Blizzard Update Agent - JSON RPC DNS Rebinding

EDB-ID: 43879
Author: Google Security Research
Published: 2018-01-23
CVE: N/A
Type: Local
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

  
The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc's are from a legitimate source, it looks like this:

$ curl -si http://localhost:1120/agent
HTTP/1.0 200 OK
Content-Length: 359

{
"pid" : 3140.000000,
"user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"state" : 1004.000000,
"version" : "2.13.4.5955",
"region" : "us",
"type" : "retail",
"opt_in_feedback" : true,
"session" : "15409717072196133548",
"authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}

This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.

I don't think this design will work because of an attack called "dns rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

To be clear, this means that *any* website can send privileged commands to the agent.

I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:

https://lock.cmpxchg8b.com/rebinder.html

Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:

$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1

Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).

I just wait for the cached response to expire, and then POST commands to the server.

Exploitation would involve using network drives, or setting destination to "Downloads" and making the browser install dlls, datafiles, etc.

I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!

http://lock.cmpxchg8b.com/yah4od7N.html

See screenshot attached of how it's supposed to look.

Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip

Related Posts