
Why is this not an RCE?



I suggest you re-read the article carefully. The author shows that a website can be created that will make the asus software download and execute an attacker controlled app from a server the attacker controls.

He changed the origin, which means any website can communicate with 127.0.0.1:53000.

Did you not see the PoC video?

Seems I was wrong. I am utterly surprised at the lack of security in modern browsers. Yes, that backend is misconfigured, but why this request is even allowed to take place in the first place is utterly mindblowing to me.

What would you suggest the browser did? All it does is send the correct origin - as it would be - downloads.asus.badsite(.)com

Where did the browser go wrong, here? They followed all security practices. The browser isn't what is running the payload.

Unless you're suggesting that nobody should be able to download programs unless blessed by some large company?


The browser is allowing remote code to talk with 127.0.0.1

Right... And that's only blocked if the host asks for it via CORS, or Same-Origin policies. Because otherwise you break any combination of apps. It's up to the server on the localhost not to blindly trust. And has been since the beginning.

Might have been there since the beginning, but doesn't make it less surprising or bad. That's a _ridiculously_ bad thing to allow. Any website to talk with just about ANY port on your local machine. Incredible.

Because the browser tells the backend exactly where the request came from, and the backend agrees to allow requests from there.


