{"id":13542159,"url":"https://github.com/taviso/rbndr","last_synced_at":"2025-04-05T11:08:51.147Z","repository":{"id":37271487,"uuid":"50548147","full_name":"taviso/rbndr","owner":"taviso","description":"Simple DNS Rebinding Service","archived":false,"fork":false,"pushed_at":"2020-01-16T22:40:58.000Z","size":23,"stargazers_count":650,"open_issues_count":4,"forks_count":78,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-29T10:06:52.358Z","etag":null,"topics":["dns","dns-rebinding","vulnerability"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/taviso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-28T02:30:17.000Z","updated_at":"2025-03-24T09:44:15.000Z","dependencies_parsed_at":"2022-07-12T09:31:03.227Z","dependency_job_id":null,"html_url":"https://github.com/taviso/rbndr","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Frbndr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Frbndr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Frbndr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Frbndr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/taviso","download_url":"https://codeload.github.com/taviso/rbndr/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247325693,"owners_count":20920714,"icon_
url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-rebinding","vulnerability"],"created_at":"2024-08-01T10:01:02.213Z","updated_at":"2025-04-05T11:08:51.106Z","avatar_url":"https://github.com/taviso.png","language":"C","readme":"# rbndr\nSimple DNS Rebinding Service\n\nrbndr is a very simple, non-conforming, name server for testing software against DNS rebinding vulnerabilities. The server responds to queries by randomly selecting one of the addresses specified in the hostname and returning it as the answer with a very low TTL.\n\nhttps://en.wikipedia.org/wiki/DNS_rebinding\n\nDNS rebinding is a form of TOCTOU (time of check, time of use) vulnerability. You would use it if you have a service that uses \"preflight\" checks incorrectly to modify security properties. For example, consider a (fictional) browser plugin that has an API like this:\n\n```\nAllowUntrustedAccess(\"foobar.com\");\nSendArbitraryRequests(\"foobar.com\");\n```\n\nAnd `AllowUntrustedAccess()` simply sends a preflight HTTP request to the host:\n\n```\nGET /CanIDisableSecurity HTTP/1.1\n```\n\nIf the service returns 200, then the plugin allows the host page complete access to that hostname. This might be a security vulnerability, because you can specify a rbndr hostname that will switch between a host you control and a host you don't. The plugin might allow complete access to an arbitrary IP address (e.g. 
an internal service, or localhost) even if that service would not normally permit the preflight check.\n\nThis might sound unrealistic, but that's exactly how Adobe Flash, Oracle Java and lots of other products worked in the past, and many other products still work.\n\nRead about how Adobe tried to resolve this problem in Flash here: https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html\n\nFor software that is vulnerable to this class of attack, rbndr is an easy way to test without having to modify `/etc/hosts` or set up your own nameserver. If the software associates the result with just the *hostname* and not the hostname and IP address, then you can grant yourself access to any IP address.\n\nThe format for hostnames is simply:\n\n```\n\u003cipv4 in base-16\u003e.\u003cipv4 in base-16\u003e.rbndr.us\n```\n\nBut you can use this website to convert from dotted quads if you prefer:\n\nhttps://lock.cmpxchg8b.com/rebinder.html\n\n\nFor example, to switch between `127.0.0.1` and `192.168.0.1` you would encode them as dwords, and then use:\n\n```\n7f000001.c0a80001.rbndr.us\n```\n\nLet's test it out:\n\n```\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 192.168.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 192.168.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 192.168.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 127.0.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 127.0.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 192.168.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 127.0.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 127.0.0.1\n$ host 7f000001.c0a80001.rbndr.us\n7f000001.c0a80001.rbndr.us has address 192.168.0.1\n\n```\n\nAs you can see, the server randomly returns one of the addresses. 
You might do something like this (in pseudo-code):\n\n```\n// Keep calling the API until it resolves to the address you control and you are granted access\nwhile (AllowUntrustedAccess(\"7f000001.c0a80001.rbndr.us\") != true)\n  ;\n\n// Access granted, now wait for it to re-bind\nwhile (ConnectToPort(\"7f000001.c0a80001.rbndr.us\", 123) != true)\n  ;\n\n// Now you have access to localhost:123 even though localhost did not opt-in to reduced security.\nSomethingEvil();\n```\n\n","funding_links":[],"categories":["Exploitation","C"],"sub_categories":["Server Side Request Forgery"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Frbndr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftaviso%2Frbndr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Frbndr/lists"}