Homeward Bound: Scanning Private IP Space with DNS Rebinding

DNS rebinding attacks have re-entered the spotlight, largely owing to recent high-profile disclosures by Tavis Ormandy, including RCE in the Blizzard Update Agent triggered from the browser. However, given the vast amount of consumer software in circulation today and the apparent frequency with which the design (anti)pattern of treating localhost as secure occurs, it is likely that many vulnerable services still exist. In this talk, we will present a set of tools we created to make performing DNS rebinding attacks fast and easy at scale, discuss how these tools can be used to perform network reconnaissance from inside a browser, and present an opt-in “localhost census” page that uses DNS rebinding to enumerate localhost services listening for HTTP on the visitor’s computer and adds the results to a database.