The vulnerability in MobSF's `valid_host()` function arises from improper DNS rebinding protection. The function checks host validity by resolving the domain once with `socket.gethostbyname()`, but it does not revalidate the name on subsequent requests, allowing attackers to bypass the SSRF protections via DNS rebinding.
An attacker crafts a malicious domain that initially resolves to a whitelisted IP (e.g., 1.1.1.1) but later rebinds to a restricted IP (e.g., 127.0.0.1). The initial check passes, but subsequent requests access internal services. The PoC demonstrates this by generating a domain that changes resolution after the first lookup, enabling SSRF exploitation.
DailyCVE Form:
Platform: MobSF
Version: Pre-commit ae34f7c
Vulnerability: SSRF via DNS Rebinding
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploit:
```python
import socket
import time

# PoC: the attacker-controlled name answers with a public IP first, then an internal one (valid_host is MobSF's checker)
malicious_host = "attacker-controlled.rebind.domain"
valid, ip = valid_host(malicious_host)              # initial resolve: 1.1.1.1, check passes
time.sleep(1)
internal_ip = socket.gethostbyname(malicious_host)  # rebinds to 127.0.0.1
```
Protection:
1. Revalidation:
```python
import socket

# The request itself must then connect to the returned ip rather than resolve the name again
def safe_valid_host(host):
    valid, ip = valid_host(host)             # MobSF's original check
    if valid:
        new_ip = socket.gethostbyname(host)  # re-resolve and compare
        if new_ip != ip:
            return False, None               # answer changed: treat as rebinding
    return valid, ip
```
2. DNS Cache:
Flush DNS cache (Linux):
```bash
sudo systemd-resolve --flush-caches
```
3. Network Hardening:
Block outbound DNS to untrusted servers:
```bash
# Drops all outbound UDP/53; ACCEPT rules for the trusted resolvers must come before it
iptables -A OUTPUT -p udp --dport 53 -j DROP
```
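Added example (not MobSF's code) covering both the vulnerability described above and the revalidation fix in item 1: resolve the name once, reject the host if any answer is non-public, and pin the validated address for the actual connection, since comparing two lookups only narrows the window. The resolver is injectable so a rebinding domain can be simulated offline; `resolve_and_pin`, `double_resolve_check` and `make_rebinding_resolver` are hypothetical names.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
# Added example, not MobSF's code: resolve once, validate every answer,
# then pin the validated address so a later rebind has nothing to change.
Resolver = Callable[[str], List[str]]

def is_public_address(ip_str: str) -> bool:
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses, v4 and v6."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:127.0.0.1 so an IPv4-mapped loopback is judged as 127.0.0.1
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers the OS returns for host (real network lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def resolve_and_pin(host: str, resolver: Resolver = system_resolver) -> Tuple[bool, Optional[str]]:
    """Resolve once; reject if ANY answer is non-public; return the address
    the client must connect to (hostname goes only in Host header / SNI)."""
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return False, None
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, None
    return True, addrs[0]

def double_resolve_check(host: str, resolver: Resolver) -> bool:
    """The 'resolve twice and compare' pattern, modelled for comparison:
    a rebind after the second lookup still wins if the client resolves again."""
    first = resolver(host)
    if not all(is_public_address(a) for a in first):
        return False
    return resolver(host) == first

def make_rebinding_resolver(answers: List[str]) -> Resolver:
    """Constructed stand-in for an attacker-controlled DNS server: answer
    answers[i] on the i-th lookup, then keep returning the last entry."""
    state = {"calls": 0}
    def resolver(host: str) -> List[str]:
        idx = min(state["calls"], len(answers) - 1)
        state["calls"] += 1
        return [answers[idx]]
    return resolver
```

With a simulated domain answering 1.1.1.1 then 127.0.0.1, `resolve_and_pin` hands back 1.1.1.1 and the later rebind is never consulted, while a domain that stays public for two lookups and rebinds on the third passes `double_resolve_check` yet resolves to 127.0.0.1 at connect time.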
Analytics:
- Attack Vector: Network
- Complexity: Low
- CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
References:
Reported By: https://github.com/advisories/GHSA-fcfq-m8p6-gw56