Re: Trusting localhost?

> If you are creating an application that communicates using TCP, but
> only want to take requests from the localhost, are there reasons why
> you would not want to check that the incoming request is from
> localhost and then trust it? This is in a Windows environment.

Hello there Craig.

I guess it's all about "where" you are binding your socket. If you do it on your "loopback" interface (in Windows I guess it's just called the "127.0.0.1" interface), then the socket will be unavailable to any packet arriving trough your network card(s).

If you bind your socket to 0.0.0.0 (that is, INADDR_ANY), the kernel will bind it to all interfaces available. See it:

purgatory:/usr/include# find . -type f -print | xargs grep INADDR_ANY

./netinet/in.h:#define  INADDR_ANY              ((in_addr_t) 0x00000000)
./linux/in.h:#define    INADDR_ANY              ((unsigned long int) 0x00000000)

(INADDR_ANY is the same that 0.0.0.0, typecasted).

For mor information on this, I recommend reading of Beej's Network programming guide and a great book named Unix Network Programming.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> Would IP spoofing work if the application was checking for the IP
> address 127.0.0.1? If so, how likely is it that IP spoofing would
> work today, in a corporate environment?

You can always set access lists on switchs and routers to avoid traffic of packets from and to "local" (127.0.0.0/8) addresses over the network.

Altought binding the socket to your loopback interface should not expose your socket to network interfaces, I have seen several OSs with some ARP handling problems, over witch an attack can be crafted to access sockets binded on other interfaces.

> Thank you for any direction you can provide.

Best of luck,
Felipe

-- 
Felipe Franciosi