
Guile security vulnerability with listening on localhost and port - cheiVia0
https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html
======
imagist
Is this an issue with Guile, or is this an issue with browsers? It seems like
allowing sites to query localhost is a vulnerability that could affect a wide
variety of development tools. Maybe I'm not thinking of some use case, but it
seems to me that we would only ever want requests to localhost to come from
local sources, no?

~~~
pilif
Dropbox and Github both use it to talk to their installed desktop clients from
the website. It's very useful, as just by installing an app, a website can
get more access to the local machine's hardware without having to resort to
browser-specific plugins.

In our case, we're using it to read data from a barcode scanner to use it on a
web application. All a user needs to do is to install the application and once
that's done it works in all browsers.

~~~
flukus
Can any websites talk to these apps? I've built a similar one (a decade ago
now), but we at least had the benefit of only running on a closed network.

~~~
pilif
Potentially, yes. In our case we're doing a bit of additional work to prevent
this from happening though. Other sites would get access to the built-in web
server, but they wouldn't get anything apart from a 403 error.

------
flukus
The same issue was discussed on here recently:

[http://bouk.co/blog/hacking-developers/](http://bouk.co/blog/hacking-developers/)

I think we're only scratching the surface on the number of vulnerabilities
exposed.

~~~
l_zzie
I don't think this is the same vulnerability. You don't even need to rebind
DNS to do it, I believe: just make an XMLHttpRequest. Your GET is considered
code. The browser will get back a request that doesn't have a CORS header and
so not let you read it, but your code still executes. So there's no reason to
be on the same origin, so DNS rebinding is unnecessary.

------
qwertyuiop924
This is actually a vulnerability in any language that provides a networked
REPL.

I'm glad that Guile kept the option to run a REPL via a port, because that's
really useful for debugging nonlocal servers (investigating production issues,
etc.).

~~~
paroneayea
It does look like there's a way to "forward" a unix domain socket over ssh
enough to do that kind of debugging:

[https://debian-administration.org/users/dkg/weblog/68](https://debian-administration.org/users/dkg/weblog/68)

~~~
qwertyuiop924
That's certainly a potential solution.

------
Tepix
The browsers should consider detecting when an address in DNS changes from non-
local to localhost and blocking requests when this occurs.

~~~
antocv
Not the browsers, the dns library. Protect any application.
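
An added sketch of what a resolver-level check like the one antocv suggests could look like (example code, not from any DNS library; the host names and addresses are constructed): a public name that resolves to a loopback, private or link-local address is the rebinding signature, so those answers are dropped unless the name itself is a local one. The `ipaddress` module does the classification, and IPv4-mapped IPv6 forms are unwrapped first so `::ffff:127.0.0.1` is caught too.

```python
import ipaddress
import logging
import socket

log = logging.getLogger("rebinding-filter")

LOCAL_NAMES = {"localhost"}      # names that may legitimately map to loopback


def is_local_name(hostname):
    name = hostname.rstrip(".").lower()
    return name in LOCAL_NAMES or name.endswith(".localhost")


def is_internal(address):
    """True for loopback, private (RFC 1918 / ULA), link-local and unspecified
    addresses, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def filter_answers(hostname, addresses):
    """Return the addresses an application may connect to for hostname.

    Local names pass through untouched; for any other name, internal
    addresses are dropped and logged, since a public name that starts
    resolving to 127.0.0.1 is exactly what a rebinding attack looks like.
    """
    if is_local_name(hostname):
        return list(addresses)
    kept, dropped = [], []
    for address in addresses:
        (dropped if is_internal(address) else kept).append(address)
    if dropped:
        log.warning("rebinding suspected: %s resolved to internal %s (dropped)",
                    hostname, dropped)
    return kept


def resolve_checked(hostname, port=80):
    """getaddrinfo wrapper that refuses internal answers for public names."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    answers = [info[4][0] for info in infos]
    safe = filter_answers(hostname, answers)
    if not safe:
        raise OSError("refusing %s: every answer was an internal address" % hostname)
    return safe
```

The check belongs at the point where the name is turned into an address, which is why the wrapper sits around `getaddrinfo` rather than in any one application; a browser, a curl-style client and a desktop app that all resolve through it get the same protection.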

------
tedunangst
> the presumption that "localhost" is only accessible by local users

Why is there even a presumption that all local users are equally trusted?

~~~
flukus
Someone logged in to the machine likely has enough access to make this attack
irrelevant.

~~~
Arnt
Even HN has enough access to your machine. Your browser is showing you this
page, the page may contain javascript (probably does, feh), and the javascript
can retrieve
[http://localhost:43278/this/that](http://localhost:43278/this/that).

~~~
tmsbrg
That doesn't even require JavaScript, does it? Just `<img src="http://localhost..."/>`.

~~~
Arnt
I suppose you're right.

Although for the good stuff you want POST. With POST and an error-tolerant
SMTP server you can send mail, I imagine other kinds of servers might be
equally accommodating.

------
0x0
Sounds very similar to the emergency patch issued for Android Studio and
IntelliJ IDEA back in May,
[https://blog.jetbrains.com/blog/2016/05/11/security-update-f...](https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/)

------
fulafel
Clojure should pick up on this too.

~~~
aardvark179
There is
[https://github.com/monsanto/nreplds](https://github.com/monsanto/nreplds) but
it requires some native code, and obviously isn't a solution for those on
Windows. I'm not sure how vulnerable nRepl is to http attacks as I don't think
either of its default transports would accept or filter out http commands.

~~~
fulafel
I'm not so sure; certainly one of the two socket protocols is vulnerable (the
"tty" one), judging by what the regular repl does with `GET
/%20(println"hello") HTTP/1.0`, and it's somewhat likely that you could get
through the bencode transport too.
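
The defensive complement to what fulafel observes, as an added example that is not Guile's, nREPL's or any poster's code: a TCP REPL listener that reads the first line of a new connection and, if it has the shape of an HTTP request line, answers with a 403, logs the peer and closes without evaluating anything. The evaluator behind it is a constructed placeholder (`ast.literal_eval`, which accepts only Python literals), and the port is arbitrary; the real answer for a debugging REPL is a unix domain socket as paroneayea notes, with a guard like this as defence in depth on any TCP listener that remains.

```python
import ast
import logging
import re
import socketserver

log = logging.getLogger("repl-guard")

# A request line looks like "<METHOD> <target> HTTP/<major>.<minor>".
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10}[ \t]+\S+[ \t]+HTTP/\d\.\d\s*$")

REFUSAL = (b"HTTP/1.0 403 Forbidden\r\n"
           b"Content-Type: text/plain\r\n"
           b"Connection: close\r\n"
           b"\r\n"
           b"This port is a REPL, not a web server.\r\n")


def looks_like_http(first_line):
    return _REQUEST_LINE.match(first_line) is not None


def guard_first_line(first_line):
    """Decide what to do with the first line a new connection sent.
    Returns ("refuse", REFUSAL) for an HTTP request line, ("accept", None)
    otherwise; a refused line is never handed to the evaluator."""
    if looks_like_http(first_line):
        return "refuse", REFUSAL
    return "accept", None


def evaluate(line):
    """Constructed stand-in for the real evaluator: Python literals only, so
    this demo server cannot run code even if the guard is bypassed."""
    return repr(ast.literal_eval(line.decode("utf-8", "replace").strip()))


class GuardedRepl(socketserver.StreamRequestHandler):
    def handle(self):
        first = self.rfile.readline(4096)
        action, response = guard_first_line(first)
        if action == "refuse":
            # Detection point: a browser on this machine was pointed at the
            # REPL port. Record who connected and what the line looked like.
            log.warning("refused HTTP request line from %s: %r",
                        self.client_address[0], first[:80])
            self.wfile.write(response)
            return                      # connection closes, nothing evaluated
        line = first
        while line:
            try:
                self.wfile.write(evaluate(line).encode() + b"\n")
            except (ValueError, SyntaxError) as exc:
                self.wfile.write(("error: %s\n" % exc).encode())
            line = self.rfile.readline(4096)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Loopback only, constructed port; the guard does not make 0.0.0.0 safe.
    with socketserver.TCPServer(("127.0.0.1", 4444), GuardedRepl) as srv:
        srv.serve_forever()
```

The request-line check runs before any evaluation, so the browser's `GET` never reaches the reader that would otherwise parse its path as an expression; the refused line is logged rather than echoed, which is what makes a stray probe visible to whoever reads the logs.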

