科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Netmask NPM package, used by 270k+ projects, vulnerable to octal input data

123 points by chha about 4 years ago

19 comments

lucumo about 4 years ago
Some people will use this to argue against dependencies or npm, but I would argue that this vulnerability is actually a great example of why those are good things.

The bug is caused by an esoteric IP address notation. Nearly everyone who would need this functionality would get the implementation wrong. In the exact same way the author of netmask did. However, netmask is now fixed and this bug will now no longer appear in any new implementation.

Even better: npm will start to give warnings about this vulnerable package and will provide a fix through npm audit. Everything that is maintained in a reasonable way will now no longer have this vulnerability.

This is not a failure of dependencies or npm: this is an example of why those are good things.
fanf2 about 4 years ago
This bug is not NPM’s nor JavaScript’s fault. It’s mostly due to bad specifications of how IPv4 addresses are represented in text.

The writeup at https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/ has a link to an informative ancient expired IETF draft https://tools.ietf.org/html/draft-main-ipaddr-text-rep which describes how things stood in 2003.

A more recent and more official RFC from the IETF on the security implications of inconsistent parsers discusses the issue behind this CVE: https://tools.ietf.org/html/rfc6943#section-3.1.1

The problem is that for a very long time the IETF did not specify the textual syntax of IPv4 addresses, and the POSIX specification for parsing dotted quads is bonkers.

I think it is unfortunate that they fixed the bug by aligning with inet_aton()’s ancient foolish support for octal, instead of inet_pton()’s newer strict decimal syntax, forbidding leading zeroes.
qwertox about 4 years ago
NPM scared me right from the beginning. There was so much stuff getting pulled in that it was pretty clear that this can't be secure. This is what mostly kept me away from node.

I have the same feeling about PyPI, but to a way lesser extent. Python can already do much by itself, so that the amount of packages one installs is controllable.
the_duke about 4 years ago
Tangentially related:

Many companies have auditing requirements for external dependencies, with increasing strictness for more sensitive domains.

It would be immensely helpful to distribute this effort.

We could have a platform that pays top domain experts and security researchers for audits. Companies can get access to it via a subscription model or by paying for specific dependencies.

Vulnerabilities would also be reported and fixed, helping everyone, and companies benefit by having a trustworthy source for audits and save internal work.

Ideally the platform would be successful enough to open up a good amount of audits publicly to benefit the whole community.

Also related: cargo-crev [1] explores a concept for shared auditing and trust for Rust crates.

[1] https://github.com/crev-dev/cargo-crev
GuidoW about 4 years ago
The problem is that the input is parsed twice.

First by the netmask function that reads 0127 as 127 and the second time by the js-network stack code that reads it differently.

The solution is not to change netmask to ignore leading zeros. The solution is to parse it into 4 uint8 values, validate the netblock on the numeric values and if the range is approved, *generate* the ip-address from your four numbers. That way you *know* for sure that the js-network stack is going to interpret it as you intend.

There are some beautiful (horrifying) examples in this presentation: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
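The parse, validate on numbers, then regenerate approach GuidoW describes, combined with the strict decimal syntax fanf2 prefers (no leading zeros, no hex), written out as an added example. This is illustrative code, not netmask's or any project's own; the function names and the internal-range list are my own choices.

```javascript
// Added example, not netmask's code: parse a dotted quad strictly into four
// numbers, validate on those numbers, and rebuild the address text from them
// so that no second parser can read the input differently than we did.

// Accept only "a.b.c.d" with each part a plain decimal octet.
// "0127" (leading zero), "0x7f" (hex), three-part forms, and values > 255
// are all rejected. A strict parser never has to decide whether "0127"
// means 127 (netmask's old reading) or 87 (octal, as inet_aton reads it).
function parseIPv4Strict(text) {
  const parts = String(text).split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    // Exactly "0", or 1..3 digits not starting with zero.
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Regenerate the address from the validated numbers. This string, not the
// caller's original text, is what gets handed to the network stack.
function formatIPv4(octets) {
  return octets.join(".");
}

// Range check done on the numeric octets, never on the text:
// "this network", loopback, RFC 1918 private, and link-local blocks.
function isInternalIPv4(o) {
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Validate untrusted input and return the canonical text to connect to,
// or null if the input is malformed or points at an internal range.
function canonicalPublicIPv4(text) {
  const octets = parseIPv4Strict(text);
  if (octets === null || isInternalIPv4(octets)) return null;
  return formatIPv4(octets);
}
```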
sumanthvepa about 4 years ago
A large number of packages may be using it but the actual danger posed is very much dependent on the application using the library. That's a little hard to assess.
skrebbel about 4 years ago
Sidenote: whoever thought octal notation was useful was, well, wrong. Can we just stop supporting it entirely? I mean, how much of the internet will break if octal IPv4 addresses would stop working? Or if `010` would stop compiling in C sources except if some --enable-octal flag were supplied?
phsau about 4 years ago
Can anyone explain a scenario where this is exploitable? I don't understand how this is likely to result in SSRF, file inclusion, etc. What applications are taking user supplied IP addresses?
rwmj about 4 years ago
Isn't this good? It'll be fixed in one place, and 270k other projects will get the fix, more or less automatically? Bugs happen, I'd rather they happen this way than the code had been copied into the other projects.
richrichardsson about 4 years ago
> if byte.length > 2 and (byte[1] == 'x' or byte[1] == 'x')

Am I going crazy or is the `or` clause completely pointless?
jusssi about 4 years ago
The random thing learned from the article is that *ping* parses octal, and apparently also hexadecimal. So now I can do *ping 0x7f.0x1* next time I want to show off.
Cthulhu_ about 4 years ago
This is one reason why a company like NPM (or whoever is behind it), or really any company that hosts dependencies, should audit and verify packages and package updates.

I'm sure there are businesses that would pay for a dependency provider that ensures all versions of all packages hosted there are reviewed, security checked and signed off on. With a warranty clause, so that if something like this does come out, they get compensated for damages (if actively exploited). A bug bounty should of course also be offered.

A bit like Apple's app store but for libraries. Or the ideal thereof anyway. Basically a library developer can't just keep spamming updates, they would have to be more careful with what they submit.

And of course, library devs would get a slice of the pie, an X amount per installation.

It probably wouldn't work because people (even large enterprises who cannot afford any security issue like this) prefer free.
koolba about 4 years ago
IIUC, this is not exploitable in the more common setups where the IP address is being sourced from the inbound request. It's only an issue when the IP address itself is supplied by the user as text. Using something like the "ip" field on an inbound request would not be vulnerable.
hospadar about 4 years ago
I'm really curious - has anyone ever worked somewhere where _all_ packages are _actually_ reviewed?

I'm pretty sure this really is a thing in some places (defense contractors, etc), but I'm curious if anyone's actually been exposed to a real company that really reviews everything.
toxik about 4 years ago
I feel like the proper fix is to NOT have such a versatile IP address interpretation in browsers etc.
tpetry about 4 years ago
Tldr: Leading zeros in ips are not calculated correctly. The stated „server-side request forgery, remote file inclusion, local file inclusion, and more“ issues are not within the package, these are anticipated issues when ips pass the validation which should fail...
rozab about 4 years ago
I wonder what the average dependency tree depth is for these 270k projects? How long will it take for the fix to propagate to the majority of them?
tyingq about 4 years ago
Octets can be octal, hah!
jojobas about 4 years ago
NPM was a mistake.

Unvetted code essentially marketed as an extended standard library.