Hi everyone,

I noticed somewhat concerning behavior in the OpenOCD telnet interface.
Invalid commands are just dropped, which means that the interface is vulnerable
to cross protocol scripting.

Related reading: https://bouk.co/blog/hacking-developers/ (we don't need the 
DNS rebinding part)

Combined with the exec command, a malicious website could execute arbitrary
commands on the host running OpenOCD using something like:

var x = new XMLHttpRequest();
x.open("POST", "http://127.0.0.1:4444", true);
x.send("exec xcalc\r\n");

(full xcalc-popping demo on https://m.atx.name/openocd.html , but don't trust
my website not to install malware on your computer of course)

Observation: The PoC might take multiple attempts to get working. It seems that
we are racing with the browser killing the connection after figuring out that it
won't receive a valid HTTP response.

Suggested fix: 
https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758

Josef Gajdusek <a...@atx.name>

_______________________________________________
OpenOCD-devel mailing list
OpenOCD-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openocd-devel
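An added illustration of the failure mode and of the redis-style check the mail links to. This is example code written for this page, not OpenOCD's telnet server; the command vocabulary (KNOWN_COMMANDS), the constructed request bytes and the HTTP_MARKERS list are assumptions for the demo. It models the telnet server as a function over the raw byte stream: the vulnerable version skips every line it does not recognise, so the browser's request line and headers fall through and the POST body "exec xcalc" is executed; the hardened version mirrors the redis approach of treating an HTTP verb or "Host:" in command position as a cross-protocol attack and dropping the connection before anything else on it is processed.

```python
"""Telnet-style command handling: vulnerable line parser next to a
redis-style cross-protocol check.  Illustrative code, not OpenOCD's;
the command set and the wire samples below are constructed."""

from typing import List, Tuple

# Hypothetical command vocabulary of the line-oriented server.
KNOWN_COMMANDS = {"exec", "halt", "reset", "help"}

# Command words that can only come from an HTTP client hitting the port.
# This is the same idea as the redis check the mail refers to.
HTTP_MARKERS = {"post", "get", "put", "host:"}

# What the XMLHttpRequest POST to http://127.0.0.1:4444 looks like on the
# wire from the telnet server's point of view (constructed sample; real
# browser headers vary).  The attacker's command rides in the body.
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:4444\r\n"
    b"Content-Type: text/plain;charset=UTF-8\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"exec xcalc\r\n"
)

# A legitimate telnet session for comparison (constructed).
TELNET_SESSION = b"halt\r\nexec ls\r\n"


def split_lines(data: bytes) -> List[str]:
    """Split the raw stream into stripped command lines, dropping blanks."""
    return [ln.decode("latin-1").strip()
            for ln in data.split(b"\n") if ln.strip()]


def vulnerable_handler(data: bytes) -> Tuple[List[str], bool]:
    """Behaviour the mail describes: unrecognised lines are silently
    dropped, so HTTP request line and headers are skipped and the body
    is executed.  Returns (executed commands, connection still open)."""
    executed = []
    for line in split_lines(data):
        verb = line.split()[0]
        if verb in KNOWN_COMMANDS:
            executed.append(line)
        # else: ignored without closing the connection -- this is the bug
    return executed, True


def hardened_handler(data: bytes, strict: bool = False) -> Tuple[List[str], bool]:
    """Redis-style fix: an HTTP verb or header in command position means
    a browser is talking to us, so close the connection and process
    nothing further on it.  With strict=True any unknown command word
    closes the connection as well (fail closed)."""
    executed = []
    for line in split_lines(data):
        verb = line.split()[0]
        if verb.lower() in HTTP_MARKERS or (strict and verb not in KNOWN_COMMANDS):
            return executed, False  # drop the connection, ignore the rest
        if verb in KNOWN_COMMANDS:
            executed.append(line)
    return executed, True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(BROWSER_POST))
    print("hardened:  ", hardened_handler(BROWSER_POST))
    print("telnet:    ", hardened_handler(TELNET_SESSION))
```

The marker list only catches clients that behave like a browser (request line first, then a Host: header), which is what cross-protocol scripting relies on; the strict variant is the safer default for an interface that is only ever driven by a human or a script that knows the command set, since it also stops any future protocol that happens to start with a word not on the list.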
