Hey there!
I've recently come across a Go application with an arbitrary file write
vulnerability restricted to `/proc/self`. After researching for a little,
I've found the following article which exploits such a vulnerability in a
NodeJS application, escalating it into remote code execution by using
anonymous pipes for control messages of the language runtime. [^1]
I wondered whether Go is susceptible to the same attacks, as it also
utilizes anonymous pipes, and checked what is sent into the pipes by a
benign exemplary Go application:
```
166301 epoll_create1(EPOLL_CLOEXEC <unfinished ...>
166301 <... epoll_create1 resumed>) = 3<anon_inode:[eventpoll]>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 4<pipe:[591683]>, {events=EPOLLIN, data={u32=11354728, u64=11354728}}) = 0
166307 epoll_pwait(3<anon_inode:[eventpoll]>, <unfinished ...>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 7</proc/sys/net/core/somaxconn>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 6<socket:[591684]>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
```
Values like `124595967125352 (0x7151c25c6768)` look like pointers, which
generally look interesting depending on what the runtime does with them.
I quickly skimmed the source code to find the relevant handlers, but to no
success.
Can anyone point me in the right direction here, or did someone even
analyze the security of these anon pipes before?
Best,
Moritz
[^1]:
https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/
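The epoll registrations from the strace above, parsed and with each data payload labelled by address range, as an added example that is not part of the original post or of the Go project. The address-range labels (static data segment vs. mmap region) are an assumption about a non-PIE Go binary on linux/amd64, not something the trace itself states.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample: the epoll_ctl calls from the post's strace, one per line.
const sampleTrace = `166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 4<pipe:[591683]>, {events=EPOLLIN, data={u32=11354728, u64=11354728}}) = 0
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 7</proc/sys/net/core/somaxconn>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 6<socket:[591684]>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0`
// Registration is one fd the traced process added to its epoll instance.
type Registration struct {
	FD     int    // registered file descriptor
	Target string // what strace -y resolved the fd to, e.g. "pipe:[591683]"
	Events string // requested event mask
	Data   uint64 // epoll_data payload; the Go runtime stores a pointer here
}

var epollAddRe = regexp.MustCompile(`epoll_ctl\(\d+<anon_inode:\[eventpoll\]>, ` +
	`EPOLL_CTL_ADD, (\d+)<([^>]*)>, \{events=([A-Z|]+), data=\{u32=\d+, u64=(\d+)\}\}\) = 0`)
// ParseEpollAdds extracts every successful EPOLL_CTL_ADD from strace output.
func ParseEpollAdds(trace string) []Registration {
	var regs []Registration
	for _, m := range epollAddRe.FindAllStringSubmatch(trace, -1) {
		fd, _ := strconv.Atoi(m[1])
		data, _ := strconv.ParseUint(m[4], 10, 64)
		regs = append(regs, Registration{FD: fd, Target: m[2], Events: m[3], Data: data})
	}
	return regs
}

// ClassifyData labels a payload by address range. The ranges are an assumption
// about a non-PIE Go binary on linux/amd64, not something the trace states.
func ClassifyData(d uint64) string {
	switch {
	case d >= 0x400000 && d < 0x100000000:
		return "static address, likely a runtime global in the data segment"
	case d >= 0x700000000000 && d < 0x800000000000:
		return "mmap region, likely a runtime-allocated pollDesc"
	}
	return "unclassified"
}

func main() {
	for _, r := range ParseEpollAdds(sampleTrace) {
		fmt.Printf("fd %d (%s) %s data=%#x: %s\n", r.FD, r.Target, r.Events, r.Data, ClassifyData(r.Data))
	}
}
```

The same payload showing up on fd 7 and fd 6 is consistent with the runtime reusing one descriptor object after the first fd was closed, which is an inference from the trace rather than something it states.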
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To view this discussion visit
https://groups.google.com/d/msgid/golang-nuts/c3144b53-675e-4d9e-be77-6285ff60509cn%40googlegroups.com.