[RESOLVED] Redirect triggers LOCAL rule

Discussions about the Application Boundaries Enforcer (ABE) module


Postby siu » Fri May 11, 2012 8:09 am

When accessing http://bottlepy.org I get this error message from the ABE:

Code:
Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny


I've tried on two different computers, one running ubuntu / FF 12.0 / NoScript 2.4 and I can't reproduce it, on the contrary on another pc running archlinux / FF 12.0 / NoScript 2.4 I'm having this issue. I've tried with a freshly created FF profile and it is still happening.

I've noticed that bottlepy.org is returning a redirect in the headers but there is no content on the page and I guess this makes Firefox render chrome://browser/content/browser.xul.

Do you think it is a problem in my system, a bug in FF/NoScript or something I should report to bottlepy.org?
Last edited by siu on Fri May 18, 2012 9:54 am, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
siu
 
Posts: 6
Joined: Fri May 11, 2012 7:46 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby Tom T. » Fri May 11, 2012 8:36 am

siu wrote:When accessing http://bottlepy.org I get this error message from the ABE:

Code:
Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny

Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.

Have you added any ABE rules beyond the default SYSTEM rule?
siu wrote:I've tried on two different computers, one running ubuntu / FF 12.0 / NoScript 2.4 and I can't reproduce it, on the contrary on another pc running archlinux / FF 12.0 / NoScript 2.4 I'm having this issue.

Wouldn't that point to an issue in archlinux? -- as you don't get it in Ubuntu, and I don't get it in Windows?
siu wrote:I've tried with a freshly created FF profile and it is still happening.

Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.
siu wrote:.... something I should report to bottlepy.org?

Not at this time. So far, it's pointing to something in that Linux distro, or as mentioned, an extension conflict in that particular profile.

If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby siu » Fri May 11, 2012 9:44 am

Thanks for your answer, let's try to find where the error is.

Tom T. wrote:Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.


Notice that I don't even get to that point, I only see an empty page with the ABE warning on the top.

Tom T. wrote:Have you added any ABE rules beyond the default SYSTEM rule?


No, I've never touched the ABE rules.

Tom T. wrote:
siu wrote:I've tried with a freshly created FF profile and it is still happening.

Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.


This is exactly what I've done, I created a new profile and installed NoScript 2.4.1 from mozilla addons.

Tom T. wrote:If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.


I've been able to reproduce it on two other systems:

- CentOS, FF 12.0 downloaded from the official website
- Red Hat EL, using FF 10.0 distributed with the system

Once again I tested with new profiles where I've only installed NoScript 2.4.1.

It also happens when I search for that URL in google and I follow the link but in this case the warning instead of chrome://... shows what looks like the referrer URL.
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
siu
 
Posts: 6
Joined: Fri May 11, 2012 7:46 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby siu » Fri May 11, 2012 5:37 pm

I've spent a few hours debugging and I could finally find out why the LOCAL rule was being applied.
I think the issue is in the parsing of IPv6 addresses in DNS.js. IPv6 is enabled in my pc and that makes the function DNSRecord.isLocal() iterate over all the possible addresses, i.e. the IPv4 and the IPv6 address. That's ok. But then the DNS.isLocalIP(addr) fails to detect the IPv6 address as IPv6 because in this specific case it starts with "fe80:" but it is searching only for "2002:". I think that the regexp on the top of that function can be applied to IPv6 as well, but it seems that it doesn't work in this case.

I could fix it by replacing the comparison
Code:
addr.indexOf("2002:") === 0
by
Code:
addr.indexOf(":") != -1
, as in:

Code:
  _localIPRx: /^(?:(?:0|127|10|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168)\..*\.[^0]\d*$|(?:(?:255\.){3}255|::1?)$|f(?:[cd]|e(?:[c-f]|80:))[0-9a-f]*:)/i,
  isLocalIP: function(addr) {

    // see https://bug354493.bugzilla.mozilla.org/attachment.cgi?id=329492 for a more verbose but incomplete (missing IPV6 ULA) implementation
    // Relevant RFCs linked at http://en.wikipedia.org/wiki/Private_network
    return (addr.indexOf(":") != -1
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) ||
      this.localExtras && this.localExtras.testIP(addr) ||
      WAN.ipMatcher && WAN.ipMatcher.testIP(addr);
  },


It is probably not the best way to fix it but at least it removes this false positive.

Is there a bug tracker where I can post and discuss this?
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
siu
 
Posts: 6
Joined: Fri May 11, 2012 7:46 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby dhouwn » Fri May 11, 2012 5:47 pm

Very nice analysis!
siu wrote:Is there a bug tracker where I can post and discuss this?
Sadly, no. This here is basically the bug tracker.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
dhouwn
Bug Buster
 
Posts: 940
Joined: Thu Mar 19, 2009 12:51 pm

Re: redirect and chrome://browser/content/browser/browser.xu

Postby Giorgio Maone » Fri May 11, 2012 8:50 pm

Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:
Code:
return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        )

where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.

Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.

Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?
Code:
top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource()))
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
 
Posts: 7328
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: redirect and chrome://browser/content/browser/browser.xu

Postby Tom T. » Sat May 12, 2012 1:18 am

Giorgio Maone wrote:... Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?
Code:
top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource()))

I get
Code:
Error: missing ; before statement
Source File: javascript:%20Timestamp:%2(local date/time)%20PM%20Error:%20attempt%20to%20run%20compile-and-go%20script%20on%20a%20cleared%20scope%20Source%20File:%20chrome://noscript/content/DNS.js%20Line:%20238
Line: 1, Column: 22
Source Code:
Timestamp: (local date/time) PM Error: attempt to run compile-and-go script on a cleared scope Source File: chrome://noscript/content/DNS.js Line: 238

So far, the problem has occurred only on *nix systems, and not on my 32-bit Win, or (apparently) your 64-bit Win with full IPV6 support (I don't have that on this older machine.)
If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby Giorgio Maone » Sat May 12, 2012 6:43 am

Tom T. wrote:If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce?

Because of a difference in ours and his DNS configuration, for instance.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
 
Posts: 7328
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: redirect and chrome://browser/content/browser/browser.xu

Postby siu » Sat May 12, 2012 8:52 am

Giorgio Maone wrote:Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:
Code:
return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        )

where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.



Ok, I wasn't sure about this part.

Giorgio Maone wrote:Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.


Yes, it is indeed failing when checking the destinationIP.

Giorgio Maone wrote:Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?
Code:
top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource()))


I will perform this test at work on Monday where I see this issue. So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
siu
 
Posts: 6
Joined: Fri May 11, 2012 7:46 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby Tom T. » Sat May 12, 2012 10:01 am

siu wrote:. So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).

It seems to be a strange combination of hosting in the US, with DNS servers in Germany.

IP address: 173.214.207.14
Host name: bottlepy.org

173.214.207.14 is from United States(US) in region North America

TraceRoute to 173.214.207.14 [bottlepy.org]
<snip>
11 25 25 25 173.214.207.14 unknown.carohosting.net


Retrieving DNS records for bottlepy.org...

DNS servers
ns2.hans.hosteurope.de [80.237.128.10]
ns1.hans.hosteurope.de

Answer records
bottlepy.org NS ns1.hans.hosteurope.de 259200s
bottlepy.org NS ns2.hans.hosteurope.de 259200s

bottlepy.org SOA server: ns1.hans.hosteurope.de 86400s


Results returned from whois.arin.net:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.2 ... xt=netref2
#

Carolina Internet, Ltd. CARO-NET-ARIN-7 (NET-173-214-192-0-1) 173.214.192.0 - 173.214.207.255
CaroNet Managed Hosting, Inc. CI-173-214-204-0-22 (NET-173-214-204-0-1) 173.214.204.0 - 173.214.207.255

OrgName: CaroNet Managed Hosting, Inc.
OrgId: CIL-56
Address: 900 Center Park Dr
Address: Suite A
City: Charlotte
State: NC (North Carolina -- you know, the State where John Edwards used to be a Senator. :D )
PostalCode: 28217
Country: US


I don't see why visiting it from a public organization in France would cause it to point to your LAN, unless your LAN includes those French and Spanish sites.
See PM for a bit more.

I could be mistaken, but I think Giorgio was suggesting that it was something in the DNS configuration: on the machines configured one way, it doesn't happen, but on those configured another way, it does. Try experimenting with a different DNS server? (OpenDNS, etc.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: redirect and chrome://browser/content/browser/browser.xu

Postby siu » Fri May 18, 2012 9:51 am

I would say this issue is solved, we've been discussing in private and this is what we've found:

The output of this command:
Code:
top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) { alert(r.toSource())} )

is:
Code:
({ts:1337158919407, entries:["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"], expireTime:1337158979407})


Of those, the first IP address is a valid IPv4 address but the second is an IPv6 link-local address (as of the standard: http://en.wikipedia.org/wiki/Private_network#IPv6). Indeed the AAAA DNS record for that domain looks like this:

Code:
; <<>> DiG 9.3.2 <<>> @8.8.8.8 bottlepy.org AAAA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48086
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bottlepy.org.         IN   AAAA

;; ANSWER SECTION:
bottlepy.org.      82690   IN   AAAA   fe80::226:b9ff:fe53:ebd3

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 18 11:15:11 2012
;; MSG SIZE  rcvd: 58


Which should not be used on the internet and is triggering the LOCAL rule of the ABE.

Related topic: viewtopic.php?f=23&t=8729

Thanks a lot to Giorgio Maone and Tom T. for the support.
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
siu
 
Posts: 6
Joined: Fri May 11, 2012 7:46 am
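
An added example, not part of the original posts and not NoScript's own code: a simplified JavaScript model of the check this thread converges on, using the local-address regular expression quoted above (written with the `{3}` repeat count on the 255.255.255.255 alternative) and the resolver output siu posted. The `ip6to4()` helper, the function names, and the "every address for the origin, any address for the destination" policy are assumptions made for the illustration.

```javascript
// Illustration only: a simplified model, not the extension's source.
const LOCAL_IP_RX = /^(?:(?:0|127|10|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168)\..*\.[^0]\d*$|(?:(?:255\.){3}255|::1?)$|f(?:[cd]|e(?:[c-f]|80:))[0-9a-f]*:)/i;

// Hypothetical stand-in for ip6to4(): a 6to4 address (2002:AABB:CCDD::/48)
// carries the IPv4 address AA.BB.CC.DD in its second and third groups.
function ip6to4(addr) {
  const parts = addr.split(":");
  const hi = parts[1] === "" ? 0 : parseInt(parts[1], 16);
  const lo = parts[1] === "" || parts[2] === "" ? 0 : parseInt(parts[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
}

// Same shape as the code quoted in the thread: only "2002:" addresses take
// the conversion path; everything else, IPv6 included, goes to the regex.
function isLocalIP(addr) {
  return addr.indexOf("2002:") === 0
    ? isLocalIP(ip6to4(addr))
    : LOCAL_IP_RX.test(addr);
}

// Assumed policy: a destination is local if ANY resolved address is local,
// an origin counts as local only if EVERY resolved address is local.
// That reproduces the Deny seen for a same-host redirect on bottlepy.org.
function localVerdict(originEntries, destEntries) {
  const originLocal = originEntries.length > 0 && originEntries.every(isLocalIP);
  const destLocal = destEntries.some(isLocalIP);
  return !originLocal && destLocal ? "Deny" : "Accept";
}

// DNS hygiene check for a zone owner: addresses that should never be
// published in a public A/AAAA record set.
function nonRoutableEntries(entries) {
  return entries.filter(isLocalIP);
}

// Resolver output as posted in the thread.
const asPublished = ["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"];
// Constructed: the same record set with the link-local AAAA removed.
const corrected = ["173.214.207.14"];

console.log(localVerdict(asPublished, asPublished)); // redirect within the site
console.log(nonRoutableEntries(asPublished));        // the record to fix
console.log(localVerdict(corrected, corrected));
```
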

Re: [RESOLVED] Redirect triggers LOCAL rule

Postby Giorgio Maone » Fri May 18, 2012 8:49 pm

Mystery solved, indeed:
bottlepy wrote:@ma1 @dakami The http://bottlepy.org fe80:/10 AAAA thing was just stupidity on my part :)

Giorgio Maone wrote:@bottlepy @dakami @davidsinuela 10x for solving this mystery. http://wm161.net same issue? Should ABE automail DNS tech contacts?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Giorgio Maone
Site Admin
 
Posts: 7328
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [RESOLVED] Redirect triggers LOCAL rule

Postby GµårÐïåñ » Fri May 18, 2012 9:17 pm

How is this resolved exactly? Just wondering because the case I wrote Giorgio in private about was forums.informaction.com triggering LOCAL and it still does it, mostly on redirects but sometimes on just Ctrl+Click of a link to open in a new tab, sometimes just straight up click, so I am not sure what's going on but I think we are glossing over this way too quickly. Just saying. I tried to resolve this in private with Giorgio LONG before a bunch of posts about this and that showed up on the site but no resolution and now that it's gone public, I would personally like to know the why, not just, oh I assume this is the problem. I mean for 15 years my DNS has been fine, suddenly my DHCP/DNS is f-ed up? Seriously? Not buying that.

EDIT: Apparently while I was posting this Giorgio was posting his reply, so my reply was pre Giorgio reply you see below/above depending on how you have your posts sorted.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
GµårÐïåñ
Lieutenant Colonel
 
Posts: 2923
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: [RESOLVED] Redirect triggers LOCAL rule

Postby Tom T. » Fri May 18, 2012 11:55 pm

@ GµårÐïåñ:

I've never had that issue, so whatever it is, it appears to be unrelated to this thread. But as was done here, check your DNS configuration, try other DNSs, etc., and if there is a discrepancy, then you can get it fixed as was done here.


@siu:

You're quite welcome, and some good came out of it: DNS "stupidity" corrected. Isn't it good that Giorgio has enough pull to get through where most of us couldn't? ;)


@ Giorgio:
Giorgio Maone wrote:Should ABE automail DNS tech contacts?

Apparently. :D

I'm glad that it wasn't the things I suggested in PM - DNS hack, cache poisoning, ARP poisoning, etc. ... but OTOH, if it were, would the DNS Admin or bottlepy Admin admit it? Can't imagine deliberately or even accidentally registering a local link address with a DNS. Just wondering ...

Thanks for your help in seeing this through to full resolution.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

