I don’t think that just blocking HTTP verbs is good enough. Let’s consider some more examples.
Example 1: Alice spends lots of time on IRC. She’s also interested in embedded systems, so she runs OpenOCD. Bob has a file to send her, so they start an IRC CTCP session. Bob configures his IRC client to claim his IP address is 127.0.0.1 and the CTCP listener is on port 4444. Alice’s IRC client sends some crud to her OpenOCD, which might include text that Bob can partially control. Example 2: Alice runs an FTP server. Bob connects to it and uploads a file containing some OpenOCD script. He then issues an FTP GET command, in active mode, specifying the data channel to be at 127.0.0.1:4444. Alice’s FTP server connects to her OpenOCD’s Telnet port and dumps Bob’s uploaded file straight into it. Example 3: Alice does a lot of online gaming. Bob sends an invitation to a new server he found. The invitation contains a hostname, port number, and invitation key used to authenticate to the server. The game shows a popup with invitation details: host example.com, port 4444. The invitation key isn’t shown, because it’s supposed to be just some random bytes. Unknown to Alice, Bob went to Godaddy yesterday and registered example.com, and its DNS server now resolves example.com to 127.0.0.1. Also unknown to Alice, the invitation key isn’t as random as it ought to be: it’s actually some OpenOCD commands Example 4: Alice is using her Web browser. She clicks on a link, an act that should be harmless. It points at ftp://some-openocd-script:some-password@localhost:4444/some/filename. Or a similar Gopher URL. Or a Websockets URL. Or any number of other protocols that Web browsers also understand. Example 5: Alice and Bob live together. To save space or money, they share a single desktop for serious computing work. They practice good computing hygiene: their home directories are mode 0700, they have good passwords, they always log out when done, and they keep their machine up to date with security patches. They sometimes need access to their personal files while they’re out, so they set up SSH access from their phones. Alice, sitting at the desktop, runs OpenOCD. Bob, sitting at the coffee shop, runs ssh -L4444:localhost:4444 homebox. I’m not claiming to have tested all of the above. I’m not claiming that all of the above are actually workable attacks. Rather, they’re a few examples I wrote up while waiting for a bus. If I can think of these, no doubt a dedicated attacker can think of many more, and some of them will work even if not all of them do. In my opinion, blindly trusting localhost is the fundamental problem here: none of the above attacks would work if you had to, say, type a password before OpenOCD would accept your Telnet (or GDB, or TCL, or …) session. -- Christopher Head -- Christopher Head
signature.asc
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ OpenOCD-devel mailing list OpenOCD-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openocd-devel
