can localhost be spoofed?


Solution 1

No.

It is possible to send data as a fake 127.0.0.1, but the reply will go "out" through (actually, stay inside) the loopback interface and be 'lost'.

If there is a router on the way, it will send the packet through its own loopback interface, and it will be lost there.

Solution 2

Yes. Surprisingly, it is possible to spoof a loopback source address. Obviously you won't get any replies, so your spoofed packet also needs to include an exploit. Also it will be stopped at a router, so you need to be on the same local network as the victim. The remote hole CVE-2014-9295 was exploitable in this way.

It turns out OS X and the Linux Kernel behave similarly in this case. Any IP packet arriving on an external interface and with the source IP 127.0.0.1 will be dropped immediately. But if we use IPv6 instead we can actually spoof ::1 and send control mode packets to the daemon (some Linux distributions have firewall rules in place that protect against this, e.g. Red Hat). Thus, if we are on the same local network, we can send spoofed packets to the link-local address of the target and bypass the IP restrictions.

http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html
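To make the distinction in this answer concrete, here is an added example (not from the answer or the Project Zero post) modelling the ingress check a host should apply: a loopback source is only legitimate on `lo`, whether spelled as 127.0.0.0/8, ::1, or, going one step beyond the text, the IPv4-mapped form ::ffff:127.x.x.x. The function names and the sample of (interface, source) pairs are constructed for illustration.

```python
import ipaddress

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def is_loopback_source(src: str) -> bool:
    """True if src is a loopback address in any spelling:
    127.0.0.0/8, ::1, or the IPv4-mapped form ::ffff:127.x.x.x."""
    addr = ipaddress.ip_address(src)
    if addr.version == 4:
        return addr in LOOPBACK_V4
    mapped = addr.ipv4_mapped  # ::ffff:127.0.0.1 -> IPv4Address('127.0.0.1')
    if mapped is not None:
        return mapped in LOOPBACK_V4
    return addr == LOOPBACK_V6


def verdict(iface: str, src: str) -> str:
    """'drop' for a loopback source that did not arrive on lo, else 'accept'.
    This mirrors what the answer says the kernel does for IPv4 and what a
    firewall rule must add for IPv6."""
    if iface != "lo" and is_loopback_source(src):
        return "drop"
    return "accept"


# Constructed sample of (ingress interface, source address) pairs
SAMPLE = [
    ("lo", "127.0.0.1"),            # genuine local traffic
    ("eth0", "127.0.0.1"),          # IPv4 spoof: dropped by the kernel
    ("eth0", "::1"),                # IPv6 spoof: the case the answer describes
    ("eth0", "::ffff:127.0.0.1"),   # IPv4-mapped spoof: easy to overlook
    ("eth0", "fe80::1"),            # ordinary link-local neighbour
    ("eth0", "203.0.113.5"),        # ordinary remote host
]


def audit(sample=SAMPLE):
    """Return (iface, src, verdict) for every pair in the sample."""
    return [(iface, src, verdict(iface, src)) for iface, src in sample]


if __name__ == "__main__":
    for iface, src, v in audit():
        print(f"{iface:5} {src:20} {v}")
```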

Solution 3

Loopback data usually never makes it to the network. It is intercepted and, well, looped back, before that happens. Since it never hits the actual network nothing on the network can intercept it.

Solution 4

No. The loopback is hardcoded in /etc/hosts - this is the first place the resolver will look for the loopback-to-IP translation. Unless you are able to edit /etc/hosts, you cannot do it.

If you can edit /etc/hosts then you are an administrator, so you can do anything...


Author: bee.catt

Updated on September 18, 2022

Comments

  • bee.catt
    bee.catt almost 2 years

    Is it possible for a remote machine to access another machine's localhost data by spoofing the loopback ip?

    Say if I wanted a setup where if I'm connecting from somewhere outside my own network, I will have to supply login credentials and my password will be required for all sensitive operations. However, if I am connecting from my computer, these credentials aren't needed because I have to login to my OS to access the network on that device anyway. Can I rely on the loopback address as a security measure in this way? Or is it possible for an attacker to make it appear as though they are connecting locally?

    • SpacemanSpiff
      SpacemanSpiff almost 12 years
      I do not believe so.
    • David Schwartz
      David Schwartz almost 12 years
      Do you mean get the machine to receive a spoofed packet that appears to have come from 127.0.0.1? Or do you mean get the machine to receive a spoofed packet that is addressed to 127.0.0.1?
    • David Schwartz
      David Schwartz almost 12 years
      It's not clear what "break into my localhost data" means. Does that mean make your machine receive a packet that appears to come from 127.0.0.1?
  • bee.catt
    bee.catt almost 12 years
OK, so if I am understanding all this correctly, an attacker could potentially send something IN, but they wouldn't be able to get anything back OUT, because the nature of the loopback is that it only talks to itself. If this is correct, then could an attacker send in malicious code that makes it possible to connect remotely, or even just some code that generally breaks things?
  • mulaz
    mulaz almost 12 years
You have a routing table in your PC, which says which packets go out where (route -n on *nix). You have an entry there for 127.0.0.0/8 to go out through the loopback interface (it does not actually go out, since it's a loopback). So, if the attacker from your LAN sends a packet to your PC, your PC can accept it, but the return packet will be lost, since it will stay inside your PC (sent 'out' from the loopback).
  • Hennes
    Hennes almost 12 years
An interesting idea. However, the loopback interface has no MAC address. So you would have to have the target computer's (technically, the target NIC's) MAC in combination with an IP which does not belong to that MAC and hope that the receiving network stack accepts it. And then the packet needs to be accepted by something expecting data and probably also listening on the real IP. Still, a nice thought.
  • mulaz
    mulaz almost 12 years
You can use the MAC from the ethernet card (when you send a packet to, let's say, Google's 8.8.8.8, you send it to your router's MAC with 8.8.8.8 as the dst. IP). The machine needs to have IP forwarding enabled, of course.
  • sdaffa23fdsf
    sdaffa23fdsf over 9 years
What about attacks at the control plane? With a crafted source address of 127.0.0.1, is it possible to bypass some ACLs?
  • Mikko Rantalainen
    Mikko Rantalainen over 3 years
With custom driver software and collaborating NIC hardware, it's surely possible to send ethernet frames carrying IP packets that have the localhost address. It's up to the receiving end not to interpret those as true localhost packets. Not all OSes do this correctly.