Vulnerabilities in the network libraries of Rust and Go that allow IP address checks to be bypassed

Vulnerabilities have been identified in the standard libraries of the Rust and Go languages, related to incorrect handling of IP addresses containing octal numbers in the address parsing functions. The vulnerabilities make it possible to bypass address validation in applications, for example to gain access to loopback interface addresses (127.x.x.x) or intranet subnets when carrying out SSRF (Server-Side Request Forgery) attacks. The vulnerabilities continue the series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, string values in IP addresses that start with a zero must be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, processing the value as a decimal number. For example, the number 0177 in octal is 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal representation corresponds to "127.0.0.1". If a vulnerable library is used, the application will not detect that the address falls within the 127.0.0.1/8 subnet, but when the request is actually sent, the address "0177.0.0.1" is used, which corresponds to 127.0.0.1.
Similarly, checks on access to intranet addresses can be deceived by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" turned out to be affected (CVE-2021-29922). The library's IP address parser discards a zero in front of the values in the address, but only if no more than three digits are given, i.e. "0177.0.0.1" will be treated as an invalid value, while for 010.8.8.8 and 127.0.026.1 an incorrect result will be returned. Applications that use std::net::IpAddr when parsing specified addresses are potentially exposed to SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability is fixed in the Rust 1.53.0 branch.
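The mismatch described above, as an added example that is not code from std::net or from any of the libraries named in the article: the same string is read three ways (zeros dropped, octal-aware, strict), and only the strict reading is used for the request filter. The function names are hypothetical, the "zeros dropped" reader models the generic behaviour without the three-digit limit, and rejecting every octet with a leading zero is this example's policy choice.

```rust
use std::net::Ipv4Addr;

// Split a dotted quad and convert each part with `octet`; None on any malformed part.
fn parse_with(s: &str, octet: fn(&str) -> Option<u8>) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 { return None; }
    let mut o = [0u8; 4];
    for (i, &p) in parts.iter().enumerate() {
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        o[i] = octet(p)?;
    }
    Some(Ipv4Addr::new(o[0], o[1], o[2], o[3]))
}

// Flawed reading: leading zeros are dropped and the rest is taken as decimal.
fn drop_zeros(p: &str) -> Option<u8> {
    p.parse::<u8>().ok()
}

// Octal-aware reading: a leading zero switches the octet to base 8.
fn octal_aware(p: &str) -> Option<u8> {
    let radix = if p.len() > 1 && p.starts_with('0') { 8 } else { 10 };
    u8::from_str_radix(p, radix).ok()
}

// Strict reading: an octet with a leading zero is ambiguous, so it is refused.
fn strict(p: &str) -> Option<u8> {
    if p.len() > 1 && p.starts_with('0') { None } else { p.parse::<u8>().ok() }
}

fn is_internal(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private()
}

// Outbound-request filter: only unambiguous, non-internal addresses pass.
fn allowed_target(s: &str) -> bool {
    matches!(parse_with(s, strict), Some(ip) if !is_internal(ip))
}

fn main() {
    // Sample inputs taken from the article, plus one ordinary public address.
    for s in ["0177.0.0.1", "012.0.0.1", "010.8.8.8", "127.0.026.1", "8.8.8.8"] {
        println!("{:12} zeros-dropped={:?} octal={:?} allowed={}",
            s, parse_with(s, drop_zeros), parse_with(s, octal_aware), allowed_target(s));
    }
}
```

A filter that reads "0177.0.0.1" as 177.0.0.1 while the component that sends the request reads it as 127.0.0.1 is exactly the disagreement the article describes; refusing the ambiguous form removes the disagreement regardless of which reading the other component uses.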


In Go, the standard library "net" is affected (CVE-2021-29923

/Media reports.