CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks

OpenOCD can be targeted by a Cross Protocol Scripting attack from
a web browser running malicious code, such as the following PoC:

var x = new XMLHttpRequest();
x.open("POST", "http://127.0.0.1:4444", true);
x.send("exec xcalc\r\n");

This mitigation should provide some protection from browser-based
attacks and is based on the corresponding fix in Redis:

https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758

Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
Signed-off-by: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Reported-by: Josef Gajdusek <atx@atx.name>
Reviewed-on: http://openocd.zylin.com/4335
Tested-by: jenkins
Reviewed-by: Jonathan McDowell <noodles-openocd@earth.li>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>

diff --git a/src/server/startup.tcl b/src/server/startup.tcl
index 64ace40795e35a26033a8f6f69027f495a9e5cfc..dd1b31e417dd15942a3906dbf3b25a5734aa062e 100644 (file)
--- a/src/server/startup.tcl
+++ b/src/server/startup.tcl
@@ -8,3 +8,14 @@ proc ocd_gdb_restart {target_id} {
        # one target
        reset halt
 }
+
+proc prevent_cps {} {
+       echo "Possible SECURITY ATTACK detected."
+       echo "It looks like somebody is sending POST or Host: commands to OpenOCD."
+       echo "This is likely due to an attacker attempting to use Cross Protocol Scripting"
+       echo "to compromise your OpenOCD instance. Connection aborted."
+       exit
+}
+
+proc POST {args} { prevent_cps }
+proc Host: {args} { prevent_cps }