rbndr

Simple DNS Rebinding Service

rbndr is a very simple, non-conforming name server for testing software against DNS rebinding vulnerabilities. The server responds to queries by randomly selecting one of the addresses encoded in the hostname and returning it as the answer with a very low TTL.

https://en.wikipedia.org/wiki/DNS_rebinding

DNS rebinding is a form of TOCTOU (time of check, time of use) vulnerability. You would use it if you have a service that uses "preflight" checks incorrectly to modify security properties. For example, consider a (fictional) browser plugin that has an API like this:

AllowUntrustedAccess("foobar.com");
SendArbitraryRequests("foobar.com");

And AllowUntrustedAccess() simply sends a preflight HTTP request to the host:

GET /CanIDisableSecurity HTTP/1.1

If the service returns 200, then the plugin allows the host page complete access to that hostname. This might be a security vulnerability, because you can specify an rbndr hostname that will switch between a host you control and a host you don't. The plugin might allow complete access to an arbitrary IP address (e.g. an internal service, or localhost) even if that service would not normally permit the preflight check.

This might sound unrealistic, but that's exactly how Adobe Flash, Oracle Java and lots of other products worked in the past, and many other products still work.

Read about how Adobe tried to resolve this problem in Flash here, https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

For software that is vulnerable to this class of attack, rbndr is an easy way to test without having to modify /etc/hosts or set up your own nameserver. If the software associates the result with just the hostname and not the hostname and IP address, then you can grant yourself access to any IP address.

The format for hostnames is simply

<ipv4 in base-16>.<ipv4 in base-16>.rbndr.us

But you can use this website to convert from dotted quads if you prefer:

https://lock.cmpxchg8b.com/rebinder.html

For example, to switch between 127.0.0.1 and 192.168.0.1 you would encode them as dwords, and then use:

7f000001.c0a80001.rbndr.us

Let's test it out:

$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 127.0.0.1
$ host 7f000001.c0a80001.rbndr.us
7f000001.c0a80001.rbndr.us has address 192.168.0.1

As you can see, the server randomly returns one of the addresses. You might do something like this (in pseudo-code):

// Keep calling the API until the name resolves to the address you control and you get granted access
while (AllowUntrustedAccess("7f000001.c0a80001.rbndr.us") != true)
  ;

// Access granted, now wait for it to re-bind
while (ConnectToPort("7f000001.c0a80001.rbndr.us", 123) != true)
  ;

// Now you have access to localhost:123 even though localhost did not opt-in to reduced security.
SomethingEvil();
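The following is an added example, not code from the rbndr project: it encodes and decodes hostnames in the format described above, stands in for the rbndr name server with a seeded random resolver (no network involved), and then models the two client designs the README contrasts, a preflight grant keyed on the hostname alone, and one that pins the hostname to the address that passed the preflight. The class and function names, the `opted_in` set and the port 123 scenario are assumptions made for the example.

```python
import ipaddress
import random

RBNDR_SUFFIX = "rbndr.us"


def encode_rbndr_hostname(addr_a, addr_b, suffix=RBNDR_SUFFIX):
    """Build <ipv4 hex>.<ipv4 hex>.rbndr.us from two dotted quads (8 zero-padded hex digits each)."""
    a = int(ipaddress.IPv4Address(addr_a))
    b = int(ipaddress.IPv4Address(addr_b))
    return "%08x.%08x.%s" % (a, b, suffix)


def decode_rbndr_hostname(hostname, suffix=RBNDR_SUFFIX):
    """Recover the two dotted quads from an rbndr hostname; rejects anything else."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 4 or ".".join(labels[2:]) != suffix:
        raise ValueError("not an rbndr hostname: %r" % hostname)
    quads = []
    for label in labels[:2]:
        if len(label) != 8:
            raise ValueError("expected 8 hex digits, got %r" % label)
        quads.append(str(ipaddress.IPv4Address(int(label, 16))))
    return quads[0], quads[1]


class FakeRbndrResolver:
    """Stand-in for the rbndr name server (constructed for this example, no network):
    each query gets one of the two encoded addresses at random, as a real resolver
    would see once the very low TTL has expired."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def resolve(self, hostname):
        return self.rng.choice(decode_rbndr_hostname(hostname))


class HostnameKeyedClient:
    """Vulnerable design from the README: the grant is remembered per hostname and every
    later connection resolves the name again, so the grant can follow a rebind."""

    def __init__(self, resolver, opted_in):
        self.resolver = resolver
        self.opted_in = opted_in   # addresses that answer 200 to the preflight request
        self.granted = set()

    def allow_untrusted_access(self, hostname):
        if self.resolver.resolve(hostname) in self.opted_in:
            self.granted.add(hostname)
            return True
        return False

    def connect(self, hostname, port):
        if hostname not in self.granted:
            return None
        # Fresh lookup: may not be the address that passed the preflight.
        return (self.resolver.resolve(hostname), port)


class PinnedClient(HostnameKeyedClient):
    """Hardened design: the grant records (hostname, address) and later connections
    reuse the pinned address instead of resolving the name again."""

    def __init__(self, resolver, opted_in):
        super().__init__(resolver, opted_in)
        self.granted = {}

    def allow_untrusted_access(self, hostname):
        ip = self.resolver.resolve(hostname)
        if ip in self.opted_in:
            self.granted[hostname] = ip
            return True
        return False

    def connect(self, hostname, port):
        ip = self.granted.get(hostname)
        return None if ip is None else (ip, port)


def addresses_reached(client_cls, hostname, opted_in, trials=40, seed=1):
    """Drive a client through preflight-then-connect `trials` times and return the set of
    addresses it actually connected to. Only the pinned client stays inside `opted_in`."""
    client = client_cls(FakeRbndrResolver(seed), opted_in)
    reached = set()
    for _ in range(trials):
        for _ in range(64):   # retry until a lookup passes the preflight
            if client.allow_untrusted_access(hostname):
                break
        target = client.connect(hostname, 123)
        if target is not None:
            reached.add(target[0])
    return reached


if __name__ == "__main__":
    name = encode_rbndr_hostname("127.0.0.1", "192.168.0.1")
    print(name)   # 7f000001.c0a80001.rbndr.us
    print(decode_rbndr_hostname(name))
    # Constructed scenario: 192.168.0.1 opted in to the preflight, 127.0.0.1 never did.
    print("hostname-keyed:", addresses_reached(HostnameKeyedClient, name, {"192.168.0.1"}))
    print("pinned:        ", addresses_reached(PinnedClient, name, {"192.168.0.1"}))
```

Running it shows the hostname-keyed client ending up connected to 127.0.0.1 roughly half the time even though only 192.168.0.1 ever answered the preflight, while the pinned client never leaves the address that passed. The same pinning applies to a real client: store the socket address that satisfied the check and connect to that address, rather than resolving the name a second time.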
