• Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
No Result
View All Result
Home Security

CVE-2021-29923 – golang standard library “net” – Improper Input Validation of octal literals in golang 1.16.2 and below standard library “net” results in indeterminate SSRF & RFI vulnerabilities.

by Sick Codes
August 7, 2021 - Updated on October 4, 2021
in Security
0
CVE-2021-29923 – golang standard library “net” – Improper Input Validation of octal literals in golang 1.16.2 and below standard library “net” results in indeterminate SSRF & RFI vulnerabilities.

CVE-2021-29923 – golang standard library “net” – Improper Input Validation of octal literals in golang 1.16.2 and below standard library “net” results in indeterminate SSRF & RFI vulnerabilities.

Title

CVE-2021-29923 golang standard library “net” – Improper Input Validation of octal literals in golang 1.16.2 and below standard library “net” results in indeterminate SSRF & RFI vulnerabilities.

CVE ID

CVE-2021-29923

CVSS Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Internal ID

SICK-2021-016

Vendor

golang

Product

golang standard library: net

Product Versions

1.16.3 and below

Vulnerability Details

Improper input validation of octal strings in golang standard library “net” allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on golang builtin net.ParseCIDR function. CIDR IP individual octects are left stripped instead of evaluated as valid IP octets. For example, an attacker submitting an IP CIDR to a web application that relies on net.ParseCIDR(ipaddress), could cause SSRF via inputting octal input data; A remote, local, authenticated or unauthenticated attacker can submit a myriad of exploitable IP addresses to applications that rely on golang net standard library. For example, an attacker can submit 00000177.0.0.1, which is 127.0.0.1 (RFI), yet net.ParseCIDR(00000177.0.0.1/24) will evaluate this as 177.0.0.1/24, when this is infact 127.0.0.1/24.

Vendor Response

Accepted to be fixed in 1.17 https://github.com/golang/go/issues/30999

Proof of Concept

//usr/bin/go run $0 $@ ; exit
// Authors:      https://twitter.com/sickcodes, https://twitter.com/kaoudis
// License:      GPLv3+

package main

import "fmt"
import "net"

func main() {
  fmt.Println("octet 1: ")
  var input = "00000177.0.0.1/24"
  var addr, mask, err = net.ParseCIDR(input)
  fmt.Println("input: ", input, " result: ", addr, mask, err)

  fmt.Println("octet 2: ")
  var input1 = "192.0169.1.1/5"
  var addr1, mask1, err1 = net.ParseCIDR(input1)
  fmt.Println("input: ", input1, " result: ", addr1, mask1, err1)

  fmt.Println("octet 3: ")
  var input2 = "5.5.035.5/8"
  var addr2, mask2, err2 = net.ParseCIDR(input2)
   fmt.Println("input: ", input2, " result: ", addr2, mask2, err2)

  fmt.Println("trying an octal not in dot-decimal: ")
  var input3 = "035"
  var addr3, mask3, err3 = net.ParseCIDR(input3)
   fmt.Println("input: ", input3, " result: ", addr3, mask3, err3)

  fmt.Println("trying an octet in hexadecimal: ")
  var input4 = "1.0xff.2.3/19"
  var addr4, mask4, err4 = net.ParseCIDR(input4)
  fmt.Println("input: ", input4, " result: ", addr4, mask4, err4)

  fmt.Println("trying a hexadecimal not in dot-decimal: ")
  var input5 = "0xffff"
  var addr5, mask5, err5 = net.ParseCIDR(input5)
   fmt.Println("input: ", input5, " result: ", addr5, mask5, err5)
}

Disclosure Timeline

  • 2019-03-22 – @opennota opens issue in 2019: net: reject leading zeros in IP address parsers #30999
  • 2021-03-29 – Researchers discover vulnerability
  • 2021-03-29 – CVE requested
  • 2021-08-07 – Release @ DEF CON 29 https://www.youtube.com/watch?v=_o1RPJAe4kU

Links

https://golang.org/pkg/net/#ParseCIDR

https://github.com/golang/go/issues/43389

https://github.com/golang/go/issues/30999

https://go-review.googlesource.com/c/go/+/325829/

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

https://sick.codes/sick-2021-016

https://www.youtube.com/watch?v=_o1RPJAe4kU

https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis

Researchers

opennota: https://gitlab.com/opennota https://github.com/

Cheng Xu: https://github.com/xu-cheng || https://xuc.me/

Victor Viale: https://github.com/koroeskohr || https://twitter.com/koroeskohr

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

Kelly Kaoudis: https://github.com/kaoudis || https://twitter.com/kaoudis

John Jackson: https://github.com/johnjhacking || https://www.twitter.com/johnjhacking

Nick Sahler: https://github.com/nicksahler || https://twitter.com/tensor_bodega

CVE Links

https://sick.codes/sick-2021-016

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29923

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29923

Next Post
John Deere Pega

Being "root" on two Agriculture Companies (in Good Faith). Maxing out the John Deere Operations Center Worldwide and Case Industrial in Brazil [Agricultural Security & Hacking]

Brave Browser CVE-2020-8276

CVE-2021-22929 - Brave Browser 1.27 and below permanently logs the server connection time for all v2 tor domains to ~/.config/BraveSoftware /Brave-Browser/tor/data/tor.log

Sick Codes CornCon 2021

Sick Codes Speaking @ CornCon Cyber Security Conference September 10-11, 2021 in Bettendorf, Iowa!

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

No Result
View All Result
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects

© 2017-2021 Sick.Codes

@sickcodes

@sickcodes

@sickcodes

Discord Server

sickcodes.slack.com

t.me/sickcodeschat

./contact_form