Hey there!

I recently came across a Go application with an arbitrary file write 
vulnerability restricted to `/proc/self`. After researching for a little, 
I found the following article which exploits such a vulnerability in a 
NodeJS application, escalating it into remote code execution by using 
anonymous pipes for control messages of the language runtime. [^1]

I wondered whether Go is susceptible to the same attacks, as it also 
utilizes anonymous pipes, and checked what is sent into the pipes by a 
benign exemplary Go application:

```
166301 epoll_create1(EPOLL_CLOEXEC <unfinished ...>
166301 <... epoll_create1 resumed>) = 3<anon_inode:[eventpoll]>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 4<pipe:[591683]>, {events=EPOLLIN, data={u32=11354728, u64=11354728}}) = 0
166307 epoll_pwait(3<anon_inode:[eventpoll]>,  <unfinished ...>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 7</proc/sys/net/core/somaxconn>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 6<socket:[591684]>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
```

Values like `124595967125352 (0x7151c25c6768)` look like pointers, which 
generally look interesting depending on what the runtime does with them.

I quickly skimmed the source code to find the relevant handlers, but to no 
success.
Can anyone point me in the right direction here, or has someone already 
analyzed the security of these anon pipes before?

Best,
Moritz

[^1]: https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/
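As an added illustration (my own code, not part of Moritz's message or of the Go runtime), here is a small Go program that inventories the calling process's own descriptors from `/proc/self/fd` and classifies them the same way strace annotates them in the trace above (`anon_inode:[eventpoll]`, `pipe:[591683]`, `socket:[591684]`, a plain path). Both ends of one anonymous pipe share a pipe inode, so grouping descriptors by that inode shows which pipes the runtime created for itself before `main` ran; that inventory is what a reviewer assessing the reach of a write restricted to `/proc/self` would want to see first. The function names and the constructed descriptor table in `main` are assumptions of this example; the link-target formats are the ones Linux `/proc` actually uses.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// FDKind is the classification of one /proc/self/fd link target.
type FDKind struct {
	Kind  string // "eventpoll", "pipe", "socket", "file" or "other"
	Inode string // kernel object id for pipes and sockets, empty otherwise
}

// ClassifyFD maps a readlink(2) result from /proc/self/fd/N to a FDKind.
// The formats are the ones the kernel emits (and strace echoes):
// "anon_inode:[eventpoll]", "pipe:[<inode>]", "socket:[<inode>]", or a path.
func ClassifyFD(target string) FDKind {
	inode := func(prefix string) string {
		return strings.TrimSuffix(strings.TrimPrefix(target, prefix), "]")
	}
	switch {
	case target == "anon_inode:[eventpoll]":
		return FDKind{Kind: "eventpoll"}
	case strings.HasPrefix(target, "pipe:["):
		return FDKind{Kind: "pipe", Inode: inode("pipe:[")}
	case strings.HasPrefix(target, "socket:["):
		return FDKind{Kind: "socket", Inode: inode("socket:[")}
	case strings.HasPrefix(target, "/"):
		return FDKind{Kind: "file"}
	default:
		return FDKind{Kind: "other"}
	}
}

// PairPipes groups descriptor numbers by pipe inode. The read and write end
// of one anonymous pipe share an inode, so a pipe the process owns both ends
// of (as the runtime's own pipe does) shows up as two fds under one key.
func PairPipes(fds map[int]string) map[string][]int {
	out := map[string][]int{}
	for fd, target := range fds {
		if k := ClassifyFD(target); k.Kind == "pipe" {
			out[k.Inode] = append(out[k.Inode], fd)
		}
	}
	for _, ends := range out {
		sort.Ints(ends) // sorts in place; the map still references the same array
	}
	return out
}

// ReadSelfFDs reads /proc/self/fd (Linux only) into fd -> link target.
// Descriptors that vanish between ReadDir and Readlink (such as the
// directory handle ReadDir itself used) are skipped rather than reported.
func ReadSelfFDs() (map[int]string, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	out := map[int]string{}
	for _, e := range entries {
		n, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		target, err := os.Readlink("/proc/self/fd/" + e.Name())
		if err != nil {
			continue
		}
		out[n] = target
	}
	return out, nil
}

func main() {
	fds, err := ReadSelfFDs()
	if err != nil {
		// Off Linux (or with /proc hidden) fall back to a constructed table
		// mirroring the descriptors seen in the strace excerpt above.
		fds = map[int]string{
			3: "anon_inode:[eventpoll]",
			4: "pipe:[591683]", 5: "pipe:[591683]",
			6: "socket:[591684]",
			7: "/proc/sys/net/core/somaxconn",
		}
	}
	nums := make([]int, 0, len(fds))
	for fd := range fds {
		nums = append(nums, fd)
	}
	sort.Ints(nums)
	for _, fd := range nums {
		fmt.Printf("fd %d -> %-32s %+v\n", fd, fds[fd], ClassifyFD(fds[fd]))
	}
	for inode, ends := range PairPipes(fds) {
		fmt.Printf("pipe inode %s: both ends held as fds %v\n", inode, ends)
	}
}
```

Run it before any `net` or timer use and again after; the difference in the listing is the set of descriptors the runtime's poller added (the eventpoll fd and the pipe pair), which is the same set that the `epoll_ctl` calls in the trace register.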

To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/c3144b53-675e-4d9e-be77-6285ff60509cn%40googlegroups.com.