Can the loopback interface be hijacked?

There are lots of speculations, let's try it.

Assigning 127.0.0.1/8 to the network interface

On Debian it works as root to assign 127.0.0.1/8 to the network interface:

# ifconfig lo 10.0.0.1 netmask 255.0.0.0
# ifconfig eth0 127.0.0.2 netmask 255.0.0.0

and results in:

lo        Link encap:Lokale Schleife  
          inet Adresse:10.0.0.1  Maske:255.0.0.0
...
eth0      Link encap:Ethernet  Hardware Adresse 
          inet Adresse:127.0.0.2  Bcast:127.255.255.255  Maske:255.0.0.0
...

ping 127.0.0.1, however, fails with an Illegal Argument error:

 $ ping 127.0.0.2
 PING 127.0.0.2 (127.0.0.2) 56(84) bytes of data.
 64 bytes from 127.0.0.2: icmp_seq=1 ttl=64 time=0.030 ms

 $ ping 127.0.0.1
 connect: Invalid argument

So this is something that needs to be looked at in more detail by analyzing the source code.

Pointing "localhost" to another IP address

Editing /etc/hosts as root so that it points localhost to another IP address works:

ping localhost
PING localhost (209.85.149.147) 56(84) bytes of data.
64 bytes from localhost (209.85.149.147): icmp_seq=2 ttl=57 time=165 ms

Whether this is an issue or not depends on the situation: the client may send a password without validating the server, by either not using SSL or trusting any certificate (there are testing certificates for localhost out there that are signed by trusted CAs). This password might be reused elsewhere, or the server may be accepting connections from other interfaces because it is password protected anyway.

In the standard configuration the host file has precedence over NIS and DNS, which requires local root access and makes this kind of attack pointless. But if the priority was changed, this is exploitable using the DNS or NIS servers.
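The /etc/hosts scenario above is easy to check for from the defender's side. The following script is an added example, not code from the original post: it parses a constructed sample hosts file, flags any entry that maps a localhost name to a non-loopback address, and shows how a client could confirm that "localhost" actually resolves to 127.0.0.0/8 or ::1 before sending credentials. The function names, the sample file contents and the set of localhost aliases are assumptions made for this example; only the Python standard library (ipaddress, socket) is used.

```python
import ipaddress
import socket

# Constructed sample /etc/hosts content (not taken from a real system).
# The third entry is the kind of edit the answer describes: "localhost"
# pointed at a public address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# constructed example of a hijacked entry
209.85.149.147  localhost
10.0.0.5    build-server   # unrelated entry
"""

# Names that a client would reasonably expect to mean "this machine"
# (assumed list for this example).
LOCALHOST_NAMES = {"localhost", "localhost.localdomain",
                   "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return a list of (address, [names]) for each non-comment /etc/hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for anything else, including unparsable input."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_hijacked_localhost(text):
    """Return hosts-file entries that map a localhost name to a non-loopback address."""
    suspicious = []
    for addr, names in parse_hosts(text):
        if LOCALHOST_NAMES.intersection(names) and not is_loopback(addr):
            suspicious.append((addr, names))
    return suspicious


def resolve_is_loopback(hostname="localhost"):
    """Resolve hostname through the system resolver (which honours /etc/hosts and
    its configured precedence over DNS/NIS) and report whether every returned
    address is loopback, plus the addresses seen. A client can run this check
    before trusting a "localhost" connection with a password."""
    infos = socket.getaddrinfo(hostname, None)
    addrs = {info[4][0] for info in infos}
    return all(is_loopback(a) for a in addrs), sorted(addrs)


if __name__ == "__main__":
    for addr, names in find_hijacked_localhost(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {addr} -> {' '.join(names)}")
    ok, seen = resolve_is_loopback()
    print("system resolver maps localhost only to loopback:", ok, seen)
```

Run on a live system, the static check would read the real /etc/hosts instead of SAMPLE_HOSTS; the resolver check is the one that also catches the case the answer mentions where host-file precedence has been changed so that DNS or NIS answers first, because getaddrinfo follows whatever order the system is configured with.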


I believe you would need to compromise the kernel to do this (of course, if you can compromise the kernel, you can do anything). I just did some testing with IPTables and it appears that loopback traffic bypasses the NAT / PREROUTING capabilities, so I think it's out of userspace control (in Linux). OSes will vary, of course, but I think in general you do need to compromise the kernel to do what you want to do.