fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Google Fixes Severe Golang Windows RCE Vulnerability

Google Fixes Severe Golang Windows RCE Vulnerability

This month Google engineers have fixed a severe remote code execution (RCE) vulnerability in the Go language (Golang).

The RCE vulnerability, CVE-2021-3115, mainly impacts Windows users of Go running the go get command, due to the default behavior of Windows PATH lookups.

RCE from PATH lookups in untrusted directories

Recently, Japan-based security researcher RyotaK discovered a command injection vulnerability in the Golang project.

The vulnerability, tracked as CVE-2021-3115, stems from how the compile process works when a user runs the “go get” command to fetch a repository.

Generally, on Windows systems, an OS shell command ran by the user or a program causes the shell to search for the binary/executable associated with that command within the current directory first, followed by a list of directories specified in the system PATH variable.

For example, if you type netstat in a Windows command prompt, Windows would first look around for a netstat.exe, netstat.bat, or another netstat.* executable in the current directory (see screenshot below) which would get priority and be executed.

Also Read: How a Smart Contract Audit Works and Why it is Important

Testing Windows PATH lookup
Typing netstat in Windows command prompt, but not PowerShell, runs the locally present netstat.bat rather than the system utility
Source: BleepingComputer

Should no netstat exist in the current folder, only then would the Windows shell look for the netstat system utility, the location of which exists on the Windows %PATH% variable. 

Due to security risks associated with this behavior, both the Unix shell and Windows PowerShell had earlier dropped this default behavior and began prioritizing the %PATH% variable locations over the untrusted current directory, when executing commands.

This means, running netstat in PowerShell would launch the netstat system utility and not the locally present netstat.bat since PoweShell prioritizes looking up the binary by that name in the %PATH% directories.

However, for consistency, Golang binariesimitate Unix rules on Unix systems, and Windows rules on Windows.

This means, running the following Go command would produce slightly different behaviors on Unix and Windows systems.

out, err := exec.Command("go", "version").CombinedOutput()

This Golang line is the equivalent of running the go version OS shell command.

On Windows, a locally present go binary would get priority, whereas Unix systems would first search its $PATH variable to see if a go binary exists in one of the trusted locations.

This model of prioritizing the local, untrusted directory over PATH locations is also implemented by helper libraries and compilers included within Go, such as cgo, a utility designed to generate Go packages that call C code. 

When cgo is compiling C code on Windows, eventually, the Golang executable searches for the GCCcompiler within the (untrusted) local directory first.

“When go get downloads and builds a package that contains import “C”, it runs a program called cgo to prepare the Go equivalent of the relevant C code.”

“The go command runs cgo in the directory containing the package sources,” explains Google engineer Russ Cox.

Although most of these calls happen in a safe manner, the GCC compiler is invoked by Go’s exec.Command function which, on Windows, makes it possible for Go to launch a malicious gcc.exe included by the attacker within their application sources, rather than the legitimate GCC compiler.

It may seem like this mishap could have been caught and prevented by multiple intermediary compilers and libraries that are invoked (such as cgo or gcc), but Golang project took responsibility for the bug and issued a fix.

“Today’s bug, however, was entirely our fault, not a bug or obscure feature of gcc or git.”

“The bug involves how Go and other programs find other executables, so we need to spend a little time looking at that before we can get to the details,” says Cox.

Researcher inspired by an earlier critical vulnerability

BleepingComputer reached out to RyotaK to learn more about how he had discovered this vulnerability.

It turns out, reading about a critical command injection vulnerability in Git LFS, CVE-2020-27955, is what had inspired the researcher to hunt for a similar flaw in Golang itself.

“I found this vulnerability because of CVE-2020-27955. It was a remote code execution in Git LFS, which is caused by insecure file execution.”

“While checking the technical details of [the bug], I thought like ‘Can this vulnerability be affected to official Go project?'”

“And then, I started to read repositories that belong to the golang organization. Shortly after that, I found this vulnerability with some other vulnerabilities that have the same root cause.”

“Since this vulnerability could allow the execution of arbitrary code while building the malicious code on Windows, it may affect systems that expect Go not to execute arbitrary code at build time,” RyotaK told BleepingComputer in an email interview.

For a remote attacker to exploit this vulnerability, however, a user needs to run the go get command against a malicious repository.

“It requires some interaction by the victim; they need to run ‘go get’ against the malicious repository,” the researcher further told BleepingComputer.

The Golang team at Google has fixed the vulnerability and users are advised to upgrade their instances.

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

Users can upgrade to the recently released Go versions 1.14.14 (for 1.14.x and earlier), and 1.15.7 (for users of 1.15.x) to mitigate this vulnerability.

Additionally, Google developers have also released a patch for a cryptographic flaw, CVE-2021-3114, reported by Philippe Antoine of Catena cyber in the same releases.

The upcoming Go 1.16rc1 release is also expected to include fixes for both CVE-2021-3114 and CVE-2021-3115.

Thanks to any.run for Windows VM access.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us