Vulnerabilities in the network libraries of the Rust and Go languages that allow IP address checks to be bypassed

The vulnerability stems from incorrect handling of IP addresses containing octal digits in the address-parsing functions of the Rust and Go standard libraries. It makes it possible to bypass address validity checks in applications, for example to obtain access to loopback interface addresses (127.x.x.x) or intranet subnets during an SSRF (Server-side request forgery) attack. The vulnerability continues a series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, IP address string values that begin with a zero must be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the number 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If a vulnerable library is used, the application will not detect that the address 0177.0.0.1 falls within the subnet 127.0.0.1/8, yet when the request is actually sent it may access the address "0177.0.0.1", which the network functions will treat as 127.0.0.1. Similarly, a check for access to intranet addresses can be deceived by specifying the value "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" was affected by the problem (CVE-2021-29922). The IP address parser of this library discarded leading zeros before values in the address, but only when no more than three digits were specified; for example, "0177.0.0.1" would be treated as an invalid value, while an incorrect result was returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr when parsing user-specified addresses could be subject to SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.


In Go, the standard library "net" is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros before octal numbers instead of processing them. For example, an attacker can pass the value 00000177.0.0.1, which, when checked with the net.ParseCIDR(00000177.0.0.1/24) function, will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in Go release 1.16.3 and beta 1.17.
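As an added illustration of the octal/decimal mismatch described above and of the Rust and Go cases (not code from the Rust or Go projects, and not the patched std::net or net.ParseCIDR logic), the following Go block contrasts a strict dotted-decimal validator that refuses leading-zero octets with a function approximating inet_aton's octal/hex reading, so that the 0177.0.0.1, 012.0.0.1, 010.8.8.8 and 127.0.026.1 values from the text can be checked against each other. The function names StrictParseIPv4 and InetAtonIPv4 are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrLeadingZero flags octets such as "0177" or "012": decimal-only and inet_aton-style parsers disagree on them.
var ErrLeadingZero = fmt.Errorf("ipv4 octet has a leading zero (octal/decimal ambiguity)")

// StrictParseIPv4 accepts only canonical dotted-decimal IPv4 (four octets of 1-3 decimal
// digits, no leading zero except a lone "0"), so the address a filter inspects is the one the socket layer connects to.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if len(p) > 1 && p[0] == '0' {
			return nil, ErrLeadingZero // "0177", "012", "0x7f": refuse rather than guess
		}
		n, err := strconv.Atoi(p)
		if err != nil || len(p) > 3 || strings.Trim(p, "0123456789") != "" || n > 255 {
			return nil, fmt.Errorf("octet %d invalid: %q", i, p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// InetAtonIPv4 approximates how C's inet_aton (and thus the socket layer) reads the same string:
// a leading "0" selects octal and "0x" selects hex. It only shows which host a leniently validated string really names.
func InetAtonIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("only the four-part form is modelled here")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.ParseInt(p, 0, 64) // base 0 gives C-style 0/0x prefix handling
		if err != nil || n > 255 || strings.ContainsAny(p, "+-_") {
			return nil, fmt.Errorf("octet %d invalid: %q", i, p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}
```

A filter that runs StrictParseIPv4 before any subnet check never sees the ambiguous form; InetAtonIPv4 shows why that matters, since 0177.0.0.1 and 00000177.0.0.1 both land on the loopback range once the network stack interprets them.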



Source: opennet.ru
