
Common Issues

Roger Meyer edited this page May 3, 2023 · 1 revision

Access to fetch at '..rebind.it/' from origin '..rebind.it' has been blocked by CORS policy

You may see the following CORS error message in the browser console:

Access to fetch at 'http://s-35.185.206.165-192.168.1.1-3211175580-fs-e.d.rebind.it/' from origin 'http://s-35.185.206.165-192.168.1.1-3211175580-fs-e.d.rebind.it' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `private`.

This error is caused by Local Network Access, a new draft W3C specification currently implemented in some browsers such as Chrome. Local Network Access prevents requests from a public network to a less public address space, such as private IP addresses and localhost. We explained Local Network Access and its impact on DNS rebinding in our State of DNS Rebinding 2023 blog post at https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/. The blog post shows two possible ways to bypass Local Network Access:

  1. Using 0.0.0.0 to access services running on a host's loopback and private network interfaces
  2. Using a router's public IP address to access services bound to the router's internal network interface

Local Network Access Bypass using 0.0.0.0

The IP address 0.0.0.0 allows us to access localhost on Linux and macOS systems. During our initial research into DNS rebinding attacks, we documented this attack vector as a way to bypass DNS rebinding protections.

Using the IP address 0.0.0.0 also bypasses local network access protections in Chrome (and its derivatives such as Edge).

This allows us to perform DNS rebinding attacks targeting services listening on the localhost of Linux and macOS systems in Chrome, in approximately 3 seconds.

Local Network Access Bypass using a Router's Public IP Address

In 2010, Craig Heffner discovered and developed a DNS rebinding technique that exploits the weak host model; we covered it during our DEF CON 27 presentation. The technique can be used to bypass Chrome's Local Network Access protection. In this bypass, we access an internal router's web interface (e.g. a WiFi router) through its public IP address instead of its internal (private) IP address.

Most WiFi routers allow access to their management web interface only through the internal interface using the private IP address to prevent access from the Internet. As the router usually has a public IP address assigned, some routers allow access to the web interface through the public IP address if the access comes from the internal network interface (Martian packet).

This allows us to perform DNS rebinding attacks targeting the public IP address where local network access does not apply. We have successfully tested DNS rebinding in Chrome targeting a home router's public IP address. The attack works particularly well with Netgear routers.
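
From the defender's side, both bypasses above come down to DNS answers that a rebinding filter on the resolver lets through. The following sketch is an added example, not code from Singularity or the blog post: it compares an assumed baseline filter (loopback and RFC 1918 only) with one that also drops 0.0.0.0/8 and the network's own public address. The function names and the WAN address 203.0.113.7 are hypothetical; the other two sample addresses are taken from the hostname in the error message above.

```python
import ipaddress

# Assumed baseline: a rebinding filter that only drops loopback and RFC 1918 answers.
CLASSIC = [("loopback", "127.0.0.0/8"), ("private", "10.0.0.0/8"),
           ("private", "172.16.0.0/12"), ("private", "192.168.0.0/16")]
# Additions motivated by the 0.0.0.0 bypass (link-local is commonly filtered too).
EXTRA = [("this-network", "0.0.0.0/8"), ("link-local", "169.254.0.0/16")]


def _match(ip, table):
    """Return the label of the first range containing ip, or None."""
    for label, cidr in table:
        if ip in ipaddress.ip_network(cidr):
            return label
    return None


def classic_verdict(answer):
    """Reason to drop the answer under the baseline rules, or None to allow it."""
    return _match(ipaddress.ip_address(answer), CLASSIC)


def hardened_verdict(answer, own_public_ips=()):
    """Baseline rules plus 0.0.0.0/8 and the network's own public address(es)."""
    ip = ipaddress.ip_address(answer)
    if ip in {ipaddress.ip_address(a) for a in own_public_ips}:
        return "own-public-ip"
    return _match(ip, CLASSIC + EXTRA)


def screen(answers, own_public_ips=()):
    """Return {answer: (baseline verdict, hardened verdict)} for A-record answers."""
    return {a: (classic_verdict(a), hardened_verdict(a, own_public_ips))
            for a in answers}


if __name__ == "__main__":
    WAN_IP = "203.0.113.7"  # constructed: hypothetical router public address
    # Constructed A-record answers a rebinding hostname could return over time.
    sample = ["35.185.206.165", "192.168.1.1", "0.0.0.0", WAN_IP]
    for ans, (old, new) in screen(sample, [WAN_IP]).items():
        print(f"{ans:15} baseline={old or 'allow':10} hardened={new or 'allow'}")
```

Filtering the network's own public address only works while the resolver knows the current value, so on a dynamic WAN address the list has to be refreshed.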