Ethereum clients found to be vulnerable to DNS rebind attack

A DNS rebinding exploit against Geth (and other Ethereum clients) was recently found and shared on Hacker News. The exploit allows an attacker to reach the JSON-RPC interface of the Ethereum client by way of DNS rebinding. The repercussions are severe, as it gives the attacker complete control over your Ethereum client.

The Ethereum Foundation has reportedly been made aware of the issue, though it does not appear to regard the attack as a real threat.

“This has been reported to the ethereum foundation but they don’t consider it a valid vulnerability.” – End of @ret2got’s blog post on the issue.

How does it work?

This attack makes use of something called DNS rebinding. DNS, or Domain Name System, is what allows computers to use names, called domains, to reach servers. It works by having a server that acts like a phone book, allowing other computers to look up the IP address (phone number) of a domain (person). For example, the link blockexplorer.com/news tells your computer to fetch the page ‘news’ from the server that blockexplorer.com points to (104.25.81.112 at the time of writing).

A critical part of how this attack works is that the attacker makes their own server the phone book (the DNS server) for a domain they control. DNS rebinding itself refers to the practice of changing a domain’s address between lookups.

When you connect to the attacker’s website, your computer first asks the internet where it can look up the address of that domain. The internet responds with “Go ask this server”, pointing your computer at the attacker’s DNS server. On that first interaction, the attacker’s DNS server responds with the correct address for its website.

Now that you’ve loaded the attacker’s webpage, the attack can start. The attacker’s server gives your computer a webpage with some malicious JavaScript on it, and this JavaScript is what attacks your Ethereum client. When the JavaScript runs, your computer looks up the domain again, but this time the attacker’s DNS server says that the domain points to the special address 127.0.0.1 instead of the real address. The special address 127.0.0.1 is also referred to as localhost: any request sent to it is directed back to the computer it came from. That lets the malicious JavaScript talk to your Ethereum client, and control it completely.

Why does this attack work?

Normally, your browser stops requests from a webpage going anywhere other than the server the webpage came from (the same-origin policy). This attack works because your browser thinks it is still talking to the server the webpage came from: the domain name never changed, only the address it was bound to was swapped while the page was open.
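To make the mechanism above concrete from the defender’s side, here is an added example (not code from this article, nor from the blog post it reports on) that audits a resolver log and flags the attack’s second lookup, where a public domain name suddenly resolves to 127.0.0.1 or another internal address. The log format, the domain names and the IP addresses are constructed for the example.

```python
import ipaddress

# Ranges that no public hostname should legitimately resolve to. The list is
# constructed for this example; extend it with your own internal prefixes.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback ("localhost")
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this host"; reaches localhost on some stacks
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
]

def points_inside(ip):
    """True if a DNS answer lands in a loopback, private or link-local range."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot bypass the list.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)

def classify_answer(ip, previous_ip=None):
    """Verdict for one answer: 'rebind' if the name resolves to an internal
    address (the attack's second lookup), 'changed' if it moved to a different
    public address (normal for CDNs, but worth logging), otherwise 'ok'."""
    if points_inside(ip):
        return "rebind"
    if previous_ip is not None and previous_ip != ip:
        return "changed"
    return "ok"

# Constructed resolver log: the attacker's domain first answers with its real
# (public) address and a 1-second TTL, then flips to 127.0.0.1 on re-lookup.
SAMPLE_LOG = """\
2018-06-10T12:00:00Z query=attacker.example type=A answer=203.0.113.5 ttl=1
2018-06-10T12:00:00Z query=cdn.example type=A answer=198.51.100.7 ttl=300
2018-06-10T12:00:03Z query=attacker.example type=A answer=127.0.0.1 ttl=1
2018-06-10T12:00:05Z query=cdn.example type=A answer=198.51.100.8 ttl=300
""".splitlines()

def parse_line(line):
    """Split the 'key=value' fields after the timestamp into (name, ip, ttl)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["query"], fields["answer"], int(fields["ttl"])

def audit_lookups(lines):
    """Walk the log in order, remembering the last answer per name, and return
    (name, ip, ttl, verdict) for every answer that is not plain 'ok'."""
    last_seen = {}
    findings = []
    for line in lines:
        name, ip, ttl = parse_line(line)
        verdict = classify_answer(ip, last_seen.get(name))
        if verdict != "ok":
            findings.append((name, ip, ttl, verdict))
        last_seen[name] = ip
    return findings

if __name__ == "__main__":
    for name, ip, ttl, verdict in audit_lookups(SAMPLE_LOG):
        print(f"{verdict:8} {name} -> {ip} (ttl={ttl})")
```

The verdict keys on the answer address rather than on the TTL: the very short TTL on the first answer is what lets the browser re-resolve quickly, but short TTLs are common for legitimate services too, so a TTL-only rule is noisy. Resolvers such as dnsmasq offer an equivalent built-in filter for answers in internal ranges; the audit above is the same idea applied after the fact to a log.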

Proof of concept

The blog post also included a proof-of-concept link that demonstrates the attack by listing the Ethereum addresses on your computer, and their balances, when you connect to it. We will refrain from linking the proof of concept, but it is easy to find on the blog for those interested.

Mitigation

The best mitigation at the moment is to use a NoScript plugin, which stops JavaScript from running altogether, though this may break some web pages. Otherwise, make sure not to follow any suspicious links.
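The mitigation above is client-side. The check a node operator would want on the server side, added here as an example that is not code from the article, the blog post or any Ethereum client, is to validate the HTTP Host header on the RPC port: a rebound page still sends the attacker’s domain in Host, because the browser believes it is talking to that domain, so a local node that only accepts a known set of hostnames refuses the request before it is parsed. The allowlist, the error codes and the `dispatch` callback standing in for the node’s method table are all assumptions of this example.

```python
import json

# Hosts a local node operator expects the RPC port to be reached as. Constructed
# for this example; "localhost" is what a local wallet or dapp would send.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})

def host_from_header(host_header):
    """Return the host part of a Host header without the port, lower-cased:
    'localhost:8545' -> 'localhost', '[::1]:8545' -> '[::1]'.
    Returns None for an empty or malformed value."""
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):            # bracketed IPv6 literal
        end = value.find("]")
        return value[: end + 1] if end != -1 else None
    return value.split(":", 1)[0] or None

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    host = host_from_header(host_header)
    return host is not None and host in allowed

def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle_request(headers, body, dispatch, allowed=ALLOWED_HOSTS):
    """Process one HTTP request to the RPC port and return (status, response).

    headers  : dict of HTTP headers as received (name lookup is case-insensitive)
    body     : raw request body (JSON-RPC 2.0)
    dispatch : callable(method, params) supplied by the node; only reached once
               the Host check has passed
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if not host_allowed(host, allowed):
        # A rebound page still carries the attacker's domain in Host, because the
        # browser believes it is talking to that domain. Refuse before parsing.
        return 403, jsonrpc_error(None, -32000, "invalid host specified")
    try:
        req = json.loads(body)
    except ValueError:
        return 400, jsonrpc_error(None, -32700, "parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        return 400, jsonrpc_error(None, -32600, "invalid request")
    result = dispatch(req["method"], req.get("params", []))
    return 200, {"jsonrpc": "2.0", "id": req.get("id"), "result": result}

if __name__ == "__main__":
    # Constructed stand-in for the node's method table.
    def demo_dispatch(method, params):
        return ["0x" + "00" * 20] if method == "eth_accounts" else None

    body = '{"jsonrpc":"2.0","id":1,"method":"eth_accounts","params":[]}'
    print(handle_request({"Host": "localhost:8545"}, body, demo_dispatch))  # accepted
    print(handle_request({"Host": "attacker.example"}, body, demo_dispatch))  # 403
```

The check runs before the body is parsed so that an unexpected host never reaches the method table. Geth’s own later defense, the `--rpcvhosts` allowlist, works on the same principle; that flag is not mentioned in the article above, and the code here is not Geth’s implementation of it.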
