Vulnerabilities in the standard libraries of Rust and Go allow IP address validation to be bypassed

Vulnerabilities have been identified in the address parsing functions of the Rust and Go standard libraries, caused by incorrect handling of IP addresses containing octal digits. The vulnerabilities make it possible to bypass address validation checks in applications, for example to gain access to loopback interface addresses (127.xxx) or intranet subnets when carrying out SSRF (Server-side request forgery) attacks. They continue the series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, values in an IP address string that begin with a zero must be interpreted as octal numbers, but the libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the octal number 0177 equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If the affected library is used, the application does not detect that 0177.0.0.1 lies within the subnet 127.0.0.1/8, yet when the request is actually sent it may reach the address "0177.0.0.1", which the network functions treat as 127.0.0.1. In the same way, the check for intranet addresses can be deceived by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" is affected by this problem (CVE-2021-29922). The IP address parser of this library discarded a leading zero in front of the values in an address, but only when no more than three digits were specified; for example, "0177.0.0.1" is recognised as an invalid value, whereas an incorrect result is returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr to parse user-specified addresses are potentially exposed to SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.


In Go, the standard library "net" is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros in front of octal numbers instead of processing them. For example, an attacker can pass the value 00000177.0.0.1, which, when checked with net.ParseCIDR(00000177.0.0.1/24), is parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in Go release 1.16.3 and the 1.17 beta.
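As an added example (not code from the page, the Go project or the Rust project), the following Go code shows the defensive pattern the bypasses above call for: refuse any octet that is not canonical decimal before the standard library parser sees it, then apply the loopback and private-range test an SSRF filter would perform. The function names ParseStrictIPv4, IsInternal and AllowOutbound are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseStrictIPv4 accepts only canonical dotted-quad text: four octets, each
// 1-3 decimal digits, no leading zero, value <= 255. Octets like "0177", "012"
// or "00000177" are the inputs the affected parsers mishandled, so they are
// refused here; net.ParseIP only ever sees text matching this strict subset.
func ParseStrictIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	for _, p := range parts {
		if len(p) == 0 || len(p) > 3 || (len(p) > 1 && p[0] == '0') {
			return nil, fmt.Errorf("octet %q is not canonical decimal", p)
		}
		v := 0
		for i := 0; i < len(p); i++ {
			if p[i] < '0' || p[i] > '9' {
				return nil, fmt.Errorf("octet %q contains a non-digit", p)
			}
			v = v*10 + int(p[i]-'0')
		}
		if v > 255 {
			return nil, fmt.Errorf("octet %q out of range", p)
		}
	}
	return net.ParseIP(s), nil
}

// IsInternal reports whether an address lies in loopback or RFC 1918 space.
func IsInternal(ip net.IP) bool {
	for _, cidr := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(cidr); n.Contains(ip) {
			return true
		}
	}
	return false
}

// AllowOutbound: non-canonical text is rejected, never normalised; internal ranges are blocked.
func AllowOutbound(s string) bool {
	ip, err := ParseStrictIPv4(s)
	return err == nil && !IsInternal(ip)
}
```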


Source: opennet.ru
