tptacek 3 days ago

I'm directionally with Micah Lee on this in that I think all of these kinds of applications are activism theater, and I would hate for anything I say to sound like I'm getting the "ICEBlock" guy's back --- I'm sure it's bad and you shouldn't use it (though: Micah Lee's previous takedown of ICEBlock more or less comes down to "anybody can claim they saw ICE anywhere and also they don't have warrant canaries", which is... not interesting).

But I'm struck that Lee reported CVE-2024-38476 to the author, with a simple link to the NVD site, based on a banner grab.

For those unfamiliar, 2024-38476 is part of a batch of vulnerabilities Orange Tsai announced at Black Hat that year. You can (and very much should) read more about them here:

https://blog.orange.tw/posts/2024-08-confusion-attacks-en/ [†]

This is extremely good (and elegant) vulnerability research. It's also very situational. Lee reports that 38476 "could take over your server". Could it? Did Lee check? 38476 is a second-order vulnerability that pivots CRLF injection in another vulnerable application to an Apache handler override (just read it, it's fucking awesome). If you've got `mod_proxy` enabled, you've got a decent shot at SSRF with it --- SSRF is game-over on a corporate network, but situational when the target is a hobby server. Otherwise, the most likely outcome of it is being able to dump source code (by rewiring the request handling of something from, say, PHP back to HTML). The RCEs on these vulnerabilities are things like "if you were running Redmine, which installs into /usr/share on Ubuntu, you can pull the Rails signing key". Is... that happening here?

Or is this report basically "I did a banner grab, then Googled that version, then made a whole big thing about it to embarrass the author of ICEBlock"?

Which I mean if that's the goal, mazel tov, I don't like these things either, but let's just be clear on what's actually happening here. If not: it would be super interesting to hear a real-world exploitation scenario of Orange Tsai's rewrite bugs against ICEBlock, and Lee should keep on writing.

[†] I wrote about this at the time here: https://news.ycombinator.com/item?id=41199205
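The distinction the comment draws (a banner that matches an affected version range versus a deployment where the handler-override chain is actually reachable) can be written down as a triage checklist. The following is an added example, not code from the comment, from Apache, or from ICEBlock. Its assumptions are labelled: the affected range "2.4.59 and earlier, fixed in 2.4.60" is from the editor's reading of the httpd advisory and not stated in the comment; the preconditions it checks (a backend that lets attacker-controlled CRLF into response headers, and `mod_proxy` loaded for the SSRF outcome rather than source disclosure) are the ones the comment describes; the `Deployment` type and all banners are constructed sample input.

```python
"""Triage a banner-grab finding for CVE-2024-38476 (added example, not from the post).

The point: a Server banner establishes at most that a version is in the
affected range. Whether the handler-override chain is reachable depends on
facts the banner cannot tell you, so the verdict and the remaining checks
are reported separately.
"""
import re
from dataclasses import dataclass, field

# Assumption (editor's knowledge of the advisory, not from the comment):
# the fix shipped in httpd 2.4.60, so 2.4.59 and earlier are in range.
FIXED_IN = (2, 4, 60)


@dataclass
class Deployment:
    """Constructed description of one deployment; every field is sample input."""
    server_banner: str
    # Debian/Ubuntu-style packaging backports fixes without bumping the banner version.
    distro_backports: bool = False
    # A backend application that reflects attacker input into response headers
    # is the pivot the comment describes; without one there is nothing to chain.
    crlf_injectable_backend: bool = False
    # Per the comment: mod_proxy loaded makes SSRF plausible, otherwise the
    # likely outcome is source disclosure.
    mod_proxy_loaded: bool = False
    notes: list = field(default_factory=list)


def parse_apache_version(banner):
    """Return (major, minor, patch) from an Apache Server banner, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def triage(d):
    """Classify a deployment; 'next_checks' lists what a banner cannot answer."""
    ver = parse_apache_version(d.server_banner)
    report = {"version": ver, "version_in_range": None,
              "verdict": None, "next_checks": []}
    if ver is None:
        report["verdict"] = "unknown: banner carries no Apache version"
        return report
    report["version_in_range"] = ver < FIXED_IN
    if not report["version_in_range"]:
        report["verdict"] = "not affected by version"
        return report
    if d.distro_backports:
        report["next_checks"].append(
            "read the distro package changelog; the banner version does not reflect backported fixes")
    if not d.crlf_injectable_backend:
        report["verdict"] = "version in range, but no known CRLF-injectable backend to pivot from"
        report["next_checks"].append(
            "identify backend applications that reflect attacker input into response headers")
        return report
    if d.mod_proxy_loaded:
        report["verdict"] = "plausible SSRF via handler override (mod_proxy loaded)"
    else:
        report["verdict"] = "plausible source disclosure via handler override; SSRF unlikely without mod_proxy"
    return report


if __name__ == "__main__":
    # Constructed sample deployments: the first is what a bare banner grab gives you.
    samples = [
        Deployment("Apache/2.4.58 (Ubuntu)", distro_backports=True),
        Deployment("Apache/2.4.62 (Unix)"),
        Deployment("Apache/2.4.59 (Unix)", crlf_injectable_backend=True, mod_proxy_loaded=True),
        Deployment("nginx/1.25.0"),
    ]
    for s in samples:
        r = triage(s)
        print(f"{s.server_banner:28s} -> {r['verdict']}")
        for c in r["next_checks"]:
            print(f"{'':28s}    check: {c}")
```

The first sample is the bare banner grab the comment describes: it lands on "version in range" with two open checks and no exploitation claim, which is the most a banner alone supports.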