Vulnerabilities found in the Rust and Go network libraries allow IP address validation to be bypassed

Information was recently released about vulnerabilities found in the standard libraries of the Rust and Go languages, related to the mishandling of IP addresses that contain octal (leading-zero) octets by the address-parsing functions.

These vulnerabilities allow address validation checks in applications to be bypassed, for example to reach loopback interface addresses or intranet subnets when carrying out server-side request forgery (SSRF) attacks.

The vulnerabilities in both languages stem from the same ambiguity: by long-standing convention (the one followed by libc's inet_aton() and most tools built on it), an octet of a dotted IP address string that begins with a zero is interpreted as an octal number. The problem behind these flaws is that many libraries ignore this and simply discard the leading zero, so they end up treating the value as a decimal number.

For example, to understand how IP addresses are interpreted under these flaws: the number 0177 in octal is 127 in decimal. An attacker can request a resource specifying the value "0177.0.0.1"; a parser that does not honour octal notation drops the zero and reads the string as 177.0.0.1, while octal-aware software reads the same string as 127.0.0.1.

Because of this, an application that uses one of the problematic libraries will not detect that the address 0177.0.0.1 falls inside the 127.0.0.0/8 loopback range, since what it checks is 177.0.0.1. But when the request is actually sent, the network functions (the libc resolver or inet_aton(), for instance) process "0177.0.0.1" as 127.0.0.1 because of the differing interpretation. Intranet addresses can be reached the same way, by supplying various values that the attacker evaluates for possible exploitation.

On the Rust side, the problem affects the standard library std::net and is already cataloged as CVE-2021-29922. The description states that this library's IP address parser discards leading zeros in the octets of an address and reads the remaining digits as decimal: for example, "0177.0.0.1" is accepted and parsed as 177.0.0.1 instead of being rejected, an incorrect result given that octal-aware software treats the same string as 127.0.0.1.

The advisory summarizes it as follows: incorrect validation of octal strings in rust-lang's standard net library allows unauthenticated remote attackers to perform indeterminate SSRF, RFI and LFI attacks on many programs that depend on rust-lang std::net. IP address octets are left stripped of their leading zeros instead of being evaluated as valid IP addresses.

Applications that use std::net::IpAddr to parse user-supplied addresses are therefore potentially susceptible to SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion) attacks. Similarly, an attacker can enter 127.0.026.1, which octal-aware software reads as 127.0.22.1 (026 in octal is 22 in decimal) but which the vulnerable parser reads as 127.0.26.1.

For example, an attacker who submits an IP address to a web application that relies on std::net::IpAddr can cause SSRF by entering octal input data. According to the advisory, an attacker can submit exploitable IP addresses if an octet has up to 3 digits, with the minimum exploitable octet being 08 and the maximum exploitable octet being 099, both of which lead to denial of service (8 and 9 are not octal digits, so octal-aware software rejects an address that the vulnerable parser accepted).

More details on this vulnerability in Rust are available at the following link. The vulnerability was fixed in the Rust 1.53.0 release.

As for the problem affecting Go, it lies in the standard library "net" and is already listed as CVE-2021-29923. The description states that it allows unauthenticated remote attackers to perform indeterminate SSRF, RFI and LFI attacks on many programs that depend on Go's built-in net.ParseCIDR function (net.ParseIP is affected in the same way). Leading zeros of individual CIDR IP octets are stripped instead of the octets being evaluated as valid IP octets.

For example, an attacker might pass the value 00000177.0.0.1/24, which net.ParseCIDR parses as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself on the Kubernetes platform. The vulnerability was fixed in Go 1.17 (the fix first shipped in the 1.17 beta); the CVE entry lists all versions before 1.17 as affected.
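The mismatch described above for both Rust and Go can be reproduced without the vulnerable library versions. The following Go program is an added example written for this article; it is not code from the Rust or Go projects. It reconstructs the lenient pre-fix behaviour (read every octet as decimal, dropping leading zeros) in a function named lenientParseIPv4, reimplements the classic four-part inet_aton() reading (leading "0" is octal, "0x" is hexadecimal) in inetAtonIPv4, and contrasts a filter that trusts the lenient parser (vulnerableAllows) with one that rejects leading-zero octets outright, the rule the Go 1.17 and Rust 1.53 fixes adopted (hardenedAllows). All four function names, the deny list and the sample inputs are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// lenientParseIPv4 reconstructs the behaviour of the vulnerable parsers
// (Go < 1.17 net.ParseIP/ParseCIDR, Rust < 1.53 std::net): every octet is
// read as decimal, so leading zeros are silently discarded ("0177" -> 177).
// Illustrative reimplementation for this example, not the library code.
func lenientParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four dotted octets")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		v, err := strconv.ParseUint(p, 10, 8) // base 10, must fit in 0..255
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// inetAtonIPv4 follows the classic libc inet_aton() rules for a four-part
// address, which is how the connection is actually made once the string
// leaves the application: "0x" prefix is hex, a leading "0" is octal, anything
// else is decimal. (Real inet_aton also accepts 1-, 2- and 3-part forms; omitted.)
func inetAtonIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four dotted octets")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base, digits := 10, p
		switch {
		case strings.HasPrefix(p, "0x") || strings.HasPrefix(p, "0X"):
			base, digits = 16, p[2:]
		case len(p) > 1 && p[0] == '0':
			base, digits = 8, p[1:]
		}
		v, err := strconv.ParseUint(digits, base, 8) // "08" fails here: 8 is not an octal digit
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// blockedNets is the deny list a typical SSRF filter enforces (example values).
var blockedNets = mustCIDRs("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isBlocked(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// vulnerableAllows trusts the lenient parser: the string is range-checked as
// one address and later connected to as another.
func vulnerableAllows(target string) bool {
	ip, err := lenientParseIPv4(target)
	return err == nil && !isBlocked(ip)
}

// hardenedAllows rejects any octet with a leading zero (which also covers a
// "0x" prefix) before the range check, so every input that survives means the
// same address to this validator and to inet_aton() downstream.
func hardenedAllows(target string) bool {
	for _, p := range strings.Split(target, ".") {
		if len(p) > 1 && p[0] == '0' {
			return false
		}
	}
	ip, err := lenientParseIPv4(target)
	return err == nil && !isBlocked(ip)
}

func main() {
	// Constructed inputs: the article's examples plus two ordinary addresses.
	for _, target := range []string{"0177.0.0.1", "00000177.0.0.1", "127.0.026.1", "08.0.0.1", "127.0.0.1", "93.184.216.34"} {
		seen, _ := lenientParseIPv4(target)
		actual, err := inetAtonIPv4(target)
		fmt.Printf("%-16s validator sees %-14v connects to %-14v (%v)  vulnerable=%t hardened=%t\n",
			target, seen, actual, err, vulnerableAllows(target), hardenedAllows(target))
	}
}
```

Run with `go run`; the "0177.0.0.1" and "00000177.0.0.1" rows show the validator accepting 177.0.0.1 while the connection goes to 127.0.0.1, the "08.0.0.1" row shows the denial-of-service variant mentioned in the advisory (accepted by the validator, rejected by inet_aton), and the hardened filter refuses all three before any range comparison is made.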

More details on this vulnerability in Go are available at the following link.

