Vulnerability found in the Rust and Go network libraries allows bypassing IP address validation

Details were recently published about vulnerabilities found in the standard libraries of the Rust and Go languages, related to the incorrect handling of IP addresses containing octal digits in the address parsing functions.

These vulnerabilities are said to allow validation of permitted addresses to be bypassed and, for example, access to loopback interface addresses or intranet subnets to be arranged when carrying out server-side request forgery (SSRF) attacks.

The vulnerability is the same in both languages: IP address strings with a leading zero are, by convention, meant to be interpreted as octal numbers, but the problem behind these glitches is that many libraries ignore this and simply discard the zero, so they end up treating the value as a decimal number.

For example, to understand how IP addresses are interpreted under these bugs: the number 0177 in octal is 127 in decimal, so an attacker can request a resource by specifying the value "0177.0.0.1", which, if the octal notation is respected, corresponds to "127.0.0.1" in decimal.

Therefore, when one of the problematic libraries is used, the application will not detect that the address 0177.0.0.1 belongs to the 127.0.0.1 subnet, but in practice, when the request is sent, the address "0177.0.0.1" can still be reached because, owing to the incorrect interpretation, the network functions will process it as 127.0.0.1. Similarly, access to intranet addresses can be obtained by spoofing and checking different values, which the attacker will test to see whether they can be exploited.

On the Rust side, the problem was found to lie in the standard library "std::net" and has already been catalogued as CVE-2021-29922. It is described that this library's IP address parser discards the zero in front of the address values, but only when no more than three digits are specified; for example, "0177.0.0.1" will be treated as an invalid value and an incorrect result will be returned in response.

The incorrect validation of input strings in the rust-lang standard "net" library allows unauthenticated attackers to perform unlimited SSRF, RFI and LFI attacks on many programs that depend on rust-lang std::net. IP address octets are stripped instead of being evaluated as valid IP addresses.

It is also mentioned that applications using the std::net::IpAddr library to parse user-specified addresses are vulnerable to SSRF (server-side request forgery), RFI (remote file inclusion) and LFI (local file inclusion) attacks. Similarly, an attacker could enter 127.0.026.1, which is actually 127.0.22

For example, an attacker submitting an IP address to a web application based on std::net::IpAddr could cause SSRF by entering octal input data; an attacker can submit exploitable IP addresses if the octet has 3 digits, with the minimum exploitable octet being 08 (leading to denial of service) and the maximum exploitable octet being 099 (also leading to denial of service).

If you want to know more about this vulnerability in Rust, you can check the details at the following link. It is also mentioned that the vulnerability was fixed in the Rust 1.53.0 branch.

As for the problem affecting Go, it is reported to lie in the standard "net" library and has already been listed as CVE-2021-29923. The description states that it allows unauthenticated remote attackers to perform unlimited SSRF, RFI and LFI attacks on many programs that depend on golang's built-in function. Individual CIDR IP octets are stripped instead of being evaluated as valid IP octets.

For example, an attacker could pass the value 00000177.0.0.1, which, when checked by the net.ParseCIDR function, will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also shows up in the Kubernetes platform. The vulnerability was fixed in Go version 1.16.3 and in the 1.17 beta.
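The defensive counterpart to the Rust and Go parsing behaviour described above, as an added example that is not code from the article, the Rust project or the Go project: a strict IPv4 parser that refuses any octet with a leading zero (so "0177.0.0.1", "00000177.0.0.1" and "127.0.026.1" are rejected instead of being silently reinterpreted), plus an SSRF guard built on it that fails closed. The helper names StrictParseIPv4 and IsInternalDestination are hypothetical; the blocked ranges are the loopback, RFC 1918 and link-local networks, which are an assumption about what a typical guard would refuse.

```go
package main

import (
	"errors"
	"net"
	"strconv"
	"strings"
)

// ErrAmbiguousIPv4 flags input that a lenient parser might silently reinterpret.
var ErrAmbiguousIPv4 = errors.New("ipv4 string is not canonical dotted-decimal")

// StrictParseIPv4 accepts only canonical dotted-decimal: four octets of 1..3
// digits, no leading zeros, each 0..255. "0177.0.0.1" and "00000177.0.0.1" are
// rejected rather than read as 177.0.0.1. Hypothetical helper, not Go's net API.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, ErrAmbiguousIPv4
	}
	var b [4]byte
	for i, p := range parts {
		// Leading zero is the ambiguous case (octal vs zero-stripped decimal).
		if p == "" || len(p) > 3 || (len(p) > 1 && p[0] == '0') {
			return nil, ErrAmbiguousIPv4
		}
		v, err := strconv.ParseUint(p, 10, 8) // rejects signs, non-digits, > 255
		if err != nil {
			return nil, ErrAmbiguousIPv4
		}
		b[i] = byte(v)
	}
	return net.IPv4(b[0], b[1], b[2], b[3]), nil
}

// IsInternalDestination reports whether an SSRF guard should refuse s: malformed
// or ambiguous strings fail closed, and a strictly parsed address is checked
// against loopback, RFC 1918 and link-local ranges (constant, valid CIDR literals).
func IsInternalDestination(s string) bool {
	ip, err := StrictParseIPv4(s)
	if err != nil {
		return true
	}
	for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"} {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}
```

Rejecting ambiguous input outright is safer than normalising it, because the application's validator and the operating system's resolver may otherwise still disagree about what the string means.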

You can read more about this vulnerability at the following link.
