{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dns-rebinding/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["aVideo (\u003c= 29.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","avideo","dns-rebinding"],"_cs_type":"advisory","_cs_vendors":["wwbn"],"content_html":"\u003cp\u003eAVideo, version 29.0 and earlier, contains a Server-Side Request Forgery (SSRF) vulnerability due to insufficient validation of user-supplied URLs. Specifically, the \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function, intended to prevent SSRF attacks, fails to account for HTTP redirects. This allows an attacker to bypass the intended security checks by providing a URL that initially appears safe but redirects to an internal resource, such as cloud metadata endpoints (169.254.169.254). Additionally, multiple callers of \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e discard the \u003ccode\u003e$resolvedIP\u003c/code\u003e parameter, creating a Time-of-Check Time-of-Use (TOCTOU) race condition exploitable via DNS rebinding. Attackers can manipulate DNS resolution to access internal services (127.0.0.1) that would otherwise be protected. Successful exploitation can lead to the disclosure of sensitive information, such as IAM credentials and internal service details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL pointing to a server they control.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server responds with a 302 redirect to an internal resource (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the initial malicious URL to a vulnerable AVideo endpoint (e.g., \u003ccode\u003e/plugin/AI/receiveAsync.json.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e function validates the initial URL, which resolves to a public IP address, and incorrectly passes the check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efile_get_contents()\u003c/code\u003e function, without proper redirect restrictions, follows the 302 redirect to the internal resource.\u003c/li\u003e\n\u003cli\u003eThe request is made to the internal resource, bypassing the intended SSRF protections.\u003c/li\u003e\n\u003cli\u003eThe internal resource (e.g., cloud metadata) responds with sensitive information.\u003c/li\u003e\n\u003cli\u003eThe sensitive information (e.g., IAM credentials) is stored as a video thumbnail or image within the application, accessible to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an authenticated attacker to force the AVideo server to make HTTP requests to arbitrary internal hosts. This includes cloud metadata endpoints (e.g., 169.254.169.254), potentially leading to the exfiltration of IAM credentials and instance identity information. Attackers can also access internal services on localhost (127.0.0.1) or the private network, such as databases, admin panels, and monitoring systems. The exfiltrated data can be retrieved through the application\u0026rsquo;s public interface, increasing the severity of the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix by routing affected files through \u003ccode\u003eurl_get_contents()\u003c/code\u003e to safely handle redirects, as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003eAs an alternative to using \u003ccode\u003eurl_get_contents()\u003c/code\u003e, implement an explicit no-redirect context when calling \u003ccode\u003efile_get_contents()\u003c/code\u003e to prevent automatic redirect following.\u003c/li\u003e\n\u003cli\u003eUpdate all callers of \u003ccode\u003eisSSRFSafeURL()\u003c/code\u003e to capture the \u003ccode\u003e$resolvedIP\u003c/code\u003e parameter and pass it to a DNS-pinning-aware fetch function using \u003ccode\u003eCURLOPT_RESOLVE\u003c/code\u003e to mitigate DNS rebinding attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing internal IP addresses (169.254.169.254, 127.0.0.1) in the URL, as these may indicate SSRF attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-avideo-ssrf/","summary":"AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied URLs that does not prevent HTTP redirects, and DNS rebinding due to discarded resolved IP addresses.","title":"AVideo SSRF Vulnerability via HTTP Redirect and DNS Rebinding","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Dns-Rebinding","version":"https://jsonfeed.org/version/1.1"}