On Thu, Jan 9, 2025 at 9:16 AM Moritz Sanft <greek...@gmail.com> wrote:
>
> I've recently came across a Go application with an arbitrary file write
> vulnerability restricted to `/proc/self`. After researching for a little,
> I've found the following article which exploits such a vulnerability in a
> NodeJS application, escalating it into remote code execution by using
> anonymous pipes for control messages of the language runtime. [^1]
>
> I wondered whether Go is susceptible to the same attacks, as it also utilizes
> anonymous pipes, and checked what is sent into the pipes by a benign
> exemplary Go application:
>
> ```
> 166301 epoll_create1(EPOLL_CLOEXEC <unfinished ...> 166301 <... epoll_create1
> resumed>) = 3<anon_inode:[eventpoll]> 166301
> epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 4<pipe:[591683]>,
> {events=EPOLLIN, data={u32=11354728, u64=11354728}}) = 0 166307
> epoll_pwait(3<anon_inode:[eventpoll]>, <unfinished ...> 166301
> epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD,
> 7</proc/sys/net/core/somaxconn>, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET,
> data={u32=3260835688, u64=124595967125352}}) = 0 166301
> epoll_ctl(3<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 6<socket:[591684]>,
> {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3260835688,
> u64=124595967125352}}) = 0
> ```
> Values like `124595967125352 (0x7151c25c6768)` look like pointers, which
> generally look interesting depending on what the runtime does with them.
>
> I quickly skimmed the source code to find the relevant handlers, but to no
> success.
> Can anyone point me into the right direction here, or did someone even
> analyze the security of these anon pipes before?
Interesting vulnerability.
An arbitrary Go program can of course create anonymous pipes and use
them however it likes, which may possibly introduce a vulnerability in
some cases. I assume that your question is specifically about using
anonymous pipes in the Go runtime and standard library.
On macOS the Go runtime uses an anonymous pipe to wake up the thread
that manages the queue of incoming signals. The value sent on the pipe
is ignored so I don't see a security issue here (other than a possible
denial of service attack, but arbitrary file writes probably permit
that in other ways).
On NetBSD, OpenBSD, and AIX the Go runtime uses an anonymous pipe to
wake up the network poller when a newer timer is scheduled. Again the
value on the pipe is ignored.
I don't think there is any other use of anonymous pipes.
The pointers you show as the data of EPOLL_CTL_ADD, presumably on
Linux, are internal pointers that are passed into epoll and returned
from epoll. They are not sent on the network or received from the
network. They are used so that when some operation occurs on a file
descriptor the runtime poller knows what to do. These are not
anonymous pipes, and I don't see any vulnerability there.
So I don't see any security issue here for Go in general. Of course it
would be interesting to learn otherwise. If somebody sees a security
problem, please see https://go.dev/security for a safe way to report
it.
Ian
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/golang-nuts/CAOyqgcUmebkAB5BcgmWedWNbo87Oi_Qji7%2BTY1aEUeXCoZRf4g%40mail.gmail.com.
