A vulnerability found in the Rust and Go network libraries prevents IP validation

Details were recently published about vulnerabilities found in the standard libraries of the Rust and Go languages, related to incorrect handling of IP addresses containing octal digits in the address parsing functions.

It is noted that these flaws make it possible to bypass the validation of valid addresses in applications, for example to arrange access to loopback addresses or to an intranet subnet when carrying out attacks.

The problem in both languages is that IP addresses containing zero-prefixed octets should, according to the specification, be interpreted as octal numbers; many libraries, however, do not take this into account and simply drop the zero, ending up treating the value as decimal.

For example, to understand how IP addresses are interpreted under these bugs: the number 0177 in octal is 127 in decimal, so an attacker could request a resource specifying the value "0177.0.0.1", which, read as octal, is the decimal value "127.0.0.1".

This is why, when one of the affected libraries is used, the application will not detect that the address 0177.0.0.1 was supplied. In the same way, validation of access to intranet addresses can be fooled by specifying different values, which an attacker would evaluate for possible exploitation.

On the Rust side, the problem was found in the standard library "std::net" and has already been listed as "CVE-2021-29922". The library's IP address parser drops leading zeros from an address value, but when an octet is not given with exactly three digits, for example "0177.0.0.1", it is interpreted as an invalid value and an incorrect result is returned.

Improper validation of octal input in rust-lang's "net" library allows unauthenticated remote attackers to carry out indeterminate SSRF, RFI and LFI attacks on many programs that rely on rust-lang's std::net. IP address octets are stripped instead of being evaluated as valid IP addresses.

It is also noted that applications using the std::net::IpAddr library to parse user-supplied addresses are vulnerable to SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion) attacks. Likewise, an attacker could enter 127.0.026.1, which is actually 127.0.22

For example, an attacker who submits an IP address to a web application built on std::net::IpAddr could cause SSRF by entering octal input; the attacker can submit exploitable IP addresses if the octet has 3 digits, with the minimum exploitable octet being 08, which results in a denial of service, and the maximum exploitable octet being 099, which also results in a denial of service.

If you want to know more about this vulnerability in Rust, you can check the details at the following link. It is also noted that the vulnerability was fixed in the Rust 1.53.0 branch.

As for the problem affecting Go, it is noted that it lies in the standard library "net" and has already been listed as CVE-2021-29923. The description states that it allows unauthenticated remote attackers to carry out indeterminate SSRF, RFI and LFI attacks on many programs that rely on Go's built-in net.ParseCIDR function. Individual IP octets in the CIDR are stripped instead of being evaluated as valid IP octets.

For example, an attacker can pass the value 00000177.0.0.1, which, when checked with the net.ParseCIDR function, is evaluated as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself on the Kubernetes platform. The vulnerability was fixed in Go version 1.16.3 and the 1.17 beta.
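To make the Rust and Go behaviour described above concrete, here is an added Go example (not code from the article, nor from either standard library) with two functions whose names are my own: OctalAwareIPv4 reads a dotted quad the way inet_aton does, so it reveals what a zero-prefixed octet actually denotes, and StrictParseIPv4 is the defensive counterpart that refuses any leading-zero octet before handing the string to net.ParseIP.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// OctalAwareIPv4 interprets a dotted quad like inet_aton: an octet that starts
// with "0" is octal, so "0177.0.0.1" denotes 127.0.0.1 and "127.0.026.1"
// denotes 127.0.22.1. It is a diagnostic showing what such input means, not a
// validator (hypothetical helper, not part of Go's net package).
func OctalAwareIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base := 10
		if len(p) > 1 && p[0] == '0' {
			base = 8 // zero prefix means octal, so "08" and "099" are invalid
		}
		v, err := strconv.ParseUint(p, base, 8) // bitSize 8 bounds the octet to 0..255
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// StrictParseIPv4 rejects any octet with a leading zero before calling
// net.ParseIP, so a lenient parser behind it can never silently turn
// "0177.0.0.1" into 177.0.0.1 (hypothetical helper, not part of Go's net package).
func StrictParseIPv4(s string) (net.IP, error) {
	for _, p := range strings.Split(s, ".") {
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("%q: octet %q has a leading zero", s, p)
		}
	}
	ip := net.ParseIP(s)
	if ip == nil || ip.To4() == nil {
		return nil, fmt.Errorf("%q: not a valid IPv4 address", s)
	}
	return ip.To4(), nil
}
```

The same leading-zero check belongs in front of net.ParseCIDR wherever the prefix string comes from an untrusted source, since the CIDR case described above is the same octet problem.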

You can learn more about this vulnerability at the following link.
