![]() Lastly, even though Jetbrains doesn’t have a bug bounty program that I’m aware of, and I definitely wasn’t expecting anything, Jetbrains quite generously awarded a bounty of $50,000 for my report and help reviewing the patch. They sent me a patchset against intellij-community and a binary build with their proposed solutions, and were receptive to my feedback when I mentioned potential issues. My email requesting a security contact was answered within an hour of my sending it, and the issue was resolved relatively quickly. ![]() I’d like to specifically thank Hadi Hariri and the rest of the JetBrains team for their proactive response to my report. Vendor response Interactions with the vendor The Host header’s value is now validated to prevent similar exploits via DNS rebinding.The problematic CORS policies were removed entirely.All requests to the local HTTP server now require an unguessable auth token to be included in the request, or the server will return a 4xx status code.JetBrains took several steps that I’m aware of to remediate this: No live PoC for the Windows or OS X RCEs ‘cause I don’t want to host public-facing SMB or NFS shares :).This likely applies to any *NIX-like with an autofs mountpoint that uses -hosts, but OS X is the only OS I could find where autofs is configured like this in the default install. You could just click a “view in browser” button inside WebStorm and it would navigate your browser to Any scripts or subresources that the page tried to include would similarly be served up via URLs like Fancy. What the heck is this HTTP server, though? Does it serve anything sensitive? Do we even care if random pages are able to read its contents? What’s that HTTP server?Īfter searching the web for references to that port number, we find that this is related to a WebStorm feature added in early 2013 (WebStorm is another of JetBrains’ IDEs.) The idea was that you wouldn’t need to set up your own web server to preview your pages in a browser. P圜harm’s HTTP server is essentially saying that web pages on any origin (including ) are allowed to make credentialed requests to it and read the response. Thinking that I must have some interesting services running on my own device, I ran lsof -P -ITCP | grep LISTEN to see what programs were listening on a local TCP port. I had just started working on some inter-protocol exploitation research and was looking for some interesting targets. Obviously you’ll want to do this in a VM. To follow along with this you’ll need a copy of P圜harm 5.0.4, or an old build of P圜harm 2016.1 since this has been patched for a while now. The arbitrary code execution vuln affecting Windows and OS X was in all IDE releases since at least July 13, 2015, but was probably exploitable earlier via other means.Īll of the issues found were fixed in the patch released May 11th 2016. It’s my belief that all JetBrains IDEs with always-on servers since then are vulnerable to variants of these attacks. I’ve tracked the core of most of these issues (CORS allowing all origins + always-on webserver) back to the addition of the webserver to WebStorm in 2013. The only prerequisite for the attack was to have the victim visit an attacker-controlled webpage while the IDE was open.Īffected IDEs included P圜harm, Android Studio, WebStorm, IntelliJ IDEA and several others. From at least 2013 until May 2016 JetBrains’ IDEs were vulnerable to local file leakage, with the Windows (EDIT: and OS X) versions additionally being vulnerable to remote code execution.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |