Mobile Security Framework (MobSF) Server-Side Request Forgery Vulnerability via DNS Rebinding
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Mobile Security Framework (MobSF) version 4.3.1. The issue arises in the 'valid_host()' function, which uses 'socket.gethostbyname()' to resolve hostnames. Because the hostname is resolved once for the check and resolved again when the request is actually made, the function is susceptible to SSRF attacks leveraging DNS rebinding: an attacker who controls the DNS responses can return a public address for the check and a different, internal address for the request, gaining access to internal resources or services.
Impact
Exploitation of this vulnerability allows for general server-side request forgery impacts, where an attacker can make the server perform requests on their behalf, potentially accessing internal services or resources that are not exposed to the public.
Reproduction
The vulnerability can be reproduced by sending a crafted hostname to the 'valid_host()' function. The hostname should be designed to first resolve to a public IP address (such as 1.1.1.1) and then, after the initial resolution, be rebound to a private IP address (like 127.0.0.1) within a 30-second window. This can be achieved by manipulating DNS responses through a DNS server that the attacker controls.
Remediation
Users are advised to update to MobSF version 4.3.2, where this vulnerability has been fixed.
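The pattern described above (validate one DNS answer, then let the HTTP client resolve the name a second time) and the corresponding fix (resolve once, reject any non-public answer, and pin the connection to the validated address) are illustrated here with an added example. This is illustration code written for this page, not MobSF's own 'valid_host()' or its 4.3.2 fix; the function names ('is_public_ip', 'resolve_check_only', 'resolve_and_pin', 'RebindingResolver', 'simulate_fetch') and the hostname 'example.test' are assumptions, and the resolver that changes its answer between calls is a constructed stand-in for an attacker-controlled DNS server so the demonstration runs offline.

```python
import ipaddress
import socket


def is_public_ip(ip: str) -> bool:
    """Return True only for a globally routable address.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that a
    loopback or RFC 1918 address cannot slip past the check in IPv6 clothing.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_check_only(hostname, resolver):
    """Weak pattern (assumed shape of the vulnerable check, not MobSF's code):
    validate the first DNS answer, then hand the *hostname* back, so whatever
    performs the request resolves it again. The two lookups can disagree."""
    ip = resolver(hostname)            # time of check
    if not is_public_ip(ip):
        return None
    return hostname                    # time of use happens later, elsewhere


def resolve_and_pin(hostname, resolver_all):
    """Hardened pattern: resolve once, require every returned address to be
    public, and return the pinned IP so the request never re-resolves."""
    ips = resolver_all(hostname)
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return None
    return ips[0]


def resolve_all(hostname):
    """Real resolver for production use: all A/AAAA answers for a name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


class RebindingResolver:
    """Constructed stand-in for a DNS server whose answer changes between
    lookups: first a public address, afterwards a private one."""

    def __init__(self, first, later):
        self.answers = [first, later]
        self.calls = 0

    def __call__(self, hostname):
        idx = min(self.calls, len(self.answers) - 1)
        self.calls += 1
        return self.answers[idx]


def simulate_fetch(hostname_or_ip, resolver):
    """Stand-in for the HTTP client: re-resolves names, uses literal IPs as given.
    Returns the address the connection would actually go to."""
    try:
        ipaddress.ip_address(hostname_or_ip)
        return hostname_or_ip
    except ValueError:
        return resolver(hostname_or_ip)


def demo():
    """Run both patterns against the same rebinding resolver."""
    r = RebindingResolver("1.1.1.1", "127.0.0.1")
    target = resolve_check_only("example.test", r)
    connected_weak = simulate_fetch(target, r)        # second lookup -> 127.0.0.1

    r2 = RebindingResolver("1.1.1.1", "127.0.0.1")
    target2 = resolve_and_pin("example.test", lambda h: [r2(h)])
    connected_pinned = simulate_fetch(target2, r2)    # pinned -> 1.1.1.1
    return connected_weak, connected_pinned


if __name__ == "__main__":
    print(demo())
```

The important property of 'resolve_and_pin' is that the value it returns is an IP address, not a name: the caller must connect to that address (setting the Host header or SNI to the original hostname) rather than passing the hostname to the HTTP client again. Checking every address returned by 'getaddrinfo', rather than the single answer 'gethostbyname' gives, also closes the case where a name legitimately resolves to a mix of public and private addresses.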
