Vulnerabilities in the Rust and Go standard network libraries that allow bypassing IP address validation

Vulnerabilities caused by incorrect handling of IPv4 addresses with octal components in the address-parsing functions of the Rust and Go standard libraries have been identified. They allow an application's address-validation checks to be bypassed, for example to reach loopback addresses (127.0.0.0/8) or intranet subnets when carrying out SSRF (server-side request forgery) attacks. They continue the series of problems previously found in node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

By the long-standing inet_aton() convention that the socket layer and most network tools follow, an IPv4 component written with a leading zero is an octal number, but many libraries ignore this and simply drop the leading zero, reading the component as decimal. For example, octal 0177 equals decimal 127. An attacker can therefore request a resource by specifying the value "0177.0.0.1", which corresponds to "127.0.0.1". If the problematic library is used for validation, the application does not recognise that 0177.0.0.1 lies inside 127.0.0.0/8, yet when it sends the request it hands the original string "0177.0.0.1" to the network functions, which treat it as 127.0.0.1. In the same way, a check that blocks intranet addresses can be fooled with values such as "012.0.0.1" (equivalent to "10.0.0.1"). The root cause is a parser differential: the validator and the network stack read the same bytes differently, so a check is only sound if it either rejects non-canonical spellings outright or re-encodes the parsed address and uses that canonical form, not the user-supplied string, for the outbound request.

In Rust, the standard library's std::net module was affected (CVE-2021-29922). Its IPv4 parser tolerated leading zeros and read each component as decimal, but accepted at most three digits per component. As a result "0177.0.0.1" was rejected as invalid, while "010.8.8.8" and "127.0.026.1" were accepted and wrongly parsed as 10.8.8.8 and 127.0.26.1 (their octal readings are 8.8.8.8 and 127.0.22.1). Applications that use std::net::IpAddr to parse user-supplied addresses may be exposed to SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion) attacks. The vulnerability was fixed in Rust 1.53.0, which rejects components with leading zeros.


In Go, the standard library's net package was affected (CVE-2021-29923). net.ParseIP and net.ParseCIDR silently ignored leading zeros and read the component as decimal, instead of treating the leading zero as an octal prefix. For example, an attacker can pass the value 00000177.0.0.1: net.ParseCIDR("00000177.0.0.1/24") parses it as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also shows up in the Kubernetes platform, which relies on these functions. The fix shipped in Go 1.17 (it was already present in the 1.17 beta): ParseIP and ParseCIDR now reject IPv4 components with leading zeros. The Go release notes also recommend re-encoding an address after validation and using the canonical form, which avoids this class of parser mismatch on any Go version.
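The following Go program is an added example for both the Rust and the Go paragraphs above; it is not code from the original article, from the Rust project or from the Go project. It puts three parsers side by side for the addresses quoted in the text: parseLenientDecimal is a hypothetical model of the pre-fix behaviour (a three-digit cap models Rust before 1.53, no cap models Go before 1.17), parseInetAton applies the inet_aton() octal/hex convention that the network stack uses, and strictParseIPv4 is the hardened round-trip check that works on every Go version. ssrfBypass combines them to flag inputs that the lenient validator would wave through as external while the socket layer connects internally. The helper names, the modelled parsers and the set of "internal" ranges are assumptions made for this example; the hex prefix case goes slightly beyond the page, since inet_aton accepts it too.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseLenientDecimal models the pre-fix validators described above: components are
// read in base 10 and leading zeros ignored, so "0177" becomes 177. maxDigits == 3
// models Rust std::net before 1.53 (rejects "0177", accepts "010"); maxDigits == 0
// (no cap) models Go net.ParseIP before 1.17. Demonstration only, never a validator.
func parseLenientDecimal(s string, maxDigits int) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four dotted components", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if maxDigits > 0 && len(p) > maxDigits {
			return nil, fmt.Errorf("component %q too long", p)
		}
		n, err := strconv.ParseUint(p, 10, 8) // base 10, range 0..255; "0177" -> 177
		if err != nil {
			return nil, err
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// parseInetAton follows the BSD/glibc inet_aton() convention used by the socket layer
// and most tools: "0x" prefix means hex, a leading "0" means octal, else decimal. Only
// the dotted-quad form is handled (inet_aton also accepts short forms such as "127.1").
func parseInetAton(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four dotted components", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base, digits := 10, p
		if len(p) > 2 && (p[:2] == "0x" || p[:2] == "0X") {
			base, digits = 16, p[2:]
		} else if len(p) > 1 && p[0] == '0' {
			base, digits = 8, p[1:] // "0177" -> 127, "026" -> 22
		}
		n, err := strconv.ParseUint(digits, base, 64)
		if err != nil || n > 255 {
			return nil, fmt.Errorf("bad component %q", p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// strictParseIPv4 is the hardened check: the input must be IPv4 and must round-trip
// through net.ParseIP unchanged, so leading zeros, hex and short forms are refused on
// every Go version. Callers forward the returned canonical value, not the raw string.
func strictParseIPv4(s string) (net.IP, error) {
	ip4 := net.ParseIP(s).To4()
	if ip4 == nil {
		return nil, fmt.Errorf("%q is not an IPv4 address", s)
	}
	if canon := ip4.String(); canon != s {
		return nil, fmt.Errorf("%q is not canonical (parses as %s)", s, canon)
	}
	return ip4, nil
}

// internalCIDRs are the ranges the bypass targets: loopback and RFC 1918 (assumed set).
var internalCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

func isInternal(ip net.IP) bool {
	for _, c := range internalCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ssrfBypass reports the SSRF condition: the lenient validator accepts s as external,
// while inet_aton-style network code would actually connect to an internal address.
func ssrfBypass(s string, maxDigits int) bool {
	seen, err := parseLenientDecimal(s, maxDigits)
	if err != nil || isInternal(seen) {
		return false
	}
	wire, err := parseInetAton(s)
	return err == nil && isInternal(wire)
}

func main() {
	for _, s := range []string{"0177.0.0.1", "010.8.8.8", "127.0.026.1", "012.0.0.1", "00000177.0.0.1", "127.0.0.1"} {
		seen, _ := parseLenientDecimal(s, 0)
		wire, _ := parseInetAton(s)
		_, strictErr := strictParseIPv4(s)
		fmt.Printf("%-15s lenient=%-10v inet_aton=%-10v rust<1.53 bypass=%-5v go<1.17 bypass=%-5v strict=%v\n", s, seen, wire, ssrfBypass(s, 3), ssrfBypass(s, 0), strictErr == nil)
	}
}
```

Running it shows the two directions of the mismatch: "012.0.0.1" and "00000177.0.0.1" slip past the lenient validator as external addresses but land on 10.0.0.1 and 127.0.0.1 on the wire, while "010.8.8.8" and "127.0.026.1" are merely parsed to the wrong host. strictParseIPv4 rejects every non-canonical spelling regardless of the Go version it runs on, which is the check to ship.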

Source: OpenNet.ru