zui
Security risk: vulnerable to DNS rebinding attacks
Brim listens on port 9867 by default, without authentication and without checking the host, so a DNS rebinding attack can be used to obtain data from Brim.
Attack example
1. The victim opens Brim and imports a pcap for analysis.
2. The analysis turns up a URL; the victim copies it and opens it in a browser (it is a malicious link).
3. The website uses DNS rebinding to attack Brim (port 9867) and obtain data, just like the client would.
Mitigation
- Check the host: only allow localhost or 127.0.0.1, no other hosts are allowed.
- Or use authentication, preferably a randomly generated password.
- Or listen on a random port (this increases the cost of the attack, but it can still be attacked in essence).
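The first mitigation above (reject any request whose Host header is not a local name) as a small Go middleware. This is an added example, not code from the Brim/Zui or zed projects; the port 9867 is taken from the report, and the handler names and the allowed-host set are assumptions. A rebinding page reaches the listener by IP after the DNS record flips, but the browser still sends the attacker's domain in the Host header, which is why comparing Host against a fixed allow-list stops the attack even though the TCP connection is genuinely local.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// allowedHosts is the set of names a browser is permitted to present in the
// Host header. Anything else (an attacker-controlled domain that has been
// rebound to 127.0.0.1) is refused before the request reaches the API.
var allowedHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
}

// HostAllowed reports whether a Host header value names the local machine.
// It tolerates an optional port suffix ("localhost:9867") and IPv6 brackets.
func HostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // strip ":9867"
	}
	host = strings.Trim(host, "[]") // "[::1]" -> "::1"
	return allowedHosts[strings.ToLower(host)]
}

// LocalhostOnly wraps an http.Handler and answers 403 to any request whose
// Host header is not in allowedHosts. (Hypothetical middleware name.)
func LocalhostOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !HostAllowed(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// Binding to the loopback address limits who can connect; the Host check
	// is what defeats rebinding, because a rebound browser connects locally too.
	http.ListenAndServe("127.0.0.1:9867", LocalhostOnly(mux))
}
```

Pairing the Host check with a per-session random token (the second mitigation in the report) is stronger still: the check blocks the rebinding vector, and the token means a request that somehow arrives with an acceptable Host header still cannot read data without a secret the page never had.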
@ttttmr Thank you for bringing this to my attention. I'll be working with the backend zed serve team to find a way to fix this.
Also, thank you for the clear example and the steps to mitigate. That was very helpful.