Is it possible for a remote machine to access another machine's localhost data by spoofing the loopback ip?

Say if I wanted a setup where if I'm connecting from somewhere outside my own network, I will have to supply login credentials and my password will be required for all sensitive operations. However, if I am connecting from my computer, these credentials aren't needed because I have to login to my OS to access the network on that device anyway. Can I rely on the loopback address as a security measure in this way? Or is it possible for an attacker to make it appear as though they are connecting locally?

bee.catt
  • 245

4 Answers

14

No.

It is possible to send data as fake 127.0.0.1, but the reply will go "out" (stay inside actually) the loopback interface, and be 'lost'.

If there is a router on the way, it will send the packet through its own loopback interface, and it will be lost there.

mulaz
  • 10,962
13

Yes. Surprisingly, it is possible to spoof a loopback source address. Obviously you won't get any replies, so your spoofed packet also needs to include an exploit. Also it will be stopped at a router, so you need to be on the same local network as the victim. The remote hole CVE-2014-9295 was exploitable in this way.

It turns out OS X and the Linux Kernel behave similarly in this case. Any IP packet arriving on an external interface and with the source IP 127.0.0.1 will be dropped immediately. But if we use IPv6 instead we can actually spoof ::1 and send control mode packets to the daemon (some Linux distributions have firewall rules in place that protect against this, e.g. Red Hat). Thus, if we are on the same local network, we can send spoofed packets to the link-local address of the target and bypass the IP restrictions.

http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html

sourcejedi
  • 1,180
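The distinction in that answer (a check on the claimed source address alone versus a service that is actually bound to a loopback address) can be made concrete. The following is an added example, not code from any answer here or from ntpd: `is_loopback`, `peer_only_check`, `strict_local_check` and `accept_one_loopback_connection` are names chosen for this illustration.

```python
import ipaddress
import socket
from typing import Tuple


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1. A dual-stack socket reports an IPv4
    loopback peer as ::ffff:127.0.0.1, which IPv6Address.is_loopback alone
    does not recognise, so unwrap the IPv4-mapped form first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def peer_only_check(peer_ip: str) -> bool:
    """Weak check: trusts the source address alone. On a listener bound to
    0.0.0.0 or [::], a packet with a forged ::1 source arriving on a LAN
    interface (the ntpd case quoted above) passes this test."""
    return is_loopback(peer_ip)


def strict_local_check(local_ip: str, peer_ip: str) -> bool:
    """Stronger check: require the socket's own address AND the peer address
    to be loopback. A packet delivered to the host's link-local or LAN
    address can never meet the first condition, whatever source it carries.
    Binding the service to 127.0.0.1 / ::1 only lets the kernel enforce this."""
    return is_loopback(local_ip) and is_loopback(peer_ip)


def accept_one_loopback_connection() -> Tuple[str, str]:
    """Bind to 127.0.0.1 only, connect across loopback, and return the
    (local, peer) address pair the kernel reports for the accepted socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    pair = (conn.getsockname()[0], conn.getpeername()[0])
    for s in (conn, cli, srv):
        s.close()
    return pair


if __name__ == "__main__":
    local, peer = accept_one_loopback_connection()
    print(local, peer, strict_local_check(local, peer))
```

The forged-source scenario itself is not reproduced here; the point is that `strict_local_check` rejects it by construction, while `peer_only_check` would accept it.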
3

Loopback data usually never makes it to the network. It is intercepted and, well, looped back, before that happens. Since it never hits the actual network nothing on the network can intercept it.

Hennes
  • 4,852
1

No. The loopback is hardcoded in /etc/hosts - this is the first place the resolver will look for loopback to ip translation. Unless you are able to edit the /etc/hosts you cannot do it.

If you can edit /etc/hosts then you are an administrator, so you can do anything.

mnmnc
  • 203