knocking on private back doors with the web browser

4 February 2013 8:47 AM (security | javascript | guile | port scanning)

I woke up at five this morning with two things in my head.

One was, most unfortunately, Rebecca Black's Friday, except with "Monday" -- you know, "Monday, Monday, gettin' up on Monday, hack, hack, hack, hack, which thing should I hack?", et cetera.

The other was a faint echo of Patrick McKenzie's great article on the practical implications of the recent Rails vulnerabilities. In particular, he pointed out that development web servers running only on your local laptop could be accessed by malicious web pages.

Of course this is not new, strictly speaking, but it was surprising to me in a way that it shouldn't have been. For example, Guile has a command-line argument to run a REPL server on a local port. This is fantastic for interactive development and debugging, but it is also a vulnerability if you run a web server on the same machine. A malicious web page could request data from the default Guile listener port, which is a short hop away from rooting your machine.

I made a little test case this morning: a local port scanner. It tries to fetch http://localhost:port/favicon.ico for all ports between 1 and 10000 on your machine. (You can click that link; it doesn't run the scan until you click a button.)

If it finds a favicon, that indicates that there is a running local web application, which may or may not be vulnerable to CSRF attacks or other attacks like the Rails yaml attack.

If the request for a favicon times out, that port is probably vulnerable to some kind of attack, like the old form protocol attack.

If the request fails, the port may be closed, or the process listening at the port may have detected invalid input and closed the connection. We could run a timing loop to determine if a connection was made or not, but for now the port scanner doesn't output any information for this case.

In my case, the page finds that I have a probably vulnerable port 2628, which appears to be dictd.

Anyway, I hope that page is useful to someone. And if you are adding backdoors into your applications for development purposes, be careful!

12 responses

  1. J Altfas says:

    Naturally anyone using the Internet is interested in security, or certainly ought to be.

    So I was inspired to try out the "local port scanner" you described. Sure enough, it printed out a very long list of "potentially vulnerable" ports, which left me curious about what was going on. That is to say, it didn't seem likely that all those ports were actually being listened on.

    Investigating further, using netstat (on Linux) showed just a few ports having listeners (beyond the expected IANA services ports), and these didn't correspond to ports in the web-generated list.

    Testing from another angle, I hacked up a simple tcl program that attempted connecting to each port < 65536, and if connected, sending an http request and reading the response. Here's a typical result:

    % source port-vul.tcl
    PORT..22 READ => data:

    PORT..25 READ => data:
    554 SMTP synchronization error

    PORT..465 READ => data:
    554 SMTP synchronization error

    PORT..587 READ => data:
    554 SMTP synchronization error

    PORT..631 READ => data:
    HTTP/1.1 200 OK
    Date: Thu, 07 Feb 2013 20:52:48 GMT
    Server: CUPS/1.6
    Connection: Keep-Alive
    Keep-Alive: timeout=30
    Content-Language: en_US
    Content-Type: text/html; charset=utf-8
    Last-Modified: Sun, 12 Aug 2012 21:34:33 GMT
    Content-Length: 3792

    PORT..5432 READ => timed out (9156 reads)
    PORT..16385 READ => data:

    PORT..51324 READ => data:
    GET / HTTP/1.1

    In other words, the results were consistent with the operations of the usual daemons, with the exception of the "mystery" port 16385, whose associated process wasn't identified. However, the port's minimal, two-character response to the http header might suggest vulnerability is not problematic there.

    I admit I may be missing important lessons you were trying to teach, but it is not at all clear what your web-based scan was showing in reference to my running system and potential vulnerabilities. If there's more I should know, I'd appreciate the information.

    BTW, this is the tcl script:

    set h 1

    for {set i 1} {$i < 65536} {incr i} {
        if {![catch {socket localhost $i} r]} {
            chan configure $r -blocking 0
            chan puts $r "GET / HTTP/1.1\n"
            chan flush $r

            # after half a second the timer clears h and ends the read loop
            set a [after 500 {set h 0}]

            set h 1
            set n 0
            while {$h} {
                update    ;# run the event loop so the timer can fire
                if {[catch {read $r 256} err]} {
                    # connection reset or similar: nothing to report
                    set err ""
                    after cancel $a
                    break
                } elseif {[string length $err] > 0 || [eof $r]} {
                    after cancel $a
                    break
                }
                incr n    ;# an empty non-blocking read; try again
            }
            puts -nonewline [format "PORT..%-10d" $i]
            if {$h == 0} {
                puts "READ => timed out ($n reads)"
            } else {
                puts "READ => data:"
                foreach ln [split $err "\n"] {
                    puts " $ln"
                }
            }
            chan close $r
        }
    }

  2. J McFarell says:

    I realize this is a late reply. He's getting at this: Running a web server locally that can DO things on the computer means there is a potentially exploitable vulnerability. All a remote website that you visit has to do is send a few requests (e.g. in a hidden iframe) to your running localhost web server, which, for the sake of argument, grants root/Administrator access to the system if a certain sequence of requests is made, tell the localhost web server and the web app behind it to deploy malware (e.g. ransomware), and BOOM, compromised system.

    Then, deploy that to an advertising network and you're golden.

    Which is why everyone should run AdBlock Plus and Ghostery as this person does:
