Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials.
Cybersecurity firm Intruder has published blog posts explaining how they got hacked by successfully exploiting a DNS rebinding vulnerability that allowed them to extract low-privileged AWS (Amazon Web Services) credentials. They discovered a DNS rebinding vulnerability in their platform after hacking themselves.
Although rare, DNS rebinding exploitation is a persistent threat. In 2018, Hackread.com reported cybersecurity firm Armis’ research, which revealed that over half a billion (496 million) IoT devices were found vulnerable to DNS rebinding, most used by enterprises.
Intruder’s penetration tester Daniel Thatcher noted that while the vulnerability’s impact was limited due to the prevailing security measures, the exploit indicates the feasibility of DNS rebinding attacks in time-constrained scenarios like penetration testing.
Further probing helped him achieve reliable split-second DNS rebinding in Chrome, Edge, and Safari browsers, which was surprising, specifically when IPv6 was available.
The vulnerability was discovered in Intruder’s screenshot workers, which capture snapshots of customer websites. Since these follow HTTP redirects before taking screenshots and lack restrictions on accessing the internal EC2 metadata service, it became possible to expose AWS credentials for available roles.
Leveraging this vulnerability, a public web server was set up to redirect to the EC2 metadata service endpoint. When a worker took a screenshot of this server, it captured the list of available roles, revealing sensitive information. Through further modification, Thatcher obtained actual credentials for a specific role.
Thatcher notified the DevOps team and tried to fix the issue by implementing network-level restrictions to prevent the “screenshotting tool from accessing the metadata service”, the blog read.
Daniel also switched workers to using IMDSv2, thinking this would prevent the attack by making it compulsory to include a token in a header in all requests to the metadata service by making a PUT request to a specific endpoint on the metadata service.
With HTTP redirects, such as those Intruder’s screenshot workers were following, it isn’t possible to set headers, make PUT requests or view their responses. That’s when it occurred to him that DNS rebinding could potentially enable them to bypass restrictions on major browsers and private network requests.
In browsers, traditional DNS rebinding allows attackers to access internal network services by tricking victims into loading a malicious website. However, given that modern web applications are driving headless browsers for their functionality, it’s become a useful tool for attacking web apps by returning both public (attacker-controlled) and target server IP addresses.
The attack relies on the browser first communicating with the public server and loading the attacker’s page. The attacker’s server then blocks traffic, forcing the browser to fall back to the target server, allowing JavaScript on the attacker’s page to send requests to the target server with the same origin.
The extracted credentials had minimal permissions and limited potential damage, but service disruption was possible. They could prevent further digging into AWS and possible harm by limiting access to other HTTP services.
Thatcher concluded that multiple security layers could minimise the attack surface even if the vulnerability was exploited. The screenshot worker vulnerability was patched with IMDSv2 implementation.
Strengthen Your Security Before External Threats Strike
Conducting ethical hacking or penetration testing, wherein you intentionally hack into your own network to identify security vulnerabilities, is a proactive and strategic approach to bolstering cybersecurity defences.
By simulating real-world attack scenarios, organizations can gain valuable insights into potential weaknesses that could be exploited by malicious actors. This self-imposed testing allows for the discovery of vulnerabilities before they can be maliciously leveraged by external threats.
Understanding these weaknesses enables organizations to implement strong security measures, apply necessary patches, and strengthen their defences, ultimately reducing the risk of unauthorized access, data breaches, or other cyber threats.
Simply put, hacking oneself provides an opportunity to address vulnerabilities beforehand, ensuring a more secure network environment before adversaries have a chance to exploit identified vulnerabilities.
RELATED ARTICLES
- Cybersecurity firm exposes 5 billion data breach records
- Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm
- WH National Cybersecurity Strategy: Software Firms Liable for Breaches
- Cybersecurity firm Stormshield breach; customer data, source code stolen
- LockBit 3.0 Posts Dubious Claims of Darktrace Cybersecurity Firm Breach