
One Weird Kernel Trick: Hijacking IPython Websockets


Lightning talk at #SciPy2014. Vulnerability disclosure of cross domain websocket hijacking in the IPython notebook. https://twitter.com/rgbkrk/status/487369535456935936

See also: http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython

Kyle Kelley

July 10, 2014

Transcript

  1. One Weird Kernel Trick
    Hijacking IPython Websockets

  2. The IPython Notebook
    • Runs code on your (laptop | server | cluster | pi)
    • From your browser…
    • JavaScript -> Notebook Server -> Kernel
    • Kernel.execute

  3. Kernels and websockets

  4. [Diagram: Kernel, Notebook Server (http://127.0.0.1:8888), Kernel]

  5. Hijacking Websockets

  6. [Diagram: Kernel, Notebook Server (http://127.0.0.1:8888), Kernel; MALICIOUS Server (kerneltricks.com), NEW TAB!!!]

  7. ws://127.0.0.1:8888/kernels

  8. [Diagram: Kernel, Notebook Server (http://127.0.0.1:8888), Kernel; MALICIOUS Server (kerneltricks.com)]

  9. !

  10. Mitigations
    • Kernel ID is a UUID, randomly generated
    • Using an authenticated notebook server protects you from this issue
    • Fixed in IPython 1.2+, 2.x series

  11. Let’s talk security
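
The hijack in slides 6 to 8 relies on a page from another origin opening a websocket to the notebook server at 127.0.0.1:8888. The general server-side defence against cross-origin websocket hijacking is to validate the `Origin` header during the handshake. The sketch below is an added example, not code from the talk or from IPython; the function names, the lower-cased header dict and the parameters are assumptions, and the sample handshakes are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _endpoint(url):
    """Return (scheme, host, port) for a URL, or None if it is not http(s)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also rejects the opaque "null" origin
    return parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme]


def origin_allowed(headers, tls=False, trusted=(), allow_no_origin=False):
    """Decide whether a websocket upgrade request may proceed.

    headers: request headers with lower-cased names (assumed shape).
    tls: True when the notebook server itself is served over HTTPS.
    trusted: extra origins allowed to connect, e.g. a proxy front end.
    """
    origin = headers.get("origin")
    if origin is None:
        # Non-browser clients omit Origin; browsers send it on every handshake.
        return allow_no_origin
    scheme = "https" if tls else "http"
    own = _endpoint(f"{scheme}://{headers.get('host', '')}")
    seen = _endpoint(origin)
    if seen is None or own is None:
        return False
    return seen == own or seen in {_endpoint(t) for t in trusted}


# Constructed handshakes modelled on the two tabs in the slides.
SAME_TAB = {"host": "127.0.0.1:8888", "origin": "http://127.0.0.1:8888"}
OTHER_TAB = {"host": "127.0.0.1:8888", "origin": "http://kerneltricks.com"}

if __name__ == "__main__":
    for name, hdrs in (("notebook tab", SAME_TAB), ("other tab", OTHER_TAB)):
        print(name, "->", "accept" if origin_allowed(hdrs) else "reject 403")
```

The comparison covers scheme, host and port together, so a page served from the same host on a different port or scheme is rejected as well.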
