How to steal a developer's local database

770 points, by chachram, almost 9 years ago

48 comments

andrewstuart2, almost 9 years ago
These have a fairly simple fix that you can implement yourself as a developer. Don't let your services listen on (AKA bind to) 0.0.0.0 or 127.0.0.1.

The entire 127.0.0.0/8 block is dedicated to the loopback interface [1]. That's 2^24 - 2 unique IP addresses you can choose at random. This basically eliminates the feasibility of the DNS rebinding component, as it would take prohibitively long to find the actual loopback address that your services have bound to.

It's important to note that this is much more effective than not using the default port. It's *much* faster to iterate all 2^16 ports on the same IP address than it is to wait for DNS TTL to expire so you can rebind to another IP address.

As a bonus, you don't have to worry about port collisions when nobody's allowed to listen on 0.0.0.0. Everybody can use 8080 if they want.

[1] https://tools.ietf.org/html/rfc5735#section-3
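The random-loopback idea above, worked through as an added example (not code from the thread or from any project): pick one of the 127.0.0.0/8 host addresses at random, bind the listener there, and estimate what that costs a rebinding page that can only try one address per DNS TTL. The listener part assumes Linux, where the whole /8 is routed to the loopback interface; on macOS only 127.0.0.1 is configured by default.

```python
import ipaddress
import secrets
import socket

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")
WELL_KNOWN = ipaddress.IPv4Address("127.0.0.1")


def random_loopback_address() -> ipaddress.IPv4Address:
    """Pick a uniformly random host address in 127.0.0.0/8.

    Excludes the network and broadcast addresses (leaving the 2^24 - 2 hosts
    the comment counts) and also 127.0.0.1, the address an attacker tries first.
    """
    candidates = LOOPBACK_NET.num_addresses - 3        # 2**24 - 3
    offset = 2 + secrets.randbelow(candidates)         # 2 .. 2**24 - 2
    return LOOPBACK_NET.network_address + offset


def is_usable_random_loopback(addr: str) -> bool:
    """True if addr is a loopback host other than 127.0.0.1 (audit helper)."""
    ip = ipaddress.ip_address(addr)
    return (ip.version == 4 and ip in LOOPBACK_NET
            and ip not in (LOOPBACK_NET.network_address,
                           LOOPBACK_NET.broadcast_address, WELL_KNOWN))


def expected_rebind_seconds(ttl_seconds: float) -> float:
    """Mean time for a rebinding page to guess the address, one guess per TTL.

    Each guess costs about one TTL of waiting, and on average half of the
    2^24 - 2 candidates must be tried; that waiting is the cost the comment
    relies on, and it is what makes this stronger than a non-default port.
    """
    return ttl_seconds * (LOOPBACK_NET.num_addresses - 2) / 2


def bind_listener(port: int):
    """Bind a TCP listener on a fresh random loopback address; returns (socket, addr)."""
    addr = str(random_loopback_address())
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, port))          # Linux routes all of 127/8 to lo
    srv.listen(1)
    return srv, addr


if __name__ == "__main__":
    server, chosen = bind_listener(8080)
    print(f"listening on {chosen}:8080")
    try:
        # The well-known address is not served, so this connection must be refused.
        socket.create_connection(("127.0.0.1", 8080), timeout=1).close()
        print("127.0.0.1:8080 unexpectedly accepted a connection")
    except OSError:
        print("127.0.0.1:8080 is closed; only the random address answers")
    server.close()
```

The client must then be told the chosen address (an environment variable or a config file works), which is the same information an attacker would have to guess.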
digitalsushi, almost 9 years ago
In a past life I had to write some DNS rebind attacks for some CPE testsuite software that is out there.

It was very easy to write some javascript that hangs out in the browser, gets the updated DNS host as the 192.168.0.1 address (sure sure, you can go crazy guessing other addresses) and then about 60% of everyone was on admin:admin or something as common; the first 12 or so bits of an ethernet address are the vendor identifier, which makes the process even easier to assume. Then you just start posting data to well-known web admin interfaces and update the router password.

I have no idea how well this works, three or four years later...
nothrabannosir, almost 9 years ago
> *The attack depends on multiple software products all making very reasonable decisions about how they should work, but the way they interact with each other leads to a vulnerability.*

I'm sorry, but I disagree. A browser allowing externally loaded scripts to access private ip ranges is not a reasonable decision.

PSA: To protect yourself from this, and some more bad browser defaults, use NoScript with "allow all scripts globally." Keep the JS, but filter out some bad stuff. Also enable ABE (application boundaries enforcer, made to solve exactly this problem) for good measure.
corecoder, almost 9 years ago
Now I'm a little scared.

A few months ago there was a post [0] by antirez about how dangerous it is to leave a redis instance open to the world, in that an attacker could, for instance, authorize an SSH key on your machine and gain remote connectivity.

While the average workstation is not usually reachable from the outside network, you could probably combine some variant of that attack (the first thing that comes to mind: overwrite .bash_profile) with the attack of this article, causing a lot of fun.

[0] http://antirez.com/news/96
bm98, almost 9 years ago
Running your browser in Red Hat's SELinux sandbox [1] [2] limits the ports you can connect to and thus limits this type of attack to those ports (80, 81, 443, 488, 8008, 8009, 8443, and 9000 in the default configuration).

[1] http://danwalsh.livejournal.com/31146.html
[2] http://www.bress.net/blog/archives/195-Firefox-in-a-sandbox-with-Fedora.html
cpcallen, almost 9 years ago
I have seen this story posted and discussed in several locations. It boggles my mind that everyone is talking about DNS filtering and/or browser security models, when it's painfully obvious that the actual problem is the fact that the targeted services (redis, memcached, elasticsearch, etc.) apparently do nothing whatsoever to authenticate incoming connections (at least in their default configuration).

Yes: remote DNS servers have no business serving up loopback addresses. Yes: browsers shouldn't let remote scripts access resources on the local network.

But WTF are you guys doing running services bound to network ports (even if only accessible from the local machine) that apparently have no authentication whatsoever? Have none of you ever used a multi-user machine?

When I was in university we had just three SunOS boxen shared amongst all undergrads in my faculty, and all three were directly accessible from the whole of the internet - there was no firewall of any kind. Even back in those rather more innocent days you learned real quick not to put up services which didn't authenticate every incoming connection.

A good firewall is not a substitute for having individual machines be secure.

A machine having only one (intended) user is not an excuse to run services that are not secure against local users.
orf, almost 9 years ago
Interesting attack. A far more feasible one is just to throw nmap around your next conference's WiFi network and try common postgres/mysql combinations. You'd be surprised how many developers have such services exposed, often with 'developer passwords' and production dumps loaded.
nbadg, almost 9 years ago
Question: could DNS rebinding be used to tap into 1Password inter-process communication? They use localhost websockets for IPC; it's authenticated through the request origin and then through verifying the PID is in fact the browser [1].

DNS rebinding could definitely get around the PID check, but could it spoof an origin to something like "safari-extension://com.agilebits.onepassword4-safari-2bua8c4s2c"?

[1] https://support.1password.com/mini-extension-security/
xenadu02, almost 9 years ago
Browsers could pin DNS responses when a page finishes loading so any further requests for that domain will use the cached IP instead of doing name lookups, but that would be a PITA because they generally rely on the OS DNS subsystem. It might also break long-running pages that won't failover anymore.

It would probably be easier to simply keep an IS_LOOPBACK flag for every DNS name resolved and kill any connection attempts if the flag changes while the page is loaded. Then you can keep using the OS DNS resolver logic.

DNS might legitimately return a different CDN but it sure as hell won't flip between private IP spaces and the public internet.
antirez, almost 9 years ago
Recently Redis aliased POST and Host: to QUIT for this reason.
Puts, almost 9 years ago
When you hear about someone jailbreaking an iPhone through the browser, this is how. Since the browser works as a window to all TCP sockets running on a device, it's the perfect way to exploit buffer overflows on a device that lacks a terminal.

Also remember this with all your IoT appliances running on your local network. Even if it has a local IP address, as long as you have a computer with a browser on the same network, you might as well consider your devices publicly accessible from the rest of the internet.
rhodey_orbits, almost 9 years ago
Cool to see DNS Rebinding getting more attention lately :D Just a couple months ago I used DNS Rebinding to attack Ethereum wallets: https://medium.com/@rhodey/walking-past-same-origin-policy-nat-and-firewall-for-ethereum-wallet-control-30c29b73a057#.ew1ir61kg
jasonkester, almost 9 years ago
Do developers often run things on localhost? I mean sure, you'll have things running on your dev machine, but for me at least, http://127.0.0.1/ will just show the default webroot, with its placeholder index.html. All my actual sites listen for custom hostnames (since otherwise you only get one site per machine or have to do silly things with port numbers on the url).

So unless somebody has crafted a page specifically targeting me and my naming convention for local sites, this wouldn't be an issue. And of course, once you hit a site, you'd still need to deal with the same security that the public facing version sees. You certainly wouldn't go out of your way to disable that on your local machine.

Databases are named, and often live within named database server instances, so they'd need to be specifically targeted as well. And, again, they have authorization to deal with. It's not like you'd leave that open either.

Is it common to do it any other way?
EdSharkey, almost 9 years ago
In what universe does it make sense for a DNS server to serve records that point to 127.0.0.1??

This DNS Rebinding hack should be easy to eliminate: only /etc/hosts can make records that point to localhost.

I don't care if a HUGE swath of applications are broken by this, DNS just seems broken to allow remote DNS servers to make localhost records.

Please excuse my awkward use of words, I am a combination of sick and delightfully ignorant about DNS.
parenthephobia, almost 9 years ago
This problem doesn't just apply to localhost, although it's most straightforward to exploit that way. You could also use this technique to scan the user's LAN or, in a more targeted attack, bypass IP address restrictions on specific servers.

Scripts from the public Internet shouldn't be able to access private or local networks as a matter of policy.

Similarly, in a high-security environment, scripts from a private network shouldn't be able to access the public Internet - to help prevent exfiltration of private data.
thirstytho, almost 9 years ago
I always kinda wondered when the other shoe was gonna drop on "why do databases even have passwords"...
kevinbowman, almost 9 years ago
I'm sure I've seen browsers (maybe Opera?) which wouldn't let a website on a "routable" IP address make any requests at all to anything on a "non-routable" IP address; I assume that 127/8 is included in the latter range. That approach basically eliminates the DNS rebinding attack; I assumed that was normal practice in all browsers - obviously not, though.
tapvt, almost 9 years ago
Another good reason to develop within a virtualized server on your dev machine?
csense, almost 9 years ago
My takeaway from this is that binding to localhost doesn't give you as much security as you think.
gschrader, almost 9 years ago
Looks like the best way to protect against this is filtering private IP addresses from DNS responses. Is there a reason why ISP DNS servers in general would ever need to serve out a private IP?
nneonneo, almost 9 years ago
This is an interesting, albeit well-known attack vector. A similar attack was used to attack Avast [0].

The author notes that write access could be used to inject dangerous objects (e.g. malicious pickles) into the database. This is arguably a much more serious bug because it does not require DNS rebinding (such a request can be performed cross-origin) nor can it be mitigated by refusing to read the response (as Chrome is proposing to do).

In short: the database modification attack is potentially much more severe, but as of yet no precise attack chain has been identified. However, I think it's very likely that some server software uses e.g. pickles in the database.

[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=679&redir=1
f055, almost 9 years ago
Hmm, Little Snitch, if configured properly (i.e. you allow the browser to only connect to ports 80 and 443) will alert you if a site wants to connect to something weird like 3306, 9000 etc. Then you can kill the packet and nothing happens. Like on OP's PoC. Still, it's a super interesting PoC.
optimuspaul, almost 9 years ago
I run my real databases on non-standard ports in docker and put honey pots on the standard ports. Those I fill with dialog from love scenes in popular movies; it's not a ton of data but it's certainly interesting.
yarper, almost 9 years ago
Similar problem with IntelliJ: https://news.ycombinator.com/item?id=12292148
Mizza, almost 9 years ago
I love this class of attack. I wonder if you could use a similar technique to get German Transmission users to download fine-inducing torrents, etc..
bahjoite, almost 9 years ago
I've become increasingly complacent and often allow NoScript to "temporarily allow all javascript on this page", but will stop doing it, having just tried the PoC. It found Redis (which runs in a container, but with the port exposed).

The PoC failed to work when using TorBrowser (with the security slider set to High) and letting NoScript temporarily allow.
hrjet, almost 9 years ago
We are designing a solution in gngr here: https://github.com/UprootLabs/gngr/issues/219

In essence, the resolved address of a request will be checked to see if it lies in a reserved block. If so, further policy checks will be made for the resolved address, and the IP address will be pinned for that HTTP request.

Would appreciate feedback here, or on the issue.
runin2k1, almost 9 years ago
"How to steal some developer's local database"
jkarneges, almost 9 years ago
This reminds me of a similar vulnerability in webhooks [1]. I never thought of throwing a POST request at Redis to muck with keys but I tried it just now and it totally works. Geez.

[1] http://blog.fanout.io/2014/01/27/how-to-safely-invoke-webhooks/
edwinjm, almost 9 years ago
Routers like the Fritzbox also protect against DNS Rebinding: https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/663_No-DNS-resolution-of-private-IP-addresses/
tener, almost 9 years ago
With WebRTC local ip discovery [1] it can be easily extended to work against a whole local subnet. Looks very dangerous.

Probably best to attack this on the DNS rebind level. Encapsulating the browser network context somehow and firewalling this might help mitigate this attack too.

[1] https://www.browserleaks.com/webrtc
amazingman, almost 9 years ago
Seems to me that containerizing your dev environment with something like a well-constructed *docker-compose* YAML should mitigate this.

By "well-constructed" I mean that the backend services for a given project should only be available on the container network, and not be exposed to the host network.
thebeardedone, almost 9 years ago
Out of curiosity, what data do you have in your development databases that this becomes such a grave concern? I mean I'm all for security and love to see how creative people can get, but we are talking about dev environments and not some part of the infrastructure (automated test machines, production, etc).
ddalex, almost 9 years ago
The crazy thing to me is that people here look for solutions at a lower OSI level (DNS, interfaces, IP addresses), where to me the problem is that there are these services that run with zero security.

Fix the services, require authentication and permission enforcement, and the problem is gone.
quickquest57, almost 9 years ago
I noticed that I am running redis-server in the background on my mac... but I have no idea what started it. I'm not doing any relevant development at the moment, and haven't in months.

How can I trace the source and ensure it doesn't restart on reboot?
rbanffy, almost 9 years ago
It's very concerning considering Homebrew's popularity and its habit of running stuff as your local user. Compromising any application that runs as you, with as much access to your computer as yourself, is pretty bad.
oandrei, almost 9 years ago
Perhaps a server, when running in development mode, should require a custom HTTP header? This would be a non-simple request, and the browser will refuse. Would this be a reasonable counter-measure?
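A server-side check in the spirit of the Redis change antirez mentions and the development-mode gate oandrei asks about, as an added example (my code, not Redis's or any project's). After rebinding the browser treats the request as same-origin, but the Host header still carries the page's own hostname, so a local service that only expects to be addressed as localhost can refuse anything else; unexpected methods are refused the same way. The allowlists, port and request heads are constructed for the example.

```python
from typing import Dict, Tuple

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}   # names this service answers to
ALLOWED_METHODS = {"GET"}                              # the local API is read-only here


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request head.

    Returns (method, headers) with header names lower-cased; the body, if
    any, is ignored. A malformed head raises ValueError so callers fail closed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.rstrip("\r\n").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("bad request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def host_name(host_header: str) -> str:
    """Strip an optional :port, keeping IPv6 brackets ('[::1]:8080' -> '[::1]')."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def decide(raw: bytes) -> Tuple[bool, str]:
    """Return (accept, reason). Anything unexpected is rejected, never guessed."""
    try:
        method, headers = parse_request_head(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"malformed request: {exc}"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} is not offered by this service"
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    if host_name(host.lower()) not in ALLOWED_HOSTS:
        return False, f"Host {host!r} is not a name this service answers to"
    return True, "ok"


# Constructed request heads: the developer's own request, and the same API as a
# rebinding page would reach it (Host still carries the page's hostname).
LOCAL_REQUEST = b"GET /keys HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"
REBOUND_REQUEST = (b"GET /keys HTTP/1.1\r\nHost: evil.example\r\n"
                   b"Origin: http://evil.example\r\n\r\n")

if __name__ == "__main__":
    for req in (LOCAL_REQUEST, REBOUND_REQUEST):
        print(decide(req))
```

A service that speaks its own protocol rather than HTTP (Redis, memcached) gets the same effect by treating an HTTP request line or a Host header as a reason to close the connection, which is what antirez describes.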
knocte, almost 9 years ago
Can this be solved by configuring the local system (e.g. Debian?) to blacklist any DNS resolution that ends up being a private IP address? Is this possible to configure at the firewall level?
chx, almost 9 years ago
Create a docker container, mount -v /tmp/.X11-unix:/tmp/.X11-unix in there and run your browser that way. It's VM lite and mitigates this attack.
RussianCow, almost 9 years ago
This is why I use Vagrant whenever I can. All my services live within a VM and are only accessible via a specific hostname.
therealmarv, almost 9 years ago
The PoC website works on my redis even when using Chrome canary 55, which should have removed HTTP 0.9.
teilo, almost 9 years ago
This is a non-issue for those of us who are using Vagrant or similar development VM technologies.
snowmaker, almost 9 years ago
Is there any similar attack for data in postgres / mysql local databases?
ex3ndr, almost 9 years ago
Looks like Qubes OS is the only ultimate solution.
totony, almost 9 years ago
The DNS rebind seems weird; any sensible DNS forwarder should ignore local IPs (127.0.0.1/8, 192.168.0.1, etc). This attack doesn't seem feasible if you can't hijack local addresses.
govindpatel, almost 9 years ago
I think that running elasticsearch on a different port (other than 9200) will go undetected? (just a thought)
beeperless, almost 9 years ago
If the box doesn't beep any longer - how can I find where I stored my speaker-less server?
jbob2000, almost 9 years ago
Oh no, my development database! What ever will I do if 10,000 entries of Lorem Ipsum get leaked!? In the wrong hands, all of my bunk data from trying to get a PUT right could be really dangerous.