by delinka 4884 days ago
"Any page on the Internet which serves Javascript can, currently, root your Macbook if it is running an out-of-date Rails on it."

Why are you running Rails as the root user? This is a bad idea.

EDIT: I'm not really into client-side JavaScript these days, but when did browsers start allowing JavaScript to connect to anything except the server from which it came? That would be yet another Bad Idea.


You have bad assumptions. It is all about leveraging access to higher and higher levels.

1. You load the evil JavaScript.

2. That JavaScript adds an image with a URL pointing at localhost:3000.

3. When you load that URL, it causes code execution, causing your computer to open a connection somewhere and start taking instructions.

4. The instructions that arrive include downloading and installing software that takes advantage of known local root vulnerabilities in OS X.

5. Congratulations! Someone rooted your machine!

Nothing in this path required Rails to be run as root, or JavaScript to directly connect anywhere.

You're right. I wasn't seeing all the angles here. But to say this is limited to Macs seems disingenuous.
It is a tongue-in-cheek reference to widespread perceptions about Rails developers' hardware of choice.
He didn't say it was limited to Macs. He gave it as a random example of what could happen.
I'm pretty sure OP specifically said "Macbook" in the article. But see patio11's comment beside yours.
Getting from local user access to root access on an interactively-used Mac is almost trivial. Inject something into the user's bashrc/zshrc that watches their commands and waits for them to successfully use sudo. Then run sudo again immediately and do arbitrary things as root.

There are several tricks that can be used by JavaScript to connect to non-origin servers, in limited ways.

To create a GET, inject an <img>, <script>, <iframe>, or <style> tag. (Or several others.)

To create a POST, inject a <form> tag and call form.submit().
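As an added illustration of the defensive side of the tricks listed above (example code written for this page, not from the thread and not Rails' own CSRF machinery): a small Ruby request filter that a developer-facing server on localhost could run before handling a request. It refuses requests the browser has marked as cross-site via Sec-Fetch-Site, requests whose Origin or Referer names a different site (which covers the injected <img> and form.submit() cases), and requests whose Host header is not the expected localhost address. The header names, the allowed-origin list and the sample requests are assumptions constructed for the example.

```ruby
# Added example, not code from the thread. Plain header names are used
# here for readability; a Rack app would read them as HTTP_ORIGIN etc.
require 'uri'

# Assumption: the dev server is only ever addressed as one of these.
ALLOWED_ORIGINS = ['http://localhost:3000', 'http://127.0.0.1:3000'].freeze
ALLOWED_HOSTS   = ['localhost:3000', '127.0.0.1:3000'].freeze

# Reduce a URL to its origin (scheme://host[:port]), dropping default ports.
# Returns nil when the value is not a parsable absolute URL.
def origin_of(url)
  u = URI.parse(url)
  return nil unless u.scheme && u.host
  default = (u.scheme == 'https') ? 443 : 80
  u.port == default ? "#{u.scheme}://#{u.host}" : "#{u.scheme}://#{u.host}:#{u.port}"
rescue URI::InvalidURIError
  nil
end

# headers: Hash of request headers. Returns [:allow | :deny, reason].
def cross_site_check(headers)
  # 1. Host must be the address we serve on (rejects DNS-rebinding style hosts).
  host = headers['Host']
  return [:deny, "unexpected Host #{host.inspect}"] unless ALLOWED_HOSTS.include?(host)

  # 2. Modern browsers say outright when a request was initiated by another site.
  return [:deny, 'browser marked request cross-site'] if headers['Sec-Fetch-Site'] == 'cross-site'

  # 3. Older browsers: fall back to Origin (POSTs) or Referer (plain <img> GETs).
  source = headers['Origin'] || headers['Referer']
  if source
    o = origin_of(source)
    return [:deny, "source origin #{o.inspect} not allowed"] unless ALLOWED_ORIGINS.include?(o)
  end

  [:allow, 'same-site or no source header']
end

# Constructed sample requests (not captured traffic), one per scenario.
SAMPLES = {
  typed_in_address_bar: { 'Host' => 'localhost:3000', 'Sec-Fetch-Site' => 'none' },
  same_origin_fetch:    { 'Host' => 'localhost:3000', 'Sec-Fetch-Site' => 'same-origin',
                          'Origin' => 'http://localhost:3000' },
  img_from_other_site:  { 'Host' => 'localhost:3000', 'Sec-Fetch-Site' => 'cross-site',
                          'Referer' => 'http://evil.example/page.html' },
  old_browser_img:      { 'Host' => 'localhost:3000',
                          'Referer' => 'http://evil.example/page.html' },
  form_post_from_other: { 'Host' => 'localhost:3000', 'Sec-Fetch-Site' => 'cross-site',
                          'Origin' => 'http://evil.example' },
  dns_rebinding:        { 'Host' => 'attacker-controlled.example:3000',
                          'Sec-Fetch-Site' => 'same-origin',
                          'Origin' => 'http://attacker-controlled.example:3000' }
}.freeze

# Verdict per sample, keyed by scenario name.
def classify_samples
  SAMPLES.transform_values { |h| cross_site_check(h).first }
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The Referer fallback matters for the exact case described in the thread: a cross-site <img> GET from a browser without Fetch Metadata support carries no Origin header, but normally does carry a Referer naming the embedding page. In a real Rails app this sits alongside protect_from_forgery for POSTs and the framework's own Host authorization rather than replacing them.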

Local privilege escalation is much easier than remote code execution. Once someone has the ability to execute code as a restricted user, there is generally at least one easily exploitable bug to get root. This is because people don't take local privilege escalation as seriously as remote code execution, and tend not to fix or patch them as quickly.