[Security] Mitigate DNS rebinding flaw #5460

Closed
feross opened this issue Jul 30, 2019 · 5 comments · Fixed by brave/brave-core#3046

feross commented Jul 30, 2019

Mitigate the WebTorrent DNS rebinding flaw disclosed in HackerOne. Low security/privacy risk.

Original issue: brave/browser-laptop#12616
Original Brave PR: brave/browser-laptop#13844
Original WebTorrent PR: webtorrent/webtorrent#1260
Fixed WebTorrent PR: webtorrent/webtorrent#1678

The fix is already published in [email protected]. We should update to this version.

@feross feross added security feature/webtorrent Label for webtorrent related issues labels Jul 30, 2019
@feross feross self-assigned this Jul 30, 2019

feross commented Jul 30, 2019

Test Plan

  1. Go to https://webtorrent.io/free-torrents
  2. Select Sintel (magnet link)
  3. Start the download
  4. Hover your mouse over the download link (the downward-facing arrow) and observe the link's port number. It should be something like 58630.
  5. Run the following command in Terminal (tested on Mac): `cat <(echo -en 'GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n') - | nc localhost 58630`. Note: be sure to replace 58630 in the command with the actual port number you observed in Step 4.
  6. The command should hang without outputting anything to Terminal at all. If you see an HTTP response or HTML, then this is broken. Nothing should be output from the command.
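
The test plan above sends a request with `Host: attacker.com` to the loopback torrent server and expects no response. A Host-header allowlist is one way a loopback HTTP server can behave like that; the following is an added example, not code from WebTorrent, Brave or this thread, and the names `parseHostHeader`, `isAllowedHost` and `rebindingGuard` are hypothetical.

```javascript
// Added example: Host-header allowlist for a loopback-only HTTP server.
// All names here are hypothetical; this is not WebTorrent's or Brave's code.

// Hostnames a browser legitimately uses to reach a loopback listener.
const LOOPBACK_NAMES = new Set(['localhost', '127.0.0.1', '[::1]']);

// Split "host[:port]" into parts, handling bracketed IPv6 literals.
// Returns null for a missing or malformed value.
function parseHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  const m = /^(\[[0-9a-f:.]+\]|[^:\[\]\s]+)(?::(\d{1,5}))?$/i.exec(value);
  if (!m) return null;
  return {
    name: m[1].toLowerCase(),
    port: m[2] === undefined ? 80 : Number(m[2]) // no port means default 80
  };
}

// True only when Host names loopback and the port the server listens on.
// A page loaded from a rebound domain still sends that domain in Host,
// so its requests fail this check even though they reach 127.0.0.1.
function isAllowedHost(value, listenPort) {
  const host = parseHostHeader(value);
  if (!host) return false;
  return LOOPBACK_NAMES.has(host.name) && host.port === listenPort;
}

// Wrap a (req, res) handler. On a disallowed Host the socket is dropped
// without writing a status line or body, so the client sees no output.
function rebindingGuard(listenPort, handler) {
  return function guarded(req, res) {
    if (!isAllowedHost(req.headers.host, listenPort)) {
      req.socket.destroy();
      return false;
    }
    handler(req, res);
    return true;
  };
}

// Usage with Node's http module (port value is the one from the test plan):
//   http.createServer(rebindingGuard(58630, serveFile)).listen(58630, '127.0.0.1')
```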

@diracdeltas

hackerone issue: https://hackerone.com/reports/663729


kjozwiak commented Sep 18, 2019

Verification PASSED on macOS 10.14.6 x64 using the following build:

Brave 0.69.126 Chromium: 77.0.3865.65 (Official Build) (64-bit)
Revision 87a331a3169cab563505fb44011058b904011ba1-refs/branch-heads/3865@{#726}
OS macOS Version 10.14.6 (Build 18G95)

Verification passed on

Brave 0.69.127 Chromium: 77.0.3865.75 (Official Build) (64-bit)
Revision 201e747d032611c5f2785cae06e894cf85be7f8a-refs/branch-heads/3865@{#776}
OS Ubuntu 18.04 LTS

Verification passed on

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS Windows 10 OS Version 1803 (Build 17134.1006)


GeetaSarvadnya commented Sep 24, 2019

@feross @yrliou What is the command for Windows? I used the command below on Windows and got a "command not found" message.


yrliou commented Sep 26, 2019

Talked to @GeetaSarvadnya through DM about testing on Windows; noting it here for future reference.
On Windows, we could install nmap from https://nmap.org/ncat/, which includes ncat.
When testing, change to the installation folder, such as c\Program Files (x86)\Nmap, and run
`cat <(echo -en 'GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n') - | ./ncat.exe localhost 49976` (replace the port with the result of the previous step).
This command was tested using MINGW64; it might need a little tweaking if you are using other tools.
