DNS Rebinding Vulnerability In MITMWEB Interface Allows Remote Python Script Execution

The CVE-2018-14505 label was given to a vulnerability discovered in Mitmproxy’s web-based user interface, mitmweb. The vulnerability was initially encountered by Josef Gajdusek in Prague who described that the lack of protection against DNS rebinding in the mitmweb interface could lead to malicious websites accessing data or remotely running arbitrary Python scripts on the file system by setting the scripts config option.

A proof of concept was also provided by Gajdusek to showcase a possible exploit.

This proof of concept was based upon another closely related generic proof of concept by Travis Ormandy.

It seems that the best way to mitigate this immediately is by making the hostname match ‘(localhost|\d+\.\d+\.\d+\.\d+)’ so that users can avoid the DNS rebinding vulnerability whilst being able to access mitmweb from other hosts as well. A more permanent solution would entail the adoption of a jupyter-style solution in which the web interface would be password protected and would pass an access token to the webbrowser.open call. Host header based whitelist could also be implemented to achieve the same effect allowing localhost or IP address access by default. An ipv6 supporting code to improve protection against DNS rebinding was written by the mitmproxy developer and PhD student Maximilian Hils in response to the registration of this vulnerability with CVE MITRE.

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.