WeKnora DNS Rebinding Vulnerability in web_fetch Tool Allows Server-Side Request Forgery
Vulnerability
A DNS rebinding vulnerability has been identified in the WeKnora framework, in versions through 0.2.14, within the web_fetch tool. It allows an unauthenticated attacker to bypass the tool's URL validation and reach internal server resources, including services on private IP addresses. The root cause is incomplete DNS pinning: the hostname is resolved and checked once, then resolved again when the request is actually made, which opens a time-of-check-to-time-of-use (TOCTOU) window. By controlling a domain that resolves to a public IP during validation and to a private IP when the request is executed, an attacker can reach sensitive local services and potentially exfiltrate data. The vulnerability has been patched in version 0.3.0.
Impact
Exploitation results in server-side request forgery (SSRF): the attacker can reach internal services and resources that are normally restricted to the internal network. In cloud environments this can include instance metadata endpoints that hand out credentials and secrets.
Reproduction
To reproduce this vulnerability, run a DNS rebinding server that answers the first query for an attacker-controlled domain with a public IP and every subsequent query with a private IP. Start a local HTTP server on a port that should not be reachable from outside, and delegate the malicious domain to the rebinding server. With the web_fetch tool enabled, prompt it to fetch content from that domain. The validation check sees the public IP and passes; the actual request resolves the name again, receives the private IP, and the tool returns the local server's content, demonstrating that internal resources are reachable through the rebinding attack.
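The following program is an added illustration of the check-then-fetch flaw described above and of the reproduction steps; it is not WeKnora's code and does not reproduce the project's actual web_fetch implementation. It is written in Go (the language of WeKnora's backend) and runs offline: the attacker's DNS server is simulated by an in-process resolver that answers the first query with a public address and later queries with a private one, the "restricted local service" is an httptest server on the loopback interface, and the name attacker.example and the addresses 203.0.113.10 (a documentation range) and 127.0.0.1 are assumptions chosen for the demonstration. fetchTOCTOU re-resolves the name inside the dialer, exactly the gap the advisory describes, and therefore hands back the internal content; fetchPinned resolves once, validates that answer, and dials the pinned address, so the second DNS answer never matters. The redirect block in the hardened version is an extra caveat of this example, not something the advisory states: a client that follows redirects would otherwise resolve a new hostname after the check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Resolver stands in for DNS so the rebinding sequence can be replayed offline.
type Resolver func(host string) (net.IP, error)

// rebindingResolver models the attacker's authoritative server from the reproduction
// steps: the first query for name gets a public address, every later query gets a
// private one. Other names are refused; no real DNS is consulted.
func rebindingResolver(name string, first, later net.IP) Resolver {
	var mu sync.Mutex
	queries := 0
	return func(host string) (net.IP, error) {
		if host != name {
			return nil, fmt.Errorf("no answer for %q", host)
		}
		mu.Lock()
		defer mu.Unlock()
		queries++
		if queries == 1 {
			return first, nil
		}
		return later, nil
	}
}

// disallowed rejects every address a web-fetch tool must never reach.
func disallowed(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// fetchTOCTOU is the vulnerable pattern: the host is resolved and checked, but the HTTP
// client resolves it again when dialing, so a rebinding name passes the check and the
// request goes to whatever the second DNS answer is.
func fetchTOCTOU(resolve Resolver, host, port string) (string, error) {
	ip, err := resolve(host) // time of check
	if err != nil {
		return "", err
	}
	if disallowed(ip) {
		return "", errors.New("blocked: private address")
	}
	client := &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			h, p, _ := net.SplitHostPort(addr)
			again, err := resolve(h) // time of use: second lookup returns the private IP
			if err != nil {
				return nil, err
			}
			d := net.Dialer{Timeout: time.Second}
			return d.DialContext(ctx, network, net.JoinHostPort(again.String(), p))
		},
	}}
	return get(client, host, port)
}

// fetchPinned resolves exactly once, checks that answer, and dials that address; the name
// is never looked up again, so a later DNS answer cannot redirect the connection.
func fetchPinned(resolve Resolver, host, port string) (string, error) {
	ip, err := resolve(host)
	if err != nil {
		return "", err
	}
	if disallowed(ip) {
		return "", errors.New("blocked: private address")
	}
	pinned := net.JoinHostPort(ip.String(), port)
	client := &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
				d := net.Dialer{Timeout: time.Second}
				return d.DialContext(ctx, network, pinned) // ignore the hostname in addr
			},
		},
		// A followed redirect would resolve a new host after the check; stop at the first response.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	return get(client, host, port)
}

func get(c *http.Client, host, port string) (string, error) {
	resp, err := c.Get("http://" + net.JoinHostPort(host, port) + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// internalService stands in for the restricted local HTTP server of the reproduction steps.
func internalService() (*httptest.Server, string) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "internal-only data")
	}))
	_, port, _ := net.SplitHostPort(srv.Listener.Addr().String())
	return srv, port
}

func main() {
	srv, port := internalService()
	defer srv.Close()
	public, private := net.ParseIP("203.0.113.10"), net.ParseIP("127.0.0.1")
	body, err := fetchTOCTOU(rebindingResolver("attacker.example", public, private), "attacker.example", port)
	fmt.Printf("vulnerable: body=%q err=%v\n", body, err) // leaks the internal content
	body, err = fetchPinned(rebindingResolver("attacker.example", public, private), "attacker.example", port)
	fmt.Printf("pinned:     body=%q err=%v\n", body, err) // dials 203.0.113.10 and fails, never loopback
}
```

The pinned variant is still only one layer: it should be paired with the same private-address check on every redirect hop and with egress filtering on the host, since a single resolve-and-check in application code is exactly the piece that was incomplete here.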
Remediation
Update WeKnora to version 0.3.0 or later, where this vulnerability has been patched. Deployments that cannot upgrade immediately should keep the web_fetch tool disabled or restrict the server's outbound network access so that it cannot reach internal addresses.