[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Max Jakob Maass max at velcommuta.de
Tue Jan 21 09:28:29 UTC 2014


Christ. Chrome even allows connecting to other machines in the LAN. I
successfully connected to my Raspberry Pi (only reachable via LAN) by
changing the IP in the source code from 127.0.0.1 to the relevant IP.

So, apparently, Chrome allows you to enumerate the LAN and interact
with other machines in it. I'll see if there is a bug report for that
already.

Thanks for the Info, TT Security.

On 21.01.2014 10:18, Max Jakob Maass wrote:
> I see the same behaviour with the latest Chrome running Linux:
> 
> $ nc -l -p 1234
> GET / HTTP/1.1
> Host: 127.0.0.1:1234
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
> Origin: http://tortestprivacy.url.ph
> Accept: */*
> DNT: 1
> Referer: http://tortestprivacy.url.ph/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8,de;q=0.6
> 
> So, apparently, Google does not enforce a same origin policy on
> this, either.
> 
> On 21.01.2014 10:01, Olivier Cornu wrote:
>> On 21/01/2014 05:06, TT Security wrote:
>>> 
>>>> I don't think browsers in general allow connections on 
>>>> loopback interfaces, unless explicitly requested by users.
>>> 
>>> I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there.
>>> Just open some port on your computer (only for testing), for
>>> example a local web server, and try this page with Firefox from
>>> Tor Browser Bundle: http://tortestprivacy.url.ph/ You will see
>>> :)
> 
>> Fwiw, I can confirm this unfortunate behavior. :( TBB connecting
>> to loopback netcat socket from tortestprivacy.url.ph javascript:
> 
>> $ nc -l -p 1234
>> GET / HTTP/1.1
>> Host: 127.0.0.1:1234
>> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding: gzip, deflate
>> DNT: 1
>> Referer: http://tortestprivacy.url.ph/
>> Origin: http://tortestprivacy.url.ph
>> Connection: keep-alive
> 
>> -- Olivier Cornu
> 
> 


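Both captures in this thread carry an `Origin` header naming the remote page, so a service listening on loopback or a LAN address can refuse such requests on its own side. The following is an added example, not part of the original thread; the function names and sample requests are constructed for illustration, and it assumes plain HTTP on both sides.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, shaped like the captures quoted in the thread.
CROSS_SITE = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:1234\r\n"
    "Origin: http://tortestprivacy.url.ph\r\n"
    "Referer: http://tortestprivacy.url.ph/\r\n\r\n"
)
# Constructed sample: a page served by the local service calling itself.
SAME_ORIGIN = (
    "GET /status HTTP/1.1\r\n"
    "Host: 127.0.0.1:1234\r\n"
    "Origin: http://127.0.0.1:1234\r\n\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to values for one raw HTTP request."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_local_target(host):
    """True for 'localhost' and loopback, private or link-local IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

def should_reject(raw):
    """Reject a request to a local Host that was initiated by another origin."""
    h = parse_headers(raw)
    target = urlsplit("//" + h.get("host", ""))
    if not target.hostname or not is_local_target(target.hostname):
        return False
    source = h.get("origin") or h.get("referer")
    if not source:
        return False  # no browser provenance header (e.g. curl): not flagged
    if source == "null":
        return True   # opaque origin is never the service's own page
    src = urlsplit(source)
    # Assumes plain HTTP on both sides, so a missing port means 80.
    return (src.hostname, src.port or 80) != (target.hostname, target.port or 80)
```
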