Attacking Private Networks from the Internet with DNS Rebinding
The well-written research article above by Brannon Dorsey is a must-read for any developer of home-integrated devices, and perhaps, all developers, even those who develop products that run within highly secure networks that, via an authenticated user- (as was done with Stuxnet)- can inadvertently intercept and execute malicious code.
Essentially Mr. Dorsey discovered that smart home gadgets that are supposed to operate securely in private networks can be exploited from the outside by simply embedding scripts containing network hi-jack exploits in links that can make requests back to the client browser that appear- via dynamic IP-to-same-origin-hostname switching* (ie. "DNS Spoofing") done through a malicious DNS server -to be from a trusted, same-origin source.
ie.
Malicious hostname: exploit.net
Malicious ip address: 59.33.12.9
Victim recent request hostname: somebank.com
Victim recent request ip address: 122.76.21.19
<<Very brief DNS Hijack via a malicious DNS server>>
Malicious hostname: exploit.net
Malicious ip address as far as victim browser client is aware: 122.76.21.19
......See the problem?
He goes on to explain how entire protocols like UPnP "are built around the idea that devices on the same network can trust each other".
Remember: what appears to the browser client to be a "same-origin" request is not always actually a same-origin request. Make sure that you change the default credentials on your network router(s) and as the article above insists:
Good to remember: protocol://host:port/path?query
*DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
The well-written research article above by Brannon Dorsey is a must-read for any developer of home-integrated devices, and perhaps, all developers, even those who develop products that run within highly secure networks that, via an authenticated user- (as was done with Stuxnet)- can inadvertently intercept and execute malicious code.
Don't let script kiddies mess with your code via DNS
Essentially Mr. Dorsey discovered that smart home gadgets that are supposed to operate securely in private networks can be exploited from the outside by simply embedding scripts containing network hi-jack exploits in links that can make requests back to the client browser that appear- via dynamic IP-to-same-origin-hostname switching* (ie. "DNS Spoofing") done through a malicious DNS server -to be from a trusted, same-origin source.
ie.
Malicious hostname: exploit.net
Malicious ip address: 59.33.12.9
Victim recent request hostname: somebank.com
Victim recent request ip address: 122.76.21.19
<<Very brief DNS Hijack via a malicious DNS server>>
Malicious hostname: exploit.net
Malicious ip address as far as victim browser client is aware: 122.76.21.19
......See the problem?
He goes on to explain how entire protocols like UPnP "are built around the idea that devices on the same network can trust each other".
Remember: what appears to the browser client to be a "same-origin" request is not always actually a same-origin request. Make sure that you change the default credentials on your network router(s) and as the article above insists:
"We need developers to write software that treats local private networks as if they were hostile public networks. The idea that the local network is a safe haven is a fallacy. If we continue to believe it people are going to get hurt."
Good to remember: protocol://host:port/path?query
*DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
