From: Christopher Allan Webber
Newsgroups: gmane.lisp.guile.user, gmane.lisp.guile.devel
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Sun, 16 Oct 2016 10:05:07 -0500
Message-ID: <87lgxo9vx8.fsf@dustycloud.org>
References: <87k2dfc7dd.fsf@dustycloud.org> <20161014215551.GA31883@lizzie.io>
In-reply-to: <20161014215551.GA31883@lizzie.io>
To: Lizzie Dixon <_@lizzie.io>
Cc: guile-user@gnu.org, guile-devel@gnu.org

Lizzie Dixon writes:

> Hi,
>
> On 10/11, Christopher Allan Webber wrote:
>> The default in Guile has been to expose a port over localhost to which
>> code may be passed. The assumption for this is that only a local user
>> may write to localhost, so it should be safe. Unfortunately, users
>> simultaneously developing Guile and operating modern browsers are
>> vulnerable to a combination of an html form protocol attack [1] and a
>> DNS rebinding attack [2]. How to combine these attacks is published in
>> the article "How to steal any developer's local database" [3].
>
>>
>> In Guile's case, the general idea is that you visit some site which
>> presumably loads some javascript code (or tricks the developer into
>> pressing a button which performs a POST), and the site operator switches
>> the DNS from their own IP to 127.0.0.1. Then a POST is done from the
>> website to 127.0.0.1 with the body containing scheme code. This code is
>> then executed by the Guile interpreter on the listening port.
>
> You don't need to rebind DNS to exploit this bug, or other bugs like
> it. I wrote some details here:
>
>
>
> Best,
>
> Lizzie.

Hi Lizzie!

Thanks for the post. Interesting to see you figured out how to do it with a GET request, not just a POST. So, I guess this will work from a public site as well?

I'm always a bit fuzzy about what browsers do and don't allow, but I'm stunned that a browser will let a request from some http://foo.example/ to http://localhost:37146/, even for just a GET. It seems like there are all sorts of daemons you can exploit that way.

Anyway, thanks for the interesting blog post, and kudos for using Guile to write your example!

 - Chris
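The thread's point is that binding a code-evaluating listener to 127.0.0.1 is not a boundary when a browser runs on the same host: a form submission or a plain GET reaches the port just fine. What a browser cannot do is speak anything other than HTTP, so every browser-originated connection begins with an HTTP request line. As an added example (not code from this thread, and not Guile's own REPL server or its fix), the Python sketch below shows that defensive pattern for a line-oriented text protocol: inspect the first line a client sends, refuse anything shaped like an HTTP request line before it can reach an evaluator, and answer in HTTP so the browser sees a clean error. The function names (`looks_like_http_request`, `decide`, `serve_one`, `demo`) and the two client payloads are constructed for this example.

```python
import re
import socket
import threading

# Added example (not Guile's code). A browser can only reach a loopback
# listener through HTTP, so every browser-originated connection starts
# with an HTTP request line such as "POST / HTTP/1.1". A plain-text
# eval/REPL protocol never does, so the first line is enough to tell the
# two apart before any input is handed to the evaluator.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,8} \S+ HTTP/1\.[01]\r?\n?$")


def looks_like_http_request(first_line: bytes) -> bool:
    """True when the first line a client sent is an HTTP request line."""
    return HTTP_REQUEST_LINE.match(first_line) is not None


def decide(first_line: bytes) -> str:
    """Policy for a new connection: 'reject' HTTP-shaped input, else 'accept'."""
    return "reject" if looks_like_http_request(first_line) else "accept"


def read_first_line(conn: socket.socket, limit: int = 4096) -> bytes:
    """Read at most one line from the socket, byte by byte, without over-reading."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def serve_one(listener: socket.socket) -> str:
    """Handle a single connection and return the decision that was taken.

    The 'accept' branch only acknowledges the line; a real REPL server would
    hand it to the evaluator at that point.
    """
    conn, _ = listener.accept()
    with conn:
        action = decide(read_first_line(conn))
        if action == "reject":
            # Answer in HTTP so the browser gets a clean error, then close.
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        else:
            conn.sendall(b"; line accepted (demo does not evaluate anything)\n")
    return action


def demo() -> list:
    """Run the guard on loopback against two constructed clients.

    The first client sends what a browser form submission looks like on the
    wire; the second sends an ordinary REPL line.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    listener.listen(2)
    port = listener.getsockname()[1]

    def client(payload: bytes) -> None:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
            c.recv(1024)  # wait for the server's reply before closing

    results = []
    constructed = (
        b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: text/plain\r\n\r\n",
        b"(+ 1 2)\n",
    )
    for payload in constructed:
        t = threading.Thread(target=client, args=(payload,))
        t.start()
        results.append(serve_one(listener))
        t.join()
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())  # ['reject', 'accept']
```

The check is deliberately placed before any parsing of the protocol's own syntax, because the whole problem is that a browser's request body or query string is delivered to the evaluator as if it were typed locally. Rejecting HTTP-shaped input removes the browser as a client entirely; it does not distinguish one local process from another, so a listener that must also resist other local users still wants a Unix-domain socket with file permissions or a per-session secret rather than a TCP port on loopback.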