Do you know this common Go vulnerability?
This YouTube video discusses a Capture The Flag (CTF) challenge involving a Go web application with a unique architecture: a frontend communicating with a backend via Unix domain sockets, creating a separate backend process for each session. The speaker initially missed the vulnerability due to this unusual setup, focusing on potential issues with the socket or execution.
The vulnerability was a Go race condition. The challenge’s checkpath function, which prevents reading flag.txt, uses an error variable that’s only assigned (not declared) within the handler. Because multiple requests can run concurrently, another request could reset the error variable to nil after checkpath had set it, allowing the read to succeed. This was exacerbated by the separate backend processes per session, preventing race conditions between different teams.
Key takeaways:
- Unusual Architecture: The CTF challenge’s architecture, using a frontend and backend communicating through Unix domain sockets and creating a new backend for each session, initially misled the speaker and was a key part of the vulnerability.
- Go Race Condition: The core vulnerability was a race condition stemming from improper declaration and assignment of the error variable within a concurrent Go function. The lack of explicit declaration led to variable shadowing, allowing concurrent requests to overwrite the error state.
- Shadowed Variables: The speaker highlights the importance of understanding variable shadowing in Go, especially when debugging concurrent code. Tools like VS Code’s debugger can help identify these situations.
- Proc File System Exploitation: While not the intended solution, the team successfully exploited the /proc filesystem to read the flag file via another process’s file descriptor, bypassing the checkpath function’s restrictions. This was deemed acceptable by the CTF organizers.
- Intended Solution: The intended solution was exploiting the race condition by concurrently sending requests that set the error variable to nil while attempting to read the flag file.
- Lesson Learned: The speaker emphasizes the importance of understanding Go’s concurrency features and paying close attention to variable declaration and assignment, especially with error handling, when working with concurrent code.
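The shared-error pattern the video describes, reconstructed as an added Go example (not the challenge's code): a handler that assigns a package-level err with "=" beside one that declares its own err with ":=", plus a harness that fires concurrent requests at each and counts how often flag.txt slips through. The file paths, the checkPath policy and the handler names are assumptions; how often the vulnerable handler leaks depends on scheduling, but the fixed one never does.

```go
package main

import (
	"errors"
	"path/filepath"
	"sync"
	"sync/atomic"
)
// Constructed example: one package-level err shared by every request handler,
// written with plain "=" instead of being declared per request with ":=".
var err error
// checkPath rejects any request whose base name is flag.txt (assumed policy).
func checkPath(p string) error {
	if filepath.Base(p) == "flag.txt" {
		return errors.New("reading flag.txt is forbidden")
	}
	return nil
}

// vulnerableHandler stores checkPath's result in the shared err, so a concurrent
// request for an allowed file can reset it to nil before the check below runs.
func vulnerableHandler(p string) bool {
	err = checkPath(p) // writes the package-level err
	return err == nil  // true means the read is allowed
}

// fixedHandler declares its own err with ":=", so requests never share state.
func fixedHandler(p string) bool {
	err := checkPath(p) // local to this call
	return err == nil
}

// forbiddenReads fires n pairs of concurrent requests (an allowed file and
// flag.txt) at handler and counts how often flag.txt was allowed through.
func forbiddenReads(handler func(string) bool, n int) int64 {
	var wg sync.WaitGroup
	var leaked int64
	for i := 0; i < n; i++ {
		wg.Add(2)
		go func() { defer wg.Done(); handler("/srv/app/notes.txt") }()
		go func() {
			defer wg.Done()
			if handler("/srv/app/flag.txt") {
				atomic.AddInt64(&leaked, 1)
			}
		}()
	}
	wg.Wait()
	return leaked
}
```

Running forbiddenReads(vulnerableHandler, n) under `go test -race` reports the unsynchronized writes to the package-level err, which is the cheapest way to catch this class of bug before it ships; the fixed handler produces no report.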
The video also promotes the speaker’s online training platform, hex.io, specifically highlighting their Android application security course sponsored by Google.