Well, to be fair, if you don't want your binaries exploited, don't write the exploit into them. I can't see a case where this could be used, unless you're letting people execute arbitrary code on your system, in which case you're screwed anyway.
> Well, to be fair, if you don't want your binaries exploited, don't write the exploit into them.
That's a bit naive and not the point of this PoC. The exploit used a bug in the code generator. Normally, guard code would have been generated that would have caught that issue, but it just wasn't, and that's why the exploit worked.
So in theory, every program with that particular programming bug and the missing guard code (due to the code generator bug) is vulnerable.
"Never ascribe to malice that which is adequately explained by incompetence"
Imagine a programmer has a shitty day, lacks concentration, and adds code like this to his internet-facing server app:
type Embedded struct {
offset [0x400100]byte
address uint32
}
type Struct struct {
*Embedded
bar int
}
var instance Struct
Later in the code, he forgets to initialize instance.Embedded.
When handling an HTTP request that comes from the internet, instance.Embedded.address is filled from a GET parameter. Et voila, anyone who can do a GET request can overwrite memory, possibly leading to code execution.
The bug in the code was unintentional, because programmers (like all humans) make mistakes, the HTTP request was intentional (it was done by the attacker), and the exploit worked because of a bug in the code generation.
Ah, okay. I think this particular exploit falls a bit too far into the "you have to work to make it useful" spectrum (the "offset [0x400100]byte" part), but I see how it might be exploitable, thanks.
It's also worth remembering that a complete exploit can often compose numerous "small" vulnerabilities into the realized breach. As such, it's easy to discount a seemingly hard-to-exploit vulnerability until you see it in action. It may be used in concert with other weaknesses or "widened" by an unforeseen technique.
As a specific example, check out the two-part wrap-up of the Pwnium browser hacking competition[1] [2]. It's a great illustration of chaining weaknesses together to achieve a desired exploit.
Hmm, I must be missing something. This isn't a normal binary that can be exploited by a malicious user. This is a binary that exploits the compiler to write to memory to places it shouldn't.
This can only happen if the developer is malicious relatively to the compiler. Since you're the developer, and you're trying to avoid this exploit happening to you, there's no need to worry: Just don't perform the exploit.
It sounds to me like you're saying "we need to have more research so I can avoid exploiting the Go compiler".
Yes, you missed the part where I said this that was a generalised comment and that I'm aware this specific attack isn't a practical real-world vulnerability.
What you're doing is that typical thing that people do online when they're so busy trying to assert their intellectual superiority that you completely miss the point that was being raised.
