CVE-2024-24787: Arbitrary Code Execution Vulnerability in Go Modules Containing CGO on Darwin with Apple's ld

A recently discovered vulnerability (CVE-2024-24787) affects Go modules containing CGO on Darwin when using the Apple version of the linker (ld). This vulnerability can be exploited to execute arbitrary code through the usage of the -lto_library flag in a "#cgo LDFLAGS" directive. In this post, we will discuss the details of this vulnerability, provide a code snippet to demonstrate the issue, and point out the original references for further information.

Exploit Details

This vulnerability allows attackers to craft a malicious Go module using CGO and exploit the -lto_library flag in combination with the Apple version of ld to build the module. This can lead to arbitrary code execution, and consequently compromise the security of the targeted system.

The root cause of this issue lies in the use of the -lto_library flag in the "#cgo LDFLAGS" directive. This flag allows specifying a different library to be used for link-time optimization (LTO), enabling the attacker to inject their own malicious library. As a result, when ld links the module, it will execute the supplied code, leading to arbitrary code execution.

Code Snippet

Below is a simplified example of a malicious Go module containing CGO code, demonstrating the usage of the -lto_library flag in a "#cgo LDFLAGS" directive to exploit the vulnerability:

package main

/*
#cgo LDFLAGS: -lto_library /path/to/malicious/library.dylib
#include <stdio.h>

void execute_malicious_code() {
    printf("Arbitrary code executed!\n");
}
*/
import "C"

func main() {
    C.execute_malicious_code()
}

In this simplified example, the attacker has created a Go module containing CGO code, and has specified a malicious library via the -lto_library flag in the #cgo LDFLAGS directive. When building this module using the Apple version of ld, the execute_malicious_code() function is linked, and the arbitrary code will be executed.

Original References

The details of this vulnerability were first disclosed in a security advisory posted on the Go programming language's Github repository. You can find the original security advisory here:

- GitHub Advisory Database - CVE-2024-24787

Mitigation

To mitigate this vulnerability, it is crucial to avoid using the Apple version of ld when building Go modules containing CGO code. Instead, use an alternative linker like the LLVM's linker (lld) to build the module. Additionally, be cautious about the use of third-party libraries and ensure the integrity of the libraries being used when building Go modules.

Conclusion

CVE-2024-24787 is a critical vulnerability that could potentially result in arbitrary code execution when building Go modules containing CGO on Darwin with the Apple version of ld. It is essential to understand the risks associated with using the -lto_library flag in the "#cgo LDFLAGS" directive and take the necessary precautions to mitigate this vulnerability. Stay tuned to the Go programming language repository for any updates and patches related to this issue.

Timeline

Published on: 05/08/2024 16:15:08 UTC
Last modified on: 07/03/2024 01:48:25 UTC