On the flip side, if you're doing a security test like this, I've gotten mileage out of convincing apps to access local resources with things like 127.88.23.245, precisely because the developer blocked 127.0.0.1 specifically and thought they were done.
You should also usually block all internal and external IPs for your entire network, but especially in the cloud this can begin to get tricky. Still, you should.
And don't forget IPv6.
iptables with --uid-owner denying traffic to local/private IP space (plus infrastructure-specific stuff like EC2's instance metadata service) would probably be the best option.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Create a chain for outgoing proxy traffic
-N PROXY_OUT
-A OUTPUT -m owner --uid-owner proxy -j PROXY_OUT
# Allow replies to the requestor
-A PROXY_OUT -p tcp --sport 8080 -j ACCEPT
# Prevent proxy from talking to anything non HTTP{,s} (and DNS)
-A PROXY_OUT -p tcp -m multiport ! --dports 80,443,53 -j DROP
# Allow DNS udp
-A PROXY_OUT -p udp --dport 53 -j ACCEPT
# Allow the proxy to specific private ips (demos servers)
-A PROXY_OUT -d xxx.xxx.xxx.xxx/32 -j ACCEPT
# Prevent proxy from talking to anything private
-A PROXY_OUT ! -o <%= @public_iface %> -j DROP
-A PROXY_OUT -d 10.0.0.0/8 -j DROP
-A PROXY_OUT -d 172.16.0.0/12 -j DROP
-A PROXY_OUT -d 192.168.0.0/16 -j DROP
# Prevent proxy from talking to services via public ips
<% @aws_public_ips.each do |name, facts| %>
# <%= name %>
-A PROXY_OUT -d <%= facts['ec2_public_ipv4'] %>/32 -j DROP
<% end %>
iptables -A OUTPUT -m owner --uid-owner mike -d 127.0.0.0/8 -j REJECT
ip6tables -A OUTPUT -m owner --uid-owner mike -d ::1 -j REJECT
$ ping 2130706433
PING 2130706433 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.043 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.106 ms
^C
They should have run the proxy on a host that they didn't give any special IP-based privileges to. The other nodes shouldn't honor X-Forwarded-For headers from the IP hosting the proxy.
And the IPv6 equivalent is "::1". Did they even set up basic packet filtering or ACLs for IPv6 requests? If they have no public IPv6 address, they probably never did.
People's results here might vary depending on their operating system. For me, these pings were returned on a vagrant box running ubuntu, but dropped (not blocked) on the host system.
How much did Telefonica pay you for the Hello integration?
But sure, our surfing history will be secure ...
https://blog.mozilla.org/advancingcontent/2015/05/21/providi...
Did you guys acutally read your PR-bullshit here?
But soon a new small, fast, free, secure open-source browser will arrive and Mozilla will be history. But your pocket full. Well done.
Pocket began life as a Firefox add-on, and is now integrated into literally hundreds of applications. Embracing that is a reasonable choice in terms of sustainability and value for users.
For what it's worth, I do not believe any money changed hands in the Pocket deal, but I don't know that authoritatively.
And that's what it should have remained! Promote it all you like on your websites, but please let it, and all featurees like it, be separate from the main web browsing functionality, because far from every one of your users wants or needs this!
I, and I'm sure many other Firefox users are deeply disappointed by the Mozilla track record of including questionable features such as this. That's why, I have already started [1] figuring out how to switch to ESR channel by default on all systems that I have control over: I want the security updates, but I don't have the time and effort necessary to browse through all the crap features Mozilla introduces and figure out how to tweak and/or disable them on a six-week basis.
I believe the root of this change-in-mission is well expressed in a post by David Rajchenbach-Teller [1]:
While I personally want a browser that is fast, small, reliable
and trustworthy, we have market research that shows us that you
and I are a minority. More precisely, we have market numbers
that shows that users want a Pocket-like feature and are not
going to bother checking if there are add-ons that implement
it.
[1] https://groups.google.com/d/msg/mozilla.governance/2PYq2w8te...
And as a long-time user of Firefox, this is what got me to stop using Firefox.
There's been tons of people asking for the removal of Pocket from Firefox including hundreds of posts in the Mozilla governance forum asking for its removal but Mozilla sits there doing nothing claiming "sane privacy" and "oh you can disable it by going to your about:config and finding this key and setting it to false". Package it as an uninstallable extension or get rid of it completely.
Complexity intimidates and scares off users and makes software harder to use. All firefox' competitors are extremely streamlined and simple, and that works. Firefox got popular intially because it was simple. Chrome became popular fast because it was faster and more streamlined than firefox. And by integrating all these extra services, firefox makes itself less streamlined and less useable.
I stick with firefox because chrome has some dubious privacy defaults, but that's really the only advantage firefox has over its competitors from my perspective.
No money changed hands. Mozilla integrated Pocket because they wanted such a feature in their browser (apparently, so did users), and Pocket already existed (better than reimplementing it from scratch)
Mozilla almost certainly isn't getting any money out of the Pocket integration deal. Mozilla has far more money than Pocket does.
Really? How exactly? Who will fund its development?
Can't say anything about PaleMoons security but I like the old design better, the team seems more responsive and they haven't yet (had the chance to) give in to hypocrites and fire "Brendan Eich".
"Pocket does not provide monetary compensation for any identified or possible vulnerability."
Cheapskates. This could have cost them money if somebody abusive had discovered it first. He deserves a monetary award.
[edit] Should we be concerned about the massive number of people listed on that page who have found security problems with Pocket? I counted 153 separate people...
This isn't some free service being run out of the goodness of somebodys heart. This is a company, that wants to make money. If a company has that many employees, they can afford a bug bounty program too.
You shouldn't do work based on "they haven't had a bug bounty before now but maybe they will make one just for me."
Heaven forbid, people submit security issues because they want to be helpful or care about the project.
Had I been OP I would have sold the exploits with no remorse, we don't need companies like that on the market, rewarding corporations for bad behaviour with free labour is fucked up on every level.
Some ideas:
- Move the service doing the fetching to an untrusted network. At least it would be unable to access any internal services and any compromises there would be hopefully limited. You still have the problem that the local machines there could potentially be compromised.
- Validate / verify the URL to ensure it's not hitting anything internal. This sounds hard. Pre-resolve the name and check to see if the IP is in an internal range? Seems easy to get our of date as your network changes. Make sure to repeat for any redirects? Is there a better way to validate?
- Ensure that all internal services require authentication. This also sounds hard and easy to miss something.
It actually isn't very difficult, but the repercussions of getting it wrong are scary.
- How do you extract the hostname from the URL? If the algorithm isn't the same as the one used by your network lib, it might be possible to trick your check into checking the wrong hostname.
- You'd have to check for redirects.
- If you pre-resolve DNS hostnames for your check, and then let your network lib open another socket to the host, it might resolve to another (internal) IP, because the attacker might control the DNS zone of that host, returning 127.0.0.1 on every other request. You'd have to make sure to open a socket to the IP returned during the check.
The safer option would be to work with iptables: https://news.ycombinator.com/item?id=10079554
I think the best way here is to put the "fetch random URLs" service out in its own subnet, where it cannot access any other internal services like the EC2 status service. You'll also have to validate the URLs (no non-HTTP-or-HTTPS URLs) and prevent things like the redirect attack from working.
It's certainly not right, and indicative of the need for either a system administrator with an eye for deployment best practices, or an explicit security position who sets up audits to look for these kinds of flaws.
Many companies call this position "DevOps Manager" or something similar. They usually own their servers, manage builds and deploys, maintain the repos, and communicate to management and developers.
Only one class of deploy problems: you're not at all familiar with Linux or other Unix clones.
[1] http://forums.somethingawful.com/showthread.php?noseen=0&thr...
I guess the DevOps trend (i.e. not hiring sysadmins) should take it's share of blame. Or maybe it's the other way around - you don't care for security, so there is no point in hiring security experts?
If team principals are mostly young and don't have exposure to very specific kind of experiences dealing with threat modelling, then the security work will always take a backseat to feature-building. It's how humans work - it's hard to cut time from nice visible things and dedicate it to a hypothetical (at that point) abstract goal like security. Everyone agrees that the latter is important, but it just never ends up getting any oxygen. What's worse, if the team does not know what tightening systems feels like, they don't even know where to start. No "muscle memory" for it.
Maybe at some point we'll get more baseline collective wisdom about it throughout the industry, but it will also take the people signing the cheques (CEO, investors) having a bit more (justified) paranoia and respect for these priorities, and consequently requiring them from the outset. And DevOps has little to do with it - security has to be established as a priority from the leadership levels on down anyway because it necessarily means reducing time spent on more immediately-visible things.
We are not talking about some complex interactions between multiple components which lead to a security vulnerability. This is some trivial stuff like "don't give your passwords to anybody" or "don't run everything as root".
The most complex vulnerability mentioned in the article is with proxying. If you have opened /etc/squid/squid.conf at least once you should have noticed the to_localhost ACL and the comments which explain why it is important. So is the Pocket team building a multi-million user service which has a proxying component without trying to configure squid once? Absolutely!
Also I consider too optimistic hoping for the situation to improve - it's moving in the opposite direction for now with steady speed.
In theory it is. In practise it sometimes seems to be seized on by people who are sick of listening to those fuddy-duddy infrastructure types bang on about security and firewalls and ug, so boring bro. Crush code!
At the very least, run it on localhost:10101 or something. Don't give us another range to have to filter!
localhost:SOMETHING will also not work for same reason - they would need to run a service inside your instance.
There is one more popular solution to the metadata problem - providing it as an emulated cdrom, which would be also vulnerable in this case. And it can't be dynamic.
Their current metadata approach works across OSes.
And, yes, the data are dynamic. Things like AWS access keys change over time and can be accessible via the metadata if you've given the instances IAM profiles. I'm surprised the author didn't mention this.
I agree that the approach feels uncomfortable in general but it seems like the best approach for the functionality they wanted.
Admittedly, I suppose it would be nice if Firefox actually packaged Pocket as a real extension that could be removed from the Extensions menu, but they have already integrated several things without using that schema.
I still use firefox, just with more and more things disabled, because none of the other browsers out there even come close to having what I need in a GUI browser (though, I would note that I'm evermore tempted to abandon GUI browsing altogether).
Either way, the write-up is great, and everything in the article other than that one characterization (which rubbed me a bit the wrong way in the wake of all the fevered discussions around the Pocket Integration) was a truly enjoyable read. Not to mention, it's great that the Pocket devs fixed things quickly; that's always a plus!
>it would be nice if Firefox actually packaged Pocket as a real extension that could be removed from the Extensions menu
These two statements you made seem to corroborate his characterization of it being "opt-out" (meaning on by default, but capable of being disabled) and "non-removable" (baked into firefox as opposed to an extension). Not sure what you find wrong with his characterization.
Perhaps I just read something into the Author's tone (probably due to all the vitriole from the typical discourse around the integration) that wasn't really there. If that's the case, and all the author meant by that statement was that the code itself could not be completely erased from Firefox as-packaged, then that seems to be factually true, and I simply read it incorrectly.
It's usually the public SSH key which is stored in instance metadata. IAM roles/STS is much more scarier in this case.
This is not a fair assumption to make. Maybe they are running a LSM like AppArmor.
I'm not trying to single out Pocket; they are just the latest evidence that even in the few cases where "you can trust us with your data" is said honestly, it isn't a promise that can be kept in practice.
These keys are rotated relatively frequently, but it opens up a whole new level of exploits against the company which runs those AWS servers.
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-sm...
Its thrilling and terrifying :)