A critical vulnerability, tracked as CVE-2023-29405, was recently disclosed in the Go programming language's "go" command. The vulnerability allows arbitrary code execution at build time when cgo is used. This may occur when running "go get" on a malicious module, or when running any other command that builds untrusted code. The flaw is triggered through linker flags specified via a "#cgo LDFLAGS" directive, and it only affects builds that use the gccgo compiler.

Exploit Details

The vulnerability stems from the mishandling of flags containing embedded spaces: a disallowed flag can be smuggled past the LDFLAGS sanitization by embedding it in the argument of another, permitted flag. For instance, consider the following code snippet:

// #cgo LDFLAGS: -Wl,--wrap=hidden_function -lmalicious_library
/*
#include <stdio.h>
void hidden_function() {
    // Execute arbitrary code
    printf("Hidden function called\n");
}
*/
import "C"

In this example, the -Wl,--wrap=hidden_function flag wraps the "hidden_function" symbol, allowing the malicious library to use "hidden_function" as an entry point for executing arbitrary code.

Google's Security Report

Users are advised to upgrade their Go compiler to the latest version from the official website:

Go Download Page

In addition, users can take the following precautions to help protect themselves from exploitation:

1. When using cgo with untrusted code, review the #cgo LDFLAGS directives for any suspicious linker flags.
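As an added example (not part of the original article or the Go project), the following small Go checker performs the review suggested above over Go source text: it extracts #cgo LDFLAGS directives, splits them shell-style so a quoted argument stays whole, and reports arguments that contain embedded whitespace (the shape the sanitizer mishandled) or fall outside a simplified allowlist. The allowlist, the regular expressions and the sample directives are assumptions constructed for this example, not the go command's real rules.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious argument in a "#cgo LDFLAGS:" directive; Line is 1-based.
type Finding struct{ Line int; Arg, Reason string }

// ldflagsLine matches "#cgo [constraints] LDFLAGS: <args>" inside a comment line.
var ldflagsLine = regexp.MustCompile(`^\s*(?://|/\*)?\s*#cgo\s+(?:[^:]*\s)?LDFLAGS:\s*(.*?)\s*(?:\*/)?\s*$`)

// token splits like a shell would: a quoted run is one argument, so it can hide a space.
var token = regexp.MustCompile(`"([^"]*)"|'([^']*)'|(\S+)`)

// allowed is a simplified allowlist assumed here (not the go command's real list): -l, -L, -Wl,-rpath.
var allowed = regexp.MustCompile(`^(-l[\w.+-]+|-L\S+|-Wl,-rpath[,=]\S+)$`)

// ScanCgoLDFLAGS reports arguments with embedded whitespace (the CVE-2023-29405 shape) or outside the allowlist.
func ScanCgoLDFLAGS(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := ldflagsLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for _, t := range token.FindAllStringSubmatch(m[1], -1) {
			arg := t[1] + t[2] + t[3] // exactly one capture group is non-empty
			if strings.ContainsAny(arg, " \t") {
				out = append(out, Finding{i + 1, arg, "embedded whitespace"})
			} else if !allowed.MatchString(arg) {
				out = append(out, Finding{i + 1, arg, "flag not in allowlist"})
			}
		}
	}
	return out
}

// sample is constructed input: a clean directive, the article's own directive, and a quoted argument hiding a space.
const sample = "// #cgo LDFLAGS: -L/opt/lib -lfoo\n" +
	"// #cgo LDFLAGS: -Wl,--wrap=hidden_function -lmalicious_library\n" +
	"// #cgo linux LDFLAGS: \"-Wl,-rpath,/opt/lib -Wl,--wrap=hidden_function\" -lfoo\n"

func main() {
	for _, f := range ScanCgoLDFLAGS(sample) {
		fmt.Printf("line %d: %q: %s\n", f.Line, f.Arg, f.Reason)
	}
}
```

Run over a checkout, the same function can be fed each .go file of a dependency before it is built; a finding means the directive needs a human look, not that the module is necessarily malicious.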

Conclusion

The discovery of CVE-2023-29405 highlights the risk of building untrusted code with the "go" command. It is essential for users to stay informed about security vulnerabilities and to apply the relevant patches and best practices to minimize exposure. While the Go team has patched this vulnerability in recent releases, users must remain vigilant about potential risks and take appropriate measures to safeguard their systems and applications.

Timeline

Published on: 06/08/2023 21:15:00 UTC
Last modified on: 06/16/2023 13:15:00 UTC