Search
Critical Vulnerability found in the ‘net’ package in Go and Rust.
4 min read

Critical Vulnerability found in the ‘net’ package in Go and Rust.

Akhil Sharma

The popular ‘net’ library used in GO and Rust was recently impacted by the mixed-format IP address validation vulnerability, a critical bug that made many applications extremely vulnerable. In this article, we will break it down and understand all about it.

Understanding the Vulnerability

If you perform a simple search for “import net” on GitHub, it’ll reveal over 4 million files for Go alone relying on the net library, this means it’s a vulnerability of significant proportions.

The bug occurs due to the fact that the net library treats IP addresses as decimals, even when they are provided in a mixed (octal-decimal) format, the exact mechanics of this have been explained later in the article with examples.

This bug made applications relying on the net library vulnerable to indeterminate Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) vulnerabilities.

What is SSRF and RFI

Just a quick note on SSRF and RFI -

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL to which the code running on the server will read or submit data, and by carefully selecting the URLs,

the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases or perform post requests towards internal services which are not intended to be exposed

and the File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something like outputting the contents of the file, but depending on the severity, it can also lead to:

  • Code execution on the web server
  • Code execution on the client side such as JavaScript can lead to other attacks such as cross-site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure

Detailed Analysis of the Vulnerability

Now that we know how problematic this issue can become, let’s discuss more about it. So this particular vulnerability, tracked by CVE-2021-29922 (for Rust) and CVE-2021-29923 (for Golang) develops from how net handles mixed-format IP addresses, or more specifically when a decimal IPv4 address contains a leading zero.

Now, the most common way to represent IPV4 addresses is in the decimal format.

For example, Armur AI’s IPV4 address in decimal format is 112.99.43.117 but it can also be represented in the octal format as 160.143.53.165.

If we now take the most common IPV4 address- 127.0.0.1 which is the address for localhost and you put a ‘0’ in front of it (prefix ‘0’) - you get 0127.0.0.1 but it’s interesting to see how your browser handles it -

it becomes 87.0.0.1

img

so if we put a zero in front of it, it becomes octal but then it’s converted to its decimal “equivalent” (equivalent being the keyword here) and handled as a decimal - which is 87.0.0.1 and this is how most applications are supposed to handle it - this is the expected behaviour.

But in the case of the net library, any prefixed zeros are simply trimmed off and all numbers that were supposed to be treated as octal would be treated directly as decimal (not the decimal “equivalent” of the octal number) and therein lies the problem.

Implications for Developers

At the same time, if a developer uses the net library to validate if an IP address belongs to a certain range (e.g. parsing a list of IPs against an access control list (ACL)), the result may come out wrong for octal-based representations of IPv4 addresses.

This can cause indeterminate Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) vulnerabilities in applications. Go and Rust aren’t the only languages to be impacted by this bug.

This mixed-format IP address validation bug had previously impacted Python’s ipaddress library and was also found in other languages.

Across all languages, the bug has been rated as having a High or Critical severity. This was patched in GO’s 1.17 version and in Rust it was patched in version 1.53.0 and it’s recommended that the developers use GO and Rust versions above these to ensure not being affected by this bug.

Armur: Enhancing Security For Developers

To improve the security and reliability of your code, there’s no better solution than Armur. Armur provides developers with next-generation security tools that help protect and enhance their work. One of the key features of Armur is its code-scanning tool.

This tool allows you to scan your thoroughly, identifying any security issues that may be present. Furthermore, it offers detailed recommendations on how to fix these issues, ensuring that your code remains robust and secure. Available tooling support for languages includes Rust, Go, Python, Javascript and Solidity.

To stay updated with the latest security discussions, you can join our discord server where we share valuable insights and learning resources such as SecOps, DevSec and Red Teaming. Additionally, you can try out Armur and get free 100 credits.

Armur Image

Latest Posts

Critical Zero-Day Vulnerability CVE-2024-9680 Exploited in Firefox and Tor Browser
5 min read

Critical Zero-Day Vulnerability CVE-2024-9680 Exploited in Firefox and Tor Browser

Securing AI-Generated Code
6 min read

Securing AI-Generated Code

Get Interesting Blogs