From: Lizzie Dixon <_@lizzie.io>
To: guile-user@gnu.org
Cc: guile-devel@gnu.org
Newsgroups: gmane.lisp.guile.user,gmane.lisp.guile.devel
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Fri, 14 Oct 2016 14:55:51 -0700
Message-ID: <20161014215551.GA31883@lizzie.io>
In-Reply-To: <87k2dfc7dd.fsf@dustycloud.org>

Hi,

On 10/11, Christopher Allan Webber wrote:
> The default in Guile has been to expose a port over localhost to which
> code may be passed. The assumption for this is that only a local user
> may write to localhost, so it should be safe. Unfortunately, users
> simultaneously developing Guile and operating modern browsers are
> vulnerable to a combination of an HTML form protocol attack [1] and a
> DNS rebinding attack [2]. How to combine these attacks is published in
> the article "How to steal any developer's local database" [3].
>
> In Guile's case, the general idea is that you visit some site which
> presumably loads some JavaScript code (or tricks the developer into
> pressing a button which performs a POST), and the site operator switches
> the DNS from their own IP to 127.0.0.1. Then a POST is done from the
> website to 127.0.0.1 with the body containing Scheme code. This code is
> then executed by the Guile interpreter on the listening port.

You don't need to rebind DNS to exploit this bug, or other bugs like it.
I wrote some details here:

Best,
Lizzie.
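Added illustration (in Python; not part of the original message, and not Guile's code or the fix referenced in the subject line) of the protocol confusion the quoted description relies on, and of one common mitigation for this class of bug: a plain-text listener that evaluates whatever lines arrive will eventually reach the body of a browser-submitted form POST, while a listener that checks whether a connection opens with an HTTP request line can refuse it before anything is evaluated. The wire sample, port number and function names are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of what a browser form submission looks like on the wire
# when it reaches a plain-text listener on the loopback interface. The port and
# the body are made up for this illustration.
FORM_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:1234\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"(display 1)"
)

# What a local user typing at the socket would send (constructed).
LOCAL_INPUT = b"(+ 1 2)\n"

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
REQUEST_LINE = re.compile(
    rb"^(?:" + b"|".join(HTTP_METHODS) + rb") \S+ HTTP/\d\.\d$")


def looks_like_http(first_line: bytes) -> bool:
    """True when the first line a client sent is an HTTP request line."""
    return REQUEST_LINE.match(first_line.rstrip(b"\r\n")) is not None


def naive_repl_lines(stream: bytes) -> list[bytes]:
    """Vulnerable shape: every non-empty line is handed to the evaluator.
    The header lines fail to parse as Scheme, but the body still arrives."""
    return [line.rstrip(b"\r") for line in stream.split(b"\n") if line.strip()]


def guarded_repl_lines(stream: bytes) -> Optional[list[bytes]]:
    """Mitigated shape: if the connection opens with an HTTP request line,
    hand nothing to the evaluator (the caller then closes the socket)."""
    first_line, _, _ = stream.partition(b"\n")
    if looks_like_http(first_line):
        return None
    return naive_repl_lines(stream)
```

The check is deliberately placed on the first line only, because by the time a line-oriented evaluator has skipped past the headers it has already consumed the request and is about to read the body.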