- Attackers do not know private network address ranges ahead of time.
- Cross-domain access is restricted by the same-origin policy.
Finding Network Devices

The most common technique is to simply guess common network addresses. This can be quite effective for certain devices like routers. This is why I suggest using non-default IP ranges on home routers. There is also a more sophisticated technique I’ve previously referred to as Smart CSRF. This process uses STUN on supported browsers to recover a local IP. (Interestingly, Chrome may be the only browser supporting this in a current release.)
Working Around the Same-Origin Policy (SOP)

Armed with knowledge of a device IP address, some attacks become quite trivial to carry out. For example, the NETGEAR cgi-bin command injection can be exploited with a simple IMG tag to trigger a GET request. Other attacks, however, require that the attacker has more interaction with the vulnerable system than simply sending data and, therefore, traditional CSRF techniques fail. The same-origin policy prevents attackers from reading this response data, so we must use DNS rebinding. Tavis Ormandy has a domain, rbndr.us, which is running his Simple DNS Rebinding Service, but I opted to create a small Python implementation and varied my approach slightly. Whereas Tavis’ rbndr implementation alternates between targeted addresses, I had better results when my server responded only once with my public IP. My implementation packages a very basic HTTP server and DNS server in about 100 lines of Python. Example output (with my domain name redacted) is shared below:
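The rebinding described above works because the attacker's name first resolves to a public address and then, once the short-lived record expires, to an address on the victim's LAN. A resolver that refuses to hand a private address back for an external name breaks that step (dnsmasq's --stop-dns-rebind option does exactly this). The following is an added example, not code from the post or from the rbndr service: a small monitor over parsed A/AAAA answers that drops private-range answers for non-local names and flags names whose address flips on a short TTL. The answer records and the `.lan`/`.local`/`.home.arpa` local-suffix list are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address ranges an external (public) name should never resolve to.
# Constructed list for the example; extend to match your network.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]

# TTL below which an address change is treated as a rebinding signal.
FLIP_TTL_SECONDS = 60


def is_blocked_address(addr: str) -> bool:
    """True if addr falls in a range that only internal names may use."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


class RebindMonitor:
    """Tracks answers per name and returns a verdict for suspicious ones."""

    def __init__(self, local_suffixes=(".lan", ".local", ".home.arpa")):
        self.local_suffixes = tuple(local_suffixes)
        # name -> list of (timestamp, address) observed so far
        self.history: Dict[str, List[Tuple[float, str]]] = {}

    def _is_local_name(self, name: str) -> bool:
        # Single-label names and names under a local suffix may legitimately
        # map to private addresses (e.g. the router's own hostname).
        return "." not in name or name.endswith(self.local_suffixes)

    def observe(self, name: str, addr: str, ttl: int, now: float) -> Optional[str]:
        """Record one answer; return a verdict string if it should be dropped
        or flagged, else None."""
        name = name.rstrip(".").lower()
        hist = self.history.setdefault(name, [])
        if is_blocked_address(addr) and not self._is_local_name(name):
            # This is the rebinding step itself: a public name now pointing
            # at the LAN. Drop it regardless of what came before.
            return "private-address-for-public-name"
        previous = {a for _, a in hist}
        hist.append((now, addr))
        if previous and addr not in previous and ttl < FLIP_TTL_SECONDS:
            # Public-to-public flips on a tiny TTL are not rebinding by
            # themselves, but they are the pattern a rebinding server uses.
            return "suspicious-fast-flip"
        return None


def run_demo() -> List[Optional[str]]:
    """Replays a constructed sequence of answers through the monitor."""
    monitor = RebindMonitor()
    answers = [
        ("attacker-name.example", "203.0.113.5", 1, 0.0),     # first: public IP
        ("attacker-name.example", "192.168.1.1", 1, 2.0),     # then: LAN IP
        ("router.lan", "192.168.1.1", 300, 0.0),              # local name, fine
        ("cdn.example", "203.0.113.10", 300, 0.0),
        ("cdn.example", "203.0.113.11", 5, 10.0),             # flips on TTL 5
    ]
    return [monitor.observe(*a) for a in answers]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first check is the one that matters for the attack chain in this post; the flip heuristic is only a signal and would produce noise on CDNs with very short TTLs, so it is worth logging rather than blocking on.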
Putting the Pieces Together

As a proof-of-concept, I exploited VERT’s NETGEAR Centria router by combining an authentication bypass with command injection on a form that includes a CSRF token. Successful end-to-end exploitation includes:
- Victim loads an IFRAME from an attacker controlled domain.
- Each IP on the victim’s /24 is queried for a path expected to exist on the router.
- The token value is used to construct a domain name and update the IFRAME location.
- The timer callback makes requests to the crafted domain.
- After the DNS entry expires, the domain is resolved to a LAN IP.
- The timer callback can now fetch the CSRF token with an auth bypass.
- An attack payload is sent with the observed timestamp.
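Steps 5 and 6 of the chain above only work because the router answers a request whose Host header carries the attacker's domain name; once the record has rebound, the browser is talking to the LAN address but still sends the external name. A device web server that accepts only its own addresses and hostnames in Host refuses that request with 421 and the token can never be read (the auth bypass and the injection are separate bugs and still need their own fixes). The following is an added example and not the router's or the post's code: a minimal Python HTTP handler with that Host check. The device addresses and hostnames are hypothetical values constructed for the example.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Hypothetical identity of the device; a real firmware would read these
# from its interface configuration.
DEVICE_ADDRESSES = {"192.168.1.1", "10.0.0.1"}
DEVICE_HOSTNAMES = {"routerlogin.example", "router.lan"}


def parse_host_header(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split 'host[:port]' into (host, port); IPv6 literals are bracketed.
    Returns None for anything malformed so the caller rejects it."""
    value = value.strip().lower()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port_str = rest[1:]
    else:
        host, _, port_str = value.partition(":")
    port = None
    if port_str:
        if not port_str.isdigit():
            return None
        port = int(port_str)
    if not host:
        return None
    return host, port


def host_allowed(host_header: Optional[str]) -> bool:
    """True only if the Host header names this device itself."""
    parsed = parse_host_header(host_header or "")
    if parsed is None:
        return False
    host, _port = parsed
    if host in DEVICE_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Any other DNS name, including a rebound attacker domain, is refused.
        return False
    return str(ip) in DEVICE_ADDRESSES


class RebindGuardHandler(BaseHTTPRequestHandler):
    """Rejects requests that arrive under a foreign Host before routing them."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the request was not meant for this origin.
            self.send_error(421, "Misdirected Request")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device admin page placeholder\n")

    do_POST = do_GET


def serve(port: int = 8080) -> None:
    HTTPServer(("0.0.0.0", port), RebindGuardHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The check deliberately ignores the port, since the router may be reached on several, and it matches the parsed IP literal rather than the raw string so that bracketed IPv6 forms are compared consistently.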