Hi,

if this hasn't already caught your interest here's a forward from
guile-dev, should be of interest to the people maintaining guile on
Gentoo. Below follows the message:


From: Christopher Allan Webber <cwebber@××××××××××.org>
To: guile-devel@×××.org, guile-user@×××.org
Subject: Guile security vulnerability w/ listening on localhost + port (with
fix)
Date: Tue, 11 Oct 2016 09:01:18 -0500
Message-ID: <87k2dfc7dd.fsf@××××××××××.org>

The Guile team has just pushed out a new commit on the Guile stable-2.0
branch addressing a security issue for Guile. There will be a release
shortly as well. The commit is
08c021916dbd3a235a9f9cc33df4c418c0724e03, or for web viewing purposes:

http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

Due to the nature of this bug, Guile applications themselves in general
aren't vulnerable, but Guile developers are. Arbitrary scheme code may
be used to attack your system in this scenario.

There is also a lesson here that applies beyond Guile: the presumption
that "localhost" is only accessible by local users can't be guaranteed
by modern operating system environments. If you are looking to provide
local-execution-only, we recommend using unix domain sockets or named
pipes. Don't rely on localhost plus some port.

To give context, Guile supports a nice live-hacking feature where a user
can expose a REPL to connect to, through Geiser
(http://www.nongnu.org/geiser/) or so on. This allows Guile users to
hack programs even while programs are running.

The default in Guile has been to expose a port over localhost to which
code may be passed. The assumption for this is that only a local user
may write to localhost, so it should be safe. Unfortunately, users
simultaneously developing Guile and operating modern browsers are
vulnerable to a combination of an html form protocol attack [1] and a
DNS rebinding attack [2]. How to combine these attacks is published in
the article "How to steal any developer's local database" [3].

In Guile's case, the general idea is that you visit some site which
presumably loads some javascript code (or tricks the developer into
pressing a button which performs a POST), and the site operator switches
the DNS from their own IP to 127.0.0.1. Then a POST is done from the
website to 127.0.0.1 with the body containing scheme code. This code is
then executed by the Guile interpreter on the listening port.

The version we are releasing mitigates this problem by detecting
incoming HTTP connections and closing them before executing any code.

However, there is a better long term solution, which is already
available even to users of older versions of Guile: Guile supports unix
domain sockets in POSIX environments. For example, users may run the
command:

    guile --listen=/tmp/guile-socket

to open and listen to a socket at `/tmp/guile-socket`. Geiser users may
then connect using `M-x geiser-connect-local`. This is considerably
safer.

We hope that other program authors take heed of this lesson as well:
many programs make use of localhost + port as a way of limiting
connections. Unfortunately, in today's complex networked environment,
this isn't a safe assumption. It's very difficult to predict what
programs may provide a way of chaining requests to an application
listening on localhost, and certainly difficult on a system where
web browsers are involved. Take heed!

[1] https://www.jochentopf.com/hfpa/
[2] https://en.wikipedia.org/wiki/DNS_rebinding
[3] http://bouk.co/blog/hacking-developers/
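As an added example (not code from the Guile project or from the forwarded message), here are the two defences the message describes, written in Python: peeking at a connection's first bytes and dropping anything that looks like a browser's HTTP request before it reaches an evaluator, and listening on a Unix domain socket created with owner-only file permissions instead of localhost plus a port. The HTTP method list and the 0600 mode are my choices, not Guile's actual check, and the socketpair driver exists only to exercise the logic offline.

```python
import os
import socket
import stat
import tempfile
# A browser request (the form POST in the DNS-rebinding chain above) starts with an
# HTTP method and a space; a Scheme form starts with "(" or a symbol. My list, not Guile's.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def looks_like_http_request(prefix: bytes) -> bool:
    """True when a connection's first bytes read like an HTTP request line."""
    return prefix.startswith(HTTP_METHODS)

def accept_repl_client(conn: socket.socket) -> bool:
    """Peek at the first bytes (not consumed); close and refuse if they look like HTTP."""
    try:
        head = conn.recv(16, socket.MSG_PEEK)
    except OSError:
        head = b""
    if not head or looks_like_http_request(head):
        conn.close()
        return False
    return True

def simulate_connection(first_bytes: bytes) -> bool:
    """Push constructed client bytes through a socketpair and return the verdict."""
    server_side, client_side = socket.socketpair()
    with client_side:
        client_side.sendall(first_bytes)
        accepted = accept_repl_client(server_side)
    if accepted:
        server_side.close()
    return accepted

def listen_on_unix_socket(path: str) -> socket.socket:
    """Unix domain socket, as the message recommends; 0600 file mode is my choice."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)   # bind() creates the file as 0777 & ~umask = 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv

def unix_socket_mode_demo() -> int:
    """Create the socket in a fresh directory and return its permission bits."""
    path = os.path.join(tempfile.mkdtemp(), "guile-socket")
    with listen_on_unix_socket(path):
        return stat.S_IMODE(os.stat(path).st_mode)
```

The peek-and-drop check is a stopgap in the same spirit as the commit: it stops the browser-driven POST, but only the Unix socket actually removes the "anything that can reach localhost" exposure.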