rebindMultiA: tool to perform a Multiple A Record Rebind attack

by do son · Published May 14, 2023 · Updated May 15, 2023

rebindMultiA

rebindMultiA is a tool to perform a Multiple A Record rebind attack.

rebindmultia.com is a domain that I’ve set up to assist with these attacks. It makes every IP its own authoritative nameserver for the domain [IP].ns.rebindmultia.com. For example, 13.33.33.37.ns.rebindmultia.coms’ authoritative nameserver is 13.33.33.37.ip.rebindmultia.com which resolves (as you might have guessed) to 13.33.33.37.

Multiple A Record Rebind Attack

The Multi A Record Rebind attack is a variant of DNS Rebinding that weaponizes an attacker’s ability to respond with two IP addresses in response to a DNS request and the browser’s tendency to fallback to the second IP in the DNS response when the first one doesn’t respond. In this attack, the attacker will configure a malicious DNS server and two malicious HTTP servers. The DNS server will respond with two A records:

127.0.0.1.target.13.33.33.37.ns.rebindmultia.com. 0 IN A 13.33.33.37
127.0.0.1.target.13.33.33.37.ns.rebindmultia.com. 0 IN A 127.0.0.1

The victim browser will then connect to the first IP and begin interacting with the attacker’s first malicious HTTP server. This server will respond with a page that contains two iframes, one to /steal and one to /rebind. The /steal iframe will load up a malicious page to reach into the second iframe and grab the content. The /rebind endpoint, when hit, will issue a 302 redirect to / and kill the first malicious HTTP server. As a result, when the browser reaches back out to the attacker’s HTTP server, it will be met with a closed port. As such, it will fallback to the second IP. Once the target content has been loaded in the second iframe, the first iframe can reach into it, steal the data, and exfiltrate it to the attacker’s second malicious HTTP server – the callback server.

This attack only works in a Windows environment. Linux and Mac will default to the private IP first and the attacker’s server will never be queried.

Graphic + Explaination

The browser resolves the host 127.0.0.1.target.13.33.33.37.ns.rebindmultia.com.
The DNS server (included in server.py) parses the requested dns name and returns two A records: 13.33.33.37 and 127.0.0.1.
The victim’s browser reaches out to the attacker’s malicious HTTP server (included in server.py) and loads the /parent page which has two iframes.
The victim’s browser loads /steal from the attacker’s malicious HTTP server.
The victim’s browser loads /rebind which results in a 302 redirect to / (the HTTP server will exit after this request).
The victim’s browser redirects to / per the 302 from the attacker’s server.
The victim’s browser attempts to load / from the attacker’s (now dead) HTTP server but fails to do so.
The browser then shifts to the second IP in the DNS cache and resolves the hostname to 127.0.0.1. It then reaches out to that server and loads up the page in the iframe.
The attacker’s steal iframe reaches into the newly loaded second iframe and grabs the content.
The attacker’s steal iframe then sends the results back to the attacker’s callback server.