etc/shadow` file of the Docker host.
- ollama-exfil.js: Exfiltrate files from hosts running Ollama, an open-source system for running and managing large language models (LLMs). See blog post.