Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Fri, 08 October 2010 23:03 UTC

In-Reply-To: <4CAFA043.10101@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 08 Oct 2010 16:03:42 -0700
Message-ID: <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On Fri, Oct 8, 2010 at 3:50 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>> On Fri, Oct 8, 2010 at 3:04 PM, Scott Ferguson <ferg@caucho.com> wrote:
>>> Scott Ferguson wrote:
>>>> Adam Barth wrote:
>>>>> Consider, for example, a virtual hosting environment in which the
>>>>> attacker can place PHP scripts on the server....  Now, the attacker can
>>>>> complete the WebSocket handshake
>>>>> because the PHP script can compute the HMAC and send the appropriate
>>>>> response header.
>>>>
>>>> Proposed attack: Attack server S with the help of DNS (or hosted HTTP
>>>> server.)
>>>>
>>>> You need to demonstrate a sequence of connections to make that attack work
>>>> (without using a WebServer proxy or time travel). For discussion, I've
>>>> granted you syntax, but you must still demonstrate your sequence of
>>>> connections and propagation of the c-nonce and H to complete the attack.
>>>
>>> You still need to demonstrate a sequence of connections to make this attack
>>> work because your attack appears impossible to complete using TCP as
>>> currently described.
>>>
>>> At the very minimum, you need to describe how the WebSocket connection from
>>> the hijacked browser connects to both the HTTP (or DNS) server that computes
>>> the hash, and to the target server S to complete the attack.
>>
>> The DNS server is the target server.
>
> Then please retract your more general claimed attack against server S using
> DNS/HTTP.
>
> Let me repeat the important claim from your proposal (also quoted above):

Oh, I thought we were still talking about the earlier example that
involved a DNS server.

>> "Consider, for example, a virtual hosting environment in which the
>> attacker can place PHP scripts on the server....  Now, the attacker can
>> complete the WebSocket handshake because the PHP script can compute the HMAC
>> and send the appropriate response header."
>
> Is the PHP server owned by the attacker also the target server S? If so, you
> need to make that restricted claim clear, because you've given the
> impression that the target server S is not owned by the attacker.

This is a virtual hosting environment.  That's what I meant when I
said "consider, for example, a virtual hosting environment in which
the attacker can place PHP scripts on the server."  The attacker has
access to one virtual host on the server but does not own the entire
server.

Concretely, consider http://www.adambarth.com/.  My web site is a
virtual host on a physical server in a 1and1 datacenter.  I'm
perfectly capable of placing a PHP script on my virtual host.  If the
PHP script is able to complete the web socket handshake, then I can
open a WebSocket connection to www.adambarth.com on port 80 from the
user's browser.  Once the WebSocket handshake completes, I can now
talk directly to the 1and1 server over more-or-less a raw socket,
which means I can spoof further HTTP requests and potentially attack
other virtual hosts that happen to be on the same physical machine,
which is bad news bears.

Adam