Security-relevant bug in the net library of Go and Rust


The net library of the programming languages Go and Rust handles IP addresses and TCP and UDP connections. In its IPv4 address parsing, however, the code deviated from the de facto standard and treated addresses written in octal notation incorrectly. Attackers could have exploited this to redirect traffic to IP addresses under their control.

The bug was found by the security researchers Cheng Xu, Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, Nick Sahler and Opennota, who informed the Rust and Go maintainers and presented their findings at the DEF CON conference once patches for both languages were ready.

Octal ambiguity

IPv4 addresses can be written in several formats. The usual one is four blocks of decimal numbers with values between 0 and 255. Rare, and more of a historical relic, but still possible, is writing the four blocks in the octal system: decimal 255 corresponds to octal 377. Because a sequence of digits does not reveal on its own whether it is meant as decimal or octal, the established convention is to give each octal block a leading zero. The Heise IP address 193.99.144.80 can therefore also be written as 0301.0143.0220.0120. Browsers, for example, handle this: both forms end up at a Heise server (the certificate error shown arises because the browser does not send a matching host name when an IP address is opened directly).

An IETF document also deals with this ambiguity and with the leading-zero notation. It criticises the ambiguous addresses as well as the convention of marking octal blocks with a leading zero, but concedes that they are "FAR TOO WIDESPREAD TO IGNORE". As the developer of an IPv4 library, you therefore have to handle this special case.

The developers of the net libraries used in Go and Rust did not do so. Instead of treating blocks with a leading zero as octal numbers, they simply dropped the leading zero and read the digits as decimal numbers. In many cases this merely leads to an error: the address 301.143.220.120 does not exist because 301 is greater than 255. It becomes security-relevant, and exploitable, when the affected libraries are used to validate IP addresses, for example in order to grant access to a particular IP address. In the worst case a server interprets an octal address incorrectly and contacts the wrong host.
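To make the ambiguity in the two preceding paragraphs concrete, here is an added Go example (not code from the article or from the Go or Rust projects). It implements a small dotted-quad parser with three selectable conventions for a block that starts with a zero: reject it as ambiguous, read it as octal, or drop the zero and read it as decimal (the behaviour the article describes). The names `ParseMode`, `ParseIPv4` and `Ambiguous` are the example's own; the input `010.0.0.1` is a constructed address chosen because, unlike the article's Heise example, the decimal-strip reading does not fail but silently yields a different host.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParseMode selects how a dotted-quad block with a leading zero is read.
type ParseMode int

const (
	ModeStrict       ParseMode = iota // reject blocks with a leading zero as ambiguous
	ModeOctal                         // convention from the article: leading zero marks an octal block
	ModeDecimalStrip                  // behaviour described in the article: drop the zero, read decimal
)

// ParseIPv4 parses a four-block IPv4 address under the given mode and returns
// a 4-byte net.IP, or an error explaining why the input was rejected.
func ParseIPv4(s string, mode ParseMode) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four blocks, got %d", s, len(parts))
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if p == "" {
			return nil, fmt.Errorf("%q: block %d is empty", s, i)
		}
		base := 10
		if len(p) > 1 && p[0] == '0' {
			switch mode {
			case ModeStrict:
				return nil, fmt.Errorf("%q: block %q has a leading zero and is ambiguous", s, p)
			case ModeOctal:
				base = 8
			case ModeDecimalStrip:
				base = 10 // the leading zero is silently ignored
			}
		}
		// bitSize 16 so that an out-of-range value such as 301 still parses and
		// can be reported as "exceeds 255" rather than as a syntax error.
		v, err := strconv.ParseUint(p, base, 16)
		if err != nil {
			return nil, fmt.Errorf("%q: block %q cannot be read in base %d: %v", s, p, base, err)
		}
		if v > 255 {
			return nil, fmt.Errorf("%q: block %q = %d exceeds 255", s, p, v)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// Ambiguous reports whether the octal and decimal-strip readings of s diverge,
// i.e. whether two parsers following different conventions would either see
// different hosts or disagree about whether the address is valid at all.
func Ambiguous(s string) bool {
	a, errA := ParseIPv4(s, ModeOctal)
	b, errB := ParseIPv4(s, ModeDecimalStrip)
	if errA != nil || errB != nil {
		return errA == nil || errB == nil // exactly one of the two parsers accepts it
	}
	return !a.Equal(b)
}

func main() {
	// Inputs: the article's Heise address in both notations, plus the constructed
	// address 010.0.0.1, where the decimal-strip reading yields a different host.
	for _, s := range []string{"193.99.144.80", "0301.0143.0220.0120", "010.0.0.1"} {
		for _, m := range []ParseMode{ModeStrict, ModeOctal, ModeDecimalStrip} {
			ip, err := ParseIPv4(s, m)
			fmt.Printf("%-22s mode=%d ip=%-15v err=%v\n", s, m, ip, err)
		}
		// net.ParseIP from the standard library is printed only for comparison
		// with whatever the locally installed Go version does.
		fmt.Printf("%-22s ambiguous=%v net.ParseIP=%v\n\n", s, Ambiguous(s), net.ParseIP(s))
	}
}
```

The design point is that `ModeStrict` is the right choice for anything that validates addresses: an input whose meaning depends on which convention the reader follows should be refused rather than normalised, because the component that later opens the connection may follow the other convention.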

The researchers see the danger that attackers could carry out a server-side request forgery attack and cause a server to contact an external address under the attackers' control instead of a trustworthy one. For this to succeed, however, the attacker would have to possess exactly the IP address to which the traffic is redirected. That sounds unlikely, but in the context of mass attempts against many systems it is quite possible that attackers eventually succeed.

Update the programming language

Developers who build systems in Rust or Go that accept IP addresses from users and process them with the net library should update to the current versions of Rust and Go and recompile their applications with them.

In Go, the problem is so far only fixed in the 1.17 beta. For Rust, co-discoverer Cheng Xu proposed a fix on 29 March, which was adopted on 31 March. From Rust 1.53 onwards the problem is eliminated.
