Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OL-Server vulnerable to DNS Rebinding attacks. #92

Open
pwn1sher opened this issue Dec 16, 2019 · 4 comments
Open

OL-Server vulnerable to DNS Rebinding attacks. #92

pwn1sher opened this issue Dec 16, 2019 · 4 comments
Labels
enhancement help wanted

Comments

@pwn1sher
Copy link

pwn1sher commented Dec 16, 2019
edited

The Rest API spawned on port 5000 isn't validating the Host header , as such the server is vulnerable to DNS Rebinding attacks.

Impact :
By tricking users into visiting a website, it will be possible to perform all Rest Calls on behalf of user from the attackers website, bypassing the same origin policy using DNS rebind. Few actions that the attacker can perform are invoking/running functions, read stats etc. There is also a /debug API but currently not configured, attacker can also invoke debug and do stuff based on implementation of the debug functionality.
@tylerharter
Copy link
Member

I'm assuming this is just an issue if the worker isn't behind a load balancer? Directly exposing the worker might also be a use case (though I guess less common) -- feel free to implement the cross-origin check in a PR if you think it is important and you would like to do that (otherwise I can leave this open and eventually do it too).

@pwn1sher
Copy link
Author

Ideally something like this would be a fast patch, before going to proper regex checks or implementing auth.

if r.Host == "localhost:5000" || r.Host == "127.0.0.1:5000"

Its upto you if you want to implement this on other API's like pid, status, stats etc. But its definitely suggested to implement this on RunLambda as this handling the invoking of functions. Currently its possible for attacker to run functions on victim's OL setup without his knowledge.

@NicoleG25
Copy link

Is there any plan to address this vulnerability?
Note that it appears that CVE-2019-20329 was assigned to this issue.

@tylerharter
Copy link
Member

I'm happy to review a PR if somebody wants to implement it --otherwise I'll probably give this more careful consideration next summer when I have more cycles to work on OL.

I think of OL is analogous to AWS Lambda, which to the best of my knowledge doesn't directly implement what is being suggested. Any cross-site checks would be implemented by API Gateway, right? This should also be configured on a per-API basis (different tenants may have different preferences about what cross-site requests are allowed).

Currently, if somebody wanted to use OL for something in production, I think they would first need to implement something analogous to API Gateway as a layer in front of OL. I'm not opposed to rolling some API Gateway-like features into OL directly, to simplify this and get OL closer to being production-ready. I just haven't had time to pursue that yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tylerharter @kaimast @pwn1sher @NicoleG25