Haxatron1H1:1710652Node.js: DNS rebinding in --inspect via invalid octal IP address
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.3%
Summary
The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.
An example of an octal IP address is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8 number system.
Browsers such as Firefox (tested on latest version m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code
Steps To Reproduce:
- Add entry to /etc/hosts
127.0.0.1 1.09.0.0
- Start
node --inspect - Visit http://1.09.0.0:9229/json on Firefox (tested on m105)
- JSON file shows. This proves Firefox is resolving 1.09.0.0 to 127.0.0.1 via DNS. Additionally, you may use Wireshark to see that Firefox is sending DNS requests to 1.09.0.0 (without the /etc/hosts entry of course!)
Impact
Bypass the DNS rebinding protection for --inspect and execute arbitrary code
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.3%