Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Mitigate DNS rebinding flaw #5460

Closed
feross opened this issue Jul 30, 2019 · 5 comments · Fixed by brave/brave-core#3046
Closed

[Security] Mitigate DNS rebinding flaw #5460

feross opened this issue Jul 30, 2019 · 5 comments · Fixed by brave/brave-core#3046

Comments

@feross
Copy link

feross commented Jul 30, 2019

Mitigate the WebTorrent DNS rebinding flaw disclosed in HackerOne. Low security/privacy risk.

Original issue: brave/browser-laptop#12616
Original Brave PR: brave/browser-laptop#13844
Original WebTorrent PR: webtorrent/webtorrent#1260
Fixed WebTorrent PR: webtorrent/webtorrent#1678

The fix is already published in webtorrent@0.105.2. We should update to this version.

@feross feross added security feature/webtorrent Label for webtorrent related issues labels Jul 30, 2019
@feross feross self-assigned this Jul 30, 2019
@feross
Copy link
Author

feross commented Jul 30, 2019

Test Plan

  1. Go to https://webtorrent.io/free-torrents
  2. Select Sintel (magnet link)
  3. Start the download
  4. Hover your mouse over the download link (the downward-facing arrow) and observe the link's port number. It should be something like e.g. 58630.
  5. Run the following command in Terminal (tested on Mac): cat <(echo -en 'GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n') - | nc localhost 58630. Note: be sure to replace 58630 in the command with the actual port number you observed in Step 4.
  6. The command should hang without outputting anything to Terminal at all. If you see an HTTP response or HTML, then this is broken. Nothing should be output from the command.

@diracdeltas
Copy link
Member

hackerone issue: https://hackerone.com/reports/663729

@kjozwiak
Copy link
Member

kjozwiak commented Sep 18, 2019

Verification PASSED on macOS 10.14.6 x64 using the following build:

Brave 0.69.126 Chromium: 77.0.3865.65 (Official Build) (64-bit)
Revision 87a331a3169cab563505fb44011058b904011ba1-refs/branch-heads/3865@{#726}
OS macOS Version 10.14.6 (Build 18G95)

Screen Shot 2019-09-18 at 12 52 44 PM

Screen Shot 2019-09-18 at 12 53 31 PM

Verification passed on

Brave 0.69.127 Chromium: 77.0.3865.75 (Official Build) (64-bit)
Revision 201e747d032611c5f2785cae06e894cf85be7f8a-refs/branch-heads/3865@{#776}
OS Ubuntu 18.04 LTS

Verification passed on

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS Windows 10 OS Version 1803 (Build 17134.1006)

@GeetaSarvadnya
Copy link

GeetaSarvadnya commented Sep 24, 2019

@feross @yrliou what is the command for windows? I have used the below command in windows and I have got command not found message.
image

@yrliou
Copy link
Member

yrliou commented Sep 26, 2019

Talked to @GeetaSarvadnya through DM about testing on Windows, note here for future references.
On Windows, we could install nmap from https://nmap.org/ncat/ which includes ncat.
When testing, change to the installation folder, such as c\Program Files (x86)\Nmap, and run
cat <(echo -en 'GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n') - | ./ncat.exe localhost 49976 (Replace port with the result of previous step.)
This command is tested using MINGW64, might need a little tweak if you are using other tools.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment