Vulnerabilities in the network libraries of the Rust and Go languages that allow IP address validation to be bypassed.

Vulnerabilities have been identified that stem from incorrect handling of IP addresses containing octal digits in the address-parsing functions of the Rust and Go standard libraries. The vulnerabilities allow an application's checks of permitted addresses to be bypassed, for example to reach loopback interface addresses (127.x.x.x) or intranet subnets when carrying out SSRF (Server-side request forgery) attacks. They continue the series of problems previously found in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, components of an IP address string that begin with a zero must be interpreted as octal numbers, but many libraries do not take this into account and simply drop the zero, treating the value as a decimal number. For example, the number 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If a problematic library is in use, the application will not determine that the address 0177.0.0.1 belongs to the subnet 127.0.0.1/8, but when the request is actually sent it may connect to the address "0177.0.0.1", which the network functions will handle as 127.0.0.1. In the same way, a check for access to intranet addresses can be fooled by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the issue (CVE-2021-29922) affected the standard library "std::net". The IP address parser in this library discarded the zero in front of values in the address, but only when no more than three digits were specified; for example, "0177.0.0.1" would be treated as an invalid value, while incorrect results would be returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr when parsing user-specified addresses are potentially exposed to SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.


In Go, the standard library "net" is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros in front of octal numbers instead of processing them. For example, an attacker can pass the value 00000177.0.0.1, which, when checked with net.ParseCIDR("00000177.0.0.1/24"), will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in Go release 1.16.3 and in the 1.17 beta.
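The following Go program is an added illustration of the octal-digit problem described above and of the net.ParseCIDR case; it is not code from the Go project, the Rust project or the advisory. It places three small parsers side by side: naiveIPv4, which ignores leading zeros and reads the digits as decimal (the flawed behaviour), inetAtonIPv4, which applies the BSD inet_aton convention that a leading zero means octal (the interpretation the advisory attributes to the network functions), and strictIPv4, a defender's validator that refuses leading zeros outright. The function names, the Outcome type and the list of blocked ranges (loopback plus RFC 1918, parsed with net.ParseCIDR) are assumptions made for this example; the sample inputs are the advisory's own strings plus one plain control.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseQuad splits a dotted quad and converts each component with conv;
// any component error invalidates the whole address.
func parseQuad(s string, conv func(string) (uint64, error)) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four dotted components", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := conv(p)
		if err != nil {
			return nil, fmt.Errorf("%q: component %q: %v", s, p, err)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// naiveIPv4 reproduces the flaw the advisory describes: leading zeros are
// ignored and the digits are read as decimal, so "0177" becomes 177.
func naiveIPv4(s string) (net.IP, error) {
	return parseQuad(s, func(p string) (uint64, error) {
		return strconv.ParseUint(p, 10, 8) // bitSize 8 rejects values > 255
	})
}

// inetAtonIPv4 models the BSD inet_aton convention the advisory refers to:
// a component with a leading zero is octal ("0177" -> 127, "012" -> 10).
func inetAtonIPv4(s string) (net.IP, error) {
	return parseQuad(s, func(p string) (uint64, error) {
		if len(p) > 1 && p[0] == '0' {
			return strconv.ParseUint(p[1:], 8, 8)
		}
		return strconv.ParseUint(p, 10, 8)
	})
}

// strictIPv4 is the validator a defender wants: 1-3 decimal digits per
// component and no leading zeros, so ambiguous input is refused outright.
func strictIPv4(s string) (net.IP, error) {
	return parseQuad(s, func(p string) (uint64, error) {
		if p == "" || len(p) > 3 {
			return 0, fmt.Errorf("must be 1-3 digits")
		}
		if len(p) > 1 && p[0] == '0' {
			return 0, fmt.Errorf("leading zero is ambiguous (octal)")
		}
		return strconv.ParseUint(p, 10, 8)
	})
}

// isBlocked reports whether ip lies in a range an SSRF filter refuses (loopback, RFC 1918).
func isBlocked(ip net.IP) bool {
	for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) { // constant CIDRs, ParseCIDR cannot fail
			return true
		}
	}
	return false
}

// Outcome summarises how one user-supplied string fares under each parser (hypothetical type).
type Outcome struct {
	NaiveAllows   bool   // the zero-ignoring filter lets the request through
	ActualTarget  string // address under the inet_aton (octal) convention
	ActualBlocked bool   // that address lies in a blocked range
	StrictRejects bool   // the strict validator refuses the input
}

func Evaluate(s string) Outcome {
	var o Outcome
	if ip, err := naiveIPv4(s); err == nil {
		o.NaiveAllows = !isBlocked(ip)
	}
	if ip, err := inetAtonIPv4(s); err == nil {
		o.ActualTarget = ip.String()
		o.ActualBlocked = isBlocked(ip)
	}
	_, err := strictIPv4(s)
	o.StrictRejects = err != nil
	return o
}

func main() {
	// Constructed sample inputs: the advisory's examples plus a plain control.
	for _, s := range []string{"0177.0.0.1", "012.0.0.1", "00000177.0.0.1", "010.8.8.8", "127.0.0.1"} {
		// net.ParseIP shows what the installed toolchain does; Go 1.17+ prints <nil> for leading zeros.
		fmt.Printf("%-15s %+v  net.ParseIP=%v\n", s, Evaluate(s), net.ParseIP(s))
	}
}
```

For "0177.0.0.1" and "012.0.0.1" the naive filter allows the request while the octal interpretation lands on 127.0.0.1 and 10.0.0.1, both blocked; "010.8.8.8" shows the opposite failure, where the naive filter blocks a request that would actually reach 8.8.8.8. The strict validator rejects all three, which is the safe response to input whose meaning depends on the parser.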



source: budenet.ru
