Hey there! I've recently come across a Go application with an arbitrary file write vulnerability restricted to `/proc/self`. After researching for a little, I've found the following article which exploits such a vulnerability in a NodeJS application, escalating it into remote code execution by using anonymous pipes for control messages of the language runtime. [^1]
I wondered whether Go is susceptible to the same attacks, as it also utilizes anonymous pipes, and checked what is sent into the pipes by a benign exemplary Go application:

```
166301 epoll_create1(EPOLL_CLOEXEC <unfinished ...>
166301 <... epoll_create1 resumed>) = 3<anon_inode:[eventpoll]>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 4<pipe:[591683]>, {events=EPOLLIN, data={u32=11354728, u64=11354728}}) = 0
166307 epoll_pwait(3<anon_inode:[eventpoll]>, <unfinished ...>
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 7</proc/sys/net/core/somaxconn>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
166301 epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 6<socket:[591684]>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688, u64=124595967125352}}) = 0
```

Values like `124595967125352 (0x7151c25c6768)` look like pointers, which generally look interesting depending on what the runtime does with them. I quickly skimmed the source code to find the relevant handlers, but without success.

Can anyone point me in the right direction here, or has someone even analyzed the security of these anon pipes before?

Best,
Moritz

[^1]: https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/c3144b53-675e-4d9e-be77-6285ff60509cn%40googlegroups.com.