From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Lizzie Dixon <_@lizzie.io>
Newsgroups: gmane.lisp.guile.user,gmane.lisp.guile.devel
Subject: Re: Guile security vulnerability w/ listening on localhost + port
	(with fix)
Date: Fri, 14 Oct 2016 14:55:51 -0700
Message-ID: <20161014215551.GA31883@lizzie.io>
References: <87k2dfc7dd.fsf@dustycloud.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="Q68bSM7Ycu6FN28Q"
X-Trace: blaine.gmane.org 1476482210 1140 195.159.176.226 (14 Oct 2016 21:56:50 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Fri, 14 Oct 2016 21:56:50 +0000 (UTC)
User-Agent: Mutt/1.6.0 (2016-04-01)
Cc: guile-devel@gnu.org
To: guile-user@gnu.org
Original-X-From: guile-user-bounces+guile-user=m.gmane.org@gnu.org Fri Oct 14 23:56:46 2016
Return-path: <guile-user-bounces+guile-user=m.gmane.org@gnu.org>
Envelope-to: guile-user@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <guile-user-bounces+guile-user=m.gmane.org@gnu.org>)
	id 1bvAT6-0007nd-7L
	for guile-user@m.gmane.org; Fri, 14 Oct 2016 23:56:44 +0200
Original-Received: from localhost ([::1]:49591 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <guile-user-bounces+guile-user=m.gmane.org@gnu.org>)
	id 1bvAT2-0005TA-6C
	for guile-user@m.gmane.org; Fri, 14 Oct 2016 17:56:40 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57377)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <_@lizzie.io>)
	id 1bvASe-0005Sf-O7
	for guile-user@gnu.org; Fri, 14 Oct 2016 17:56:17 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <_@lizzie.io>) id 1bvASY-00033d-3d
	for guile-user@gnu.org; Fri, 14 Oct 2016 17:56:15 -0400
Original-Received: from smtp73.iad3a.emailsrvr.com ([173.203.187.73]:54695)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <_@lizzie.io>)
	id 1bvASK-0002x3-H9; Fri, 14 Oct 2016 17:55:56 -0400
Original-Received: from smtp34.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
	by smtp34.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id
	BF3DB24E72; Fri, 14 Oct 2016 17:55:53 -0400 (EDT)
X-Auth-ID: _@lizzie.io
Original-Received: by smtp34.relay.iad3a.emailsrvr.com (Authenticated sender:
	_-AT-lizzie.io) with ESMTPSA id 322EF24E75; 
	Fri, 14 Oct 2016 17:55:53 -0400 (EDT)
X-Sender-Id: _@lizzie.io
Original-Received: from localhost (75-101-102-4.dsl.static.fusionbroadband.com
	[75.101.102.4]) (using TLSv1.2 with cipher AES256-GCM-SHA384)
	by 0.0.0.0:465 (trex/5.7.7); Fri, 14 Oct 2016 17:55:53 -0400
Content-Disposition: inline
In-Reply-To: <87k2dfc7dd.fsf@dustycloud.org>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 173.203.187.73
X-BeenThere: guile-user@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: General Guile related discussions <guile-user.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guile-user>,
	<mailto:guile-user-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guile-user/>
List-Post: <mailto:guile-user@gnu.org>
List-Help: <mailto:guile-user-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guile-user>,
	<mailto:guile-user-request@gnu.org?subject=subscribe>
Errors-To: guile-user-bounces+guile-user=m.gmane.org@gnu.org
Original-Sender: "guile-user" <guile-user-bounces+guile-user=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.lisp.guile.user:12952 gmane.lisp.guile.devel:18720
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.user/12952>


--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On 10/11, Christopher Allan Webber wrote:
> The default in Guile has been to expose a port over localhost to which
> code may be passed.  The assumption for this is that only a local user
> may write to localhost, so it should be safe.  Unfortunately, users
> simultaneously developing Guile and operating modern browsers are
> vulnerable to a combination of an html form protocol attack [1] and a
> DNS rebinding attack [2].  How to combine these attacks is published in
> the article "How to steal any developer's local database" [3].

>=20
> In Guile's case, the general idea is that you visit some site which
> presumably loads some javascript code (or tricks the developer into
> pressing a button which performs a POST), and the site operator switches
> the DNS from their own IP to 127.0.0.1.  Then a POST is done from the
> website to 127.0.0.1 with the body containing scheme code.  This code is
> then executed by the Guile interpreter on the listening port.

You don't need to rebind DNS to exploit this bug, or other bugs like
it. I wrote some details here:

<https://blog.lizzie.io/exploiting-CVE-2016-8606.html>

Best,

Lizzie.

--Q68bSM7Ycu6FN28Q
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYAVRnAAoJEMwYhWkbKfpid/QH/19B9hLPkMZXiQ/lBHgTV1HN
/8YptbrixpEQiaIENFSdKB3NtDhlwwmFnfKBuw8iPadhfn8U3xynuNVi6ydcNcR1
CdqGJnHfNqJJzfERlRdgX3J0jAchHrVLqvtPQKOJiGIrR0NPjGL2pXdWXyWA8uAL
SCyXd/7xndxSzO+DNx+DW/I1qYb+VRwZHfyMteuDLuvQI9x1iQ6okRP40yWTGDxo
8pKd9DUfCyUKW3FUVoBq+gV1Z5a7jdYawBjhDOEt+6EX5bHJDNbpRaQrdapedxfF
Zq0XPJ7B27FZJ8MV0h70iej/EfxUTkOTruWFmac63pdfsSj4vEmj83/FF6ShqjM=
=ISC6
-----END PGP SIGNATURE-----

--Q68bSM7Ycu6FN28Q--