top | item 38613526


jonnytran | 2 years ago

The same author has a post from 2022 [1].

> Is it possible to achieve arbitrary code execution on any Go version, even with PIE, and with no package import at all, just builtins? Yes!

Whether it's capture the flag is irrelevant, IMO, because anything that's allowed by the compiler will emerge given enough complexity.

1: https://blog.stalkr.net/2022/01/universal-go-exploit-using-d...


blincoln | 2 years ago

Wow, that's super interesting. As you say, it's a contrived CTF example, but I'm pretty shocked that it's possible to read and write arbitrary process memory without importing any packages (especially unsafe, of course).

I'm also surprised that a fix has been theorized at least as far back as 2010 [1], but not implemented. Is adding one layer of internal pointer redirection for interfaces, slices, and strings really that much of a performance concern?

[1] https://research.swtch.com/gorace

Thaxll | 2 years ago

Go was released in 2009 and I've never heard about any exploit or whatnot. By the way, this is known and by design; it's not new. It's all about interfaces being multi-word.

I mean, if in 14 years there was nothing, it's proof that it's not an issue.

Even the attacker acks that it's not a threat:

"As said before, while a fun exercise it's pretty useless in the current Go threat mode"
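The "multi-word" point raised in the two comments above, shown as an added example that is not part of the thread or the linked posts: an interface value, a string header and a slice header each span more than one machine word, so a plain write to such a field cannot be a single atomic store, and a concurrent reader can observe the type word from one value and the data word from another. The defensive pattern below publishes the whole interface value behind one pointer-sized atomic store with `sync/atomic`'s `atomic.Pointer` (Go 1.19+). `Shape`, `Square`, `Circle`, `SafeHolder` and the constants are constructed for this example.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"unsafe"
)

// Shape is a constructed interface. An interface value is two machine words
// (type/itab pointer and data pointer); a string header is two words, a slice
// header three. None of them can be written with one aligned store, which is
// why an unsynchronized write racing a read can yield a type/data mismatch.
type Shape interface{ Area() float64 }

type Square struct{ Side float64 }
type Circle struct{ R float64 }

func (s Square) Area() float64 { return s.Side * s.Side }
func (c Circle) Area() float64 { return 3 * c.R * c.R } // pi rounded to 3 for exact arithmetic

// WordCounts returns how many machine words an interface value, a string
// header and a slice header occupy on this platform (2, 2 and 3 on all
// supported Go targets).
func WordCounts() (iface, str, slice int) {
	w := int(unsafe.Sizeof(uintptr(0)))
	var s Shape
	var st string
	var sl []byte
	return int(unsafe.Sizeof(s)) / w, int(unsafe.Sizeof(st)) / w, int(unsafe.Sizeof(sl)) / w
}

// SafeHolder is the hardened form: instead of writing the two-word interface
// value in place, it stores a pointer to a fully built copy, so readers see
// either the old or the new (type, data) pair, never a half-updated one. A
// plain `var cur Shape` written from one goroutine and read from another is
// the racy form; `go run -race` / `go test -race` reports that race.
type SafeHolder struct {
	p atomic.Pointer[Shape]
}

// Set publishes s atomically; &s is a fresh heap copy per call.
func (h *SafeHolder) Set(s Shape) { h.p.Store(&s) }

// Get returns the most recently published value, or nil before any Set.
func (h *SafeHolder) Get() Shape {
	if p := h.p.Load(); p != nil {
		return *p
	}
	return nil
}

// ConsistentUnderConcurrency alternates Square and Circle values from a writer
// goroutine while the caller reads n times. It returns false if any read
// observes a value whose dynamic type and payload disagree (e.g. a Circle
// whose Area is not 3), which the atomic publication prevents.
func ConsistentUnderConcurrency(n int) bool {
	var h SafeHolder
	h.Set(Square{Side: 2})
	done := make(chan struct{})
	go func() {
		for i := 0; i < n; i++ {
			if i%2 == 0 {
				h.Set(Circle{R: 1})
			} else {
				h.Set(Square{Side: 2})
			}
		}
		close(done)
	}()
	ok := true
	for i := 0; i < n; i++ {
		switch v := h.Get().(type) {
		case Square:
			if v.Area() != 4 {
				ok = false
			}
		case Circle:
			if v.Area() != 3 {
				ok = false
			}
		default:
			ok = false
		}
	}
	<-done
	return ok
}

func main() {
	i, s, sl := WordCounts()
	fmt.Printf("interface=%d words, string=%d words, slice=%d words\n", i, s, sl)
	fmt.Println("consistent under concurrent publication:", ConsistentUnderConcurrency(100000))
}
```

The same one-pointer publication applies to strings and slices shared across goroutines: wrap them in a struct behind `atomic.Pointer`, or guard them with a mutex, rather than assigning the multi-word header directly.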

mikrotikker | 2 years ago

How long was OpenVPN in use before we discovered Heartbleed?

Or bash before Shellshock?