DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)

Posted: Mon Jan 13, 2025 4:32 am
by Shane1145
DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices) (High) (CVE-2022-32212, CVE-2018-7160)
The fix for CVE-2022-32212 covered the cases for routable IP addresses; however, there exists a specific behavior on macOS devices when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain.


https://hackerone.com/reports/1714979
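
As an added illustration (not code from the post above or from Node.js), here is a defensive Host-header allowlist for a debug endpoint bound to loopback. It accepts only `localhost` and strictly parsed loopback literals, so `.local` names and `0.0.0.0` are refused; the function names and sample headers are constructed for this example.

```javascript
// Added example: Host-header allowlist for a debug endpoint bound to loopback.
// All names below are hypothetical; this is not Node.js's inspector code.

const ALLOWED_NAMES = new Set(['localhost']);

// One decimal octet with no leading zeros, so octal-looking forms are rejected.
const OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4_RE = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

// Split "host", "host:port" or "[v6]:port"; return null for anything malformed.
function splitHostPort(header) {
  if (typeof header !== 'string') return null;
  const m = header.startsWith('[')
    ? /^\[([0-9a-fA-F:.]+)\](?::(\d{1,5}))?$/.exec(header)
    : /^([^:\s\/@\[\]]+)(?::(\d{1,5}))?$/.exec(header);
  return m ? { host: m[1].toLowerCase(), port: m[2] } : null;
}

// Only 127.0.0.0/8 and ::1 are loopback. 0.0.0.0 parses as a valid
// IPv4 literal but is not loopback, so it is not allowed.
function isLoopbackLiteral(host) {
  if (IPV4_RE.test(host)) return host.split('.')[0] === '127';
  return host === '::1';
}

// Allow a request only if its Host header names loopback explicitly.
function isAllowedHost(header) {
  const parsed = splitHostPort(header);
  if (!parsed) return false;
  return ALLOWED_NAMES.has(parsed.host) || isLoopbackLiteral(parsed.host);
}

// Constructed sample Host headers (not taken from the report).
const SAMPLE_HOSTS = [
  'localhost:9229', '127.0.0.1:9229', '[::1]:9229',
  '0.0.0.0:9229', 'printer.local:9229', '127.0.0.1.attacker.example',
];

function checkSamples() {
  return SAMPLE_HOSTS.map((h) => [h, isAllowedHost(h)]);
}

console.log(checkSamples());
```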