| 1 |
Hi, |
| 2 |
|
| 3 |
if this hasn't already caught your interest here's a forward from |
| 4 |
guile-dev, should be of interest of the people maintaining guile on |
| 5 |
Gentoo. Below follows the message: |
| 6 |
|
| 7 |
|
| 8 |
From: Christopher Allan Webber <cwebber@××××××××××.org> |
| 9 |
To: guile-devel@×××.org, guile-user@×××.org |
| 10 |
Subject: Guile security vulnerability w/ listening on localhost + port (with |
| 11 |
fix) |
| 12 |
Date: Tue, 11 Oct 2016 09:01:18 -0500 |
| 13 |
Message-ID: <87k2dfc7dd.fsf@××××××××××.org> |
| 14 |
|
| 15 |
The Guile team has just pushed out a new commit on the Guile stable-2.0 |
| 16 |
branch addressing a security issue for Guile. There will be a release |
| 17 |
shortly as well. The commit is |
| 18 |
08c021916dbd3a235a9f9cc33df4c418c0724e03, or for web viewing purposes: |
| 19 |
|
| 20 |
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=3Dstable-2.0&id=3D08= |
| 21 |
c021916dbd3a235a9f9cc33df4c418c0724e03 |
| 22 |
|
| 23 |
Due to the nature of this bug, Guile applications themselves in general |
| 24 |
aren't vulnerable, but Guile developers are. Arbitrary scheme code may |
| 25 |
be used to attack your system in this scenario. |
| 26 |
|
| 27 |
There is also a lesson here that applies beyond Guile: the presumption |
| 28 |
that "localhost" is only accessible by local users can't be guaranteed |
| 29 |
by modern operating system environments. If you are looking to provide |
| 30 |
local-execution-only, we recommend using unix domain sockets or named |
| 31 |
pipes. Don't rely on localhost plus some port. |
| 32 |
|
| 33 |
To give context, Guile supports a nice live-hacking feature where a user |
| 34 |
can expose a REPL to connect to, through Geiser |
| 35 |
(http://www.nongnu.org/geiser/) or so on. This allows Guile users to |
| 36 |
hack programs even while programs are running. |
| 37 |
|
| 38 |
The default in Guile has been to expose a port over localhost to which |
| 39 |
code may be passed. The assumption for this is that only a local user |
| 40 |
may write to localhost, so it should be safe. Unfortunately, users |
| 41 |
simultaneously developing Guile and operating modern browsers are |
| 42 |
vulnerable to a combination of an html form protocol attack [1] and a |
| 43 |
DNS rebinding attack [2]. How to combine these attacks is published in |
| 44 |
the article "How to steal any developer's local database" [3]. |
| 45 |
=20=20 |
| 46 |
|
| 47 |
In Guile's case, the general idea is that you visit some site which |
| 48 |
presumably loads some javascript code (or tricks the developer into |
| 49 |
pressing a button which performs a POST), and the site operator switches |
| 50 |
the DNS from their own IP to 127.0.0.1. Then a POST is done from the |
| 51 |
website to 127.0.0.1 with the body containing scheme code. This code is |
| 52 |
then executed by the Guile interpreter on the listening port. |
| 53 |
|
| 54 |
The version we are releasing mitigates this problem by detecting |
| 55 |
incoming HTTP connections and closing them before executing any code. |
| 56 |
|
| 57 |
However, there is a better long term solution, which is already |
| 58 |
available even to users of older versions of Guile: Guile supports unix |
| 59 |
domain sockets in POSIX environments. For example, users may run the |
| 60 |
command: |
| 61 |
|
| 62 |
guile --listen=3D/tmp/guile-socket |
| 63 |
|
| 64 |
to open and listen to a socket at `/tmp/guile-socket`. Geiser users may |
| 65 |
then connect using `M-x geiser-connect-local`. This is considerably |
| 66 |
safer. |
| 67 |
|
| 68 |
We hope that other program authors take heed of this lesson as well: |
| 69 |
many programs make use of localhost + port as a way of limiting |
| 70 |
connections. Unfortunately, in today's complex networked environment, |
| 71 |
this isn't a safe assumption. It's very difficult to predict what |
| 72 |
programs may provide a way of chaining requests to an application |
| 73 |
listening on localhost, and certainly difficult on a system where |
| 74 |
web browsers are involved. Take heed! |
| 75 |
|
| 76 |
[1] https://www.jochentopf.com/hfpa/ |
| 77 |
[2] https://en.wikipedia.org/wiki/DNS_rebinding |
| 78 |
[3] http://bouk.co/blog/hacking-developers/ |
Archives