web application security lab

wget DNS-rebinding and Weak Intranet Port Scanning

For my upcoming talk at DefCon on Friday of next week I was testing a server that is not listening on a port you would expect it to be. That same server is load balanced through DNS, so its name resolves to a large block of IP addresses. I wanted to check whether the port was open on any of the hosts behind that name, so I pointed wget at it. It looked something like this:

$ wget --server-response --timeout=3 https://somesite.com/
--2009-07-21 13:58:32-- https://somesite.com/
Resolving somesite.com… 1.1.1.1, 2.2.2.2, 3.3.3.3, …
Connecting to somesite.com|1.1.1.1|:443… failed: Connection timed out.
Connecting to somesite.com|2.2.2.2|:443… failed: Connection timed out.
Connecting to somesite.com|3.3.3.3|:443… failed: Connection timed out.
Connecting to somesite.com|4.4.4.4|:443… failed: Connection timed out.
Connecting to somesite.com|5.5.5.5|:443… failed: Connection timed out.
Connecting to somesite.com|6.6.6.6|:443… failed: Connection timed out.
Connecting to somesite.com|7.7.7.7|:443… failed: Connection timed out.
Connecting to somesite.com|8.8.8.8|:443… failed: Connection timed out.
Connecting to somesite.com|9.9.9.9|:443… failed: Connection timed out.
Connecting to somesite.com|10.10.10.10|:443… failed: Connection timed out.
Connecting to somesite.com|11.11.11.11|:443… failed: Connection timed out.
Retrying.

As the output shows, wget does not stop at the first address: if it cannot connect to the first A record the name resolved to, it tries the second, then the third, and so on through the whole list (and, as the trailing "Retrying." shows, it then starts over). That means that if you can tell that a particular client is hitting you with wget, you can effectively rebind it to another address: block that one client on your own IP so its connection fails, and wget falls through to whatever other addresses you have listed for the name. Nobody else resolving the name is affected. So you can rebind it to Google or something and have it spin forever trying to download the Internet, or something else just as dumb. Or you can point it at its own internal IPs…

That also makes a second, much weaker attack possible. Let's say my DNS answer were a list like 1.1.1.1, 192.168.0.1, 1.1.1.1, 192.168.1.1, 1.1.1.1, 10.0.0.1, 1.1.1.1, …. alternating between my own address (1.1.1.1) and internal RFC1918 address space. If the first entry fails, wget tries the second. If the port is closed there, wget misses it and moves on to the third (my IP again), and so on. I don't have an open port, but that doesn't stop me from seeing the SYN packet arrive every time wget comes back to my address, and each SYN I see means the internal address listed just before it refused or timed out. The result is a very weak intranet port scan: it stops the moment wget reaches the first internal address that accepts the connection, and it tells you nothing about the addresses after that. Two further caveats for anyone tempted to try it: a resolver is free to reorder the A records it hands back, and identical records in one RRset are generally treated as one, so in practice you would need several distinct addresses of your own and could only approximate the scan order. So it's almost useless as an attack. But still - really? Why does wget of all things need to be vulnerable? What's next? Heap spraying in lynx?!
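The failover walk and the SYN-timing trick from the two paragraphs above, as an added simulation that is not part of the original post and touches no real network. One function models wget walking the A-record list (the attacker's address answers every attempt with an immediate RST but still logs the SYN; internal hosts are closed, filtered or open), and a second plays the attacker, reconstructing each internal host's state from nothing but the arrival times of the SYNs that reached the attacker's own address. The attacker address 203.0.113.10, the round-trip time, the target list and the host states are all constructed for the example.

```python
"""Model of wget's A-record walk and the SYN-timing inference behind the scan.

Added example; all addresses, timings and host states below are constructed.
"""

ATTACKER_IP = "203.0.113.10"   # assumed attacker-controlled address (TEST-NET-3)
CONNECT_TIMEOUT = 3.0          # seconds, wget --timeout=3 as in the post
RTT = 0.01                     # seconds, assumed round-trip time for a RST


def build_answer(targets, attacker_ip=ATTACKER_IP):
    """A-record list in the order wget will try it: attacker, target, attacker, ..."""
    answer = []
    for ip in targets:
        answer += [attacker_ip, ip]
    answer.append(attacker_ip)      # trailing attacker entry so the last target is bracketed
    return answer


def simulate_wget(answer, host_state, timeout=CONNECT_TIMEOUT,
                  attacker_ip=ATTACKER_IP, rtt=RTT):
    """Walk the list the way wget does (one pass, ignoring --tries retries).

    host_state maps internal IP -> "open" | "closed" | "filtered" (default filtered).
    The attacker host has the port closed: it answers RST at once but sees the SYN.
    Returns the times at which SYNs reached attacker_ip.
    """
    t = 0.0
    syn_times = []
    for ip in answer:
        if ip == attacker_ip:
            syn_times.append(round(t, 3))
            t += rtt                              # RST comes straight back, wget moves on
            continue
        state = host_state.get(ip, "filtered")
        if state == "open":
            break                                 # handshake succeeds, wget fetches and stops
        t += rtt if state == "closed" else timeout   # fast RST vs full connect timeout
    return syn_times


def infer_scan(answer, syn_times, timeout=CONNECT_TIMEOUT, attacker_ip=ATTACKER_IP):
    """Attacker side: classify the internal addresses from SYN arrival times alone."""
    slots = [i for i, ip in enumerate(answer) if ip == attacker_ip]
    syn_times = syn_times[:len(slots)]            # drop a second pass caused by wget retrying
    verdicts = {}
    for k, slot in enumerate(slots):
        if k >= len(syn_times):
            break                                 # wget never came back to this slot
        end = slots[k + 1] if k + 1 < len(slots) else len(answer)
        between = answer[slot + 1:end]            # internal addresses tried before the next SYN
        if not between:
            continue
        if k + 1 < len(syn_times):
            # wget returned, so everything in between failed; with a single address
            # the gap separates closed (fast RST) from filtered (full timeout)
            gap = syn_times[k + 1] - syn_times[k]
            if len(between) == 1:
                verdicts[between[0]] = "closed" if gap < timeout / 2 else "filtered"
            else:
                for ip in between:
                    verdicts[ip] = "failed"
        else:
            # no further SYN: the first address here accepted the connection
            # (or the user gave up), and nothing after it was ever tried
            verdicts[between[0]] = "open"
            break
    return verdicts


# Constructed scenario: the attacker's zone lists four RFC1918 guesses.
TARGETS = ["192.168.0.1", "192.168.1.1", "10.0.0.1", "10.0.0.2"]
ANSWER = build_answer(TARGETS)
TRUE_STATE = {"192.168.0.1": "closed", "192.168.1.1": "filtered",
              "10.0.0.1": "open", "10.0.0.2": "closed"}


def run_example():
    """Victim runs wget against the name; attacker watches SYNs and infers the rest."""
    syns = simulate_wget(ANSWER, TRUE_STATE)
    return syns, infer_scan(ANSWER, syns)


if __name__ == "__main__":
    seen, found = run_example()
    print("SYNs at attacker:", seen)
    for ip, verdict in found.items():
        print(f"{ip:15} {verdict}")
```

The gap between two consecutive SYNs at the attacker's address is the time wget spent on the internal address listed between them: roughly one round trip when that host sent a RST, the full connect timeout when it dropped the SYN. When no further SYN arrives, the next internal address accepted the connection, and everything after it stays untested, which is exactly why the scan dies at the first open host.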

13 Responses to “wget DNS-rebinding and Weak Intranet Port Scanning”

  1. Rafal Los Says:

    RSnake-
    The first scenario is predicated on a few things which I think make it highly unlikely. First, you’d have to purposely have extremely short-lived DNS replies (thus causing higher network traffic… self DDoS?) then figure out that you’re being WGET’ed (via some automated method), which would then need to trigger an auto-update to the DNS which would effectively rebind EVERYONE who’s hitting your site (via DNS) at that time…
    Doesn’t this go into the category of …”what’s the point?” Perhaps I’m under or over-thinking this?

  2. RSnake Says:

    @Rafal - DNS rebinding only works if the site goes down for the person you want to rebind. You don’t have to take it down for anyone but the person who is wgetting you. The other users won’t notice a thing. So yes, you’d have to detect them, and then block them. The rest is just making sure you have your trap pre-built into your DNS. ;)

  3. Rafal Los Says:

    @Rsnake: Off-line conversation included… this makes more sense now. :) Thanks for clarifying - although I see its usefulness in limited cases… where someone REALLY needs to protect against an all-out site-scrape; otherwise it’s a waste of resources.

  4. RSnake Says:

    As Bojan Zdrnja pointed out this is possible in modern browsers as well. That means you can basically create a crappy port scanner using only a series of image tags (no JavaScript required). The other half is just a series of DNS entries and a tool to watch the SYN packets.

  5. Wornstrom Says:

    People tend to underestimate what a page full of image tags can do. I’ve seen a few forums with file uploaders, that made the mistake of having the delete function be only a link, rather than a POSTed form. As soon as an admin stumbles across a post full of [img]deletefile.php?id=1[/img][img]deletefile.php?id=2[/img]…[img]deletefile.php?id=9999[/img], bam.

  6. ChosenOne Says:

    Why do you consider this a vulnerability in wget?!
    Sorry if I'm being stupid right now, but I don't see it.. :)

  7. RSnake Says:

    @ChosenOne - This was kind of meant as a joke post more than anything. But yes, it is possible to get wget to connect to something that the person running it didn’t mean to connect to. That’s the whole point. You aren’t being stupid - I was just joking around and I think the joke was lost.

  8. ChosenOne Says:

    @RSnake — oh, ok… :D

  9. rvdh Says:

    @Wornstrom

    That’s where tokens play a role, to prevent against the CSRF example you posted. And no, we people (at least I) do not underestimate that.

  10. Pete Says:

    Uh. If they’re already going to your (attacker)’s website, couldn’t you just give them a .js that tries to connect to lots of internal IPs/ports and then when the scan is done make a request back to the attacker’s site with the results? I’m not too familiar with js but it just seems like this would be feasible.

  11. RSnake Says:

    @Pete - no, wget doesn’t render HTML or JavaScript it just pulls it down.

  12. Wornstrom Says:

    @rvdh: I know anyone who knows anything about security is already aware of that exploit, but I’ve seen it used a few times.

    Also, I would think this “exploit” alone is not enough to block wget. There must be plenty of web browsers and other legitimate clients that have this behaviour.

  13. Wireghoul Says:

    Wget will usually follow a 30(1|2) so rebinding seems overkill. Think I missed the joke too.. :/