From: Christopher Allan Webber
Newsgroups: gmane.lisp.guile.user, gmane.lisp.guile.devel
Subject: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Tue, 11 Oct 2016 09:01:18 -0500
Message-ID: <87k2dfc7dd.fsf@dustycloud.org>
To: guile-devel@gnu.org, guile-user@gnu.org
The Guile team has just pushed out a new commit on the Guile stable-2.0 branch addressing a security issue for Guile. There will be a release shortly as well. The commit is 08c021916dbd3a235a9f9cc33df4c418c0724e03, or for web viewing purposes:

http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

Due to the nature of this bug, Guile applications themselves in general aren't vulnerable, but Guile developers are. Arbitrary Scheme code may be used to attack your system in this scenario.

There is also a lesson here that applies beyond Guile: the presumption that "localhost" is only accessible by local users can't be guaranteed by modern operating system environments. If you are looking to provide local-execution-only, we recommend using Unix domain sockets or named pipes. Don't rely on localhost plus some port.

To give context, Guile supports a nice live-hacking feature where a user can expose a REPL to connect to, through Geiser (http://www.nongnu.org/geiser/) or so on. This allows Guile users to hack programs even while those programs are running. The default in Guile has been to expose a port over localhost to which code may be passed. The assumption behind this is that only a local user may write to localhost, so it should be safe.
Unfortunately, users simultaneously developing Guile and operating modern browsers are vulnerable to a combination of an HTML form protocol attack [1] and a DNS rebinding attack [2]. How to combine these attacks is published in the article "How to steal any developer's local database" [3].

In Guile's case, the general idea is that you visit some site which presumably loads some JavaScript code (or tricks the developer into pressing a button which performs a POST), and the site operator switches the DNS from their own IP to 127.0.0.1. Then a POST is done from the website to 127.0.0.1 with the body containing Scheme code. This code is then executed by the Guile interpreter on the listening port.

The version we are releasing mitigates this problem by detecting incoming HTTP connections and closing them before executing any code. However, there is a better long term solution, which is already available even to users of older versions of Guile: Guile supports Unix domain sockets in POSIX environments. For example, users may run the command:

    guile --listen=/tmp/guile-socket

to open and listen on a socket at `/tmp/guile-socket`. Geiser users may then connect using `M-x geiser-connect-local`. This is considerably safer.

We hope that other program authors take heed of this lesson as well: many programs make use of localhost + port as a way of limiting connections. Unfortunately, in today's complex networked environment, this isn't a safe assumption. It's very difficult to predict what programs may provide a way of chaining requests to an application listening on localhost, and certainly difficult on a system where web browsers are involved. Take heed!
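The two mitigations described above, shown together in one small program: a line-oriented server that (a) listens on a Unix domain socket only the owning user can open, and (b) peeks at the first bytes of every connection and closes it without reading further if they look like an HTTP request line. This is an added example written in Python for this page; it is not Guile's own REPL server code and not the referenced commit. The method list, the socket path, and both payloads (a forged browser POST and a genuine REPL line) are constructed for the example; the server never evaluates anything, it only acknowledges accepted lines.

```python
import os
import socket
import stat
import tempfile
import threading

# Request-line prefixes a browser would send. A REPL client never starts its
# first line with one of these (constructed list for this example).
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"PATCH ")


def looks_like_http(first_bytes: bytes) -> bool:
    """True if the opening bytes of a connection read like an HTTP request line."""
    return first_bytes.upper().startswith(HTTP_METHODS)


def handle_connection(conn: socket.socket) -> str:
    """Peek at the first bytes before treating anything as REPL input.

    HTTP-looking traffic is closed without reading any further, so the request
    body is never reached, let alone evaluated. Anything else is acknowledged
    (this toy never evaluates input; a real REPL would hand the line to eval).
    """
    head = conn.recv(16, socket.MSG_PEEK)
    if looks_like_http(head):
        conn.close()
        return "rejected"
    line = conn.recv(4096)
    conn.sendall(b"ok " + line.strip() + b"\n")
    conn.close()
    return "accepted"


def make_private_unix_server(path: str) -> socket.socket:
    """Listen on a Unix domain socket that only the owning user can open."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)       # never world-accessible, even briefly
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)             # connect() needs write permission on the file
    srv.listen(2)
    return srv


def serve_n(srv: socket.socket, n: int, verdicts: list) -> None:
    """Accept n connections in turn and record each verdict."""
    for _ in range(n):
        conn, _addr = srv.accept()
        verdicts.append(handle_connection(conn))


def send_and_receive(path: str, payload: bytes) -> bytes:
    """Connect, send payload, return whatever the server replies before closing."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    cli.sendall(payload)
    chunks = []
    while True:
        try:
            data = cli.recv(4096)
        except ConnectionError:       # server closed with our bytes still unread
            break
        if not data:
            break
        chunks.append(data)
    cli.close()
    return b"".join(chunks)


def demo() -> dict:
    """Run the server in a thread and deliver one forged and one genuine request.

    Both payloads are constructed for this example. Returns the socket file
    mode plus (reply, verdict) for each connection.
    """
    tmpdir = tempfile.mkdtemp()       # created 0700, so the directory is private too
    path = os.path.join(tmpdir, "repl.sock")
    srv = make_private_unix_server(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    verdicts: list = []
    worker = threading.Thread(target=serve_n, args=(srv, 2, verdicts))
    worker.start()
    # What a rebound browser would deliver to a REPL on a TCP port (host and
    # port values constructed for the example):
    forged = (b"POST / HTTP/1.1\r\nHost: 127.0.0.1:37146\r\n"
              b"Content-Length: 13\r\n\r\n(display 42)\n")
    http_reply = send_and_receive(path, forged)
    plain_reply = send_and_receive(path, b"(+ 1 2)\n")
    worker.join()
    srv.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return {"mode": mode,
            "http": (http_reply, verdicts[0]),
            "plain": (plain_reply, verdicts[1])}


if __name__ == "__main__":
    print(demo())
```

Two design points: the check uses MSG_PEEK so the decision is made before a single byte of the request is consumed, and the socket file is created under a restrictive umask and then chmod'ed to 0600, which is what actually enforces "local user only" (filesystem permissions) rather than the address the listener happens to bind.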
[1] https://www.jochentopf.com/hfpa/
[2] https://en.wikipedia.org/wiki/DNS_rebinding
[3] http://bouk.co/blog/hacking-developers/