github/securitylab

[Go]: Query To Detect Denial Of Service Vulnerability

Closed this issue · 9 comments

Query PR

github/codeql#15130

Language

GoLang

CVE(s) ID list

CWE

CWE-770

Report

  1. What is the vulnerability?

The vulnerability in Go occurs when the built-in make function is used to create slices from user-controlled sources with a maliciously large value. This can lead to excessive memory allocation and potentially result in a denial of service attack. By providing inputs that exceed the expected memory and capacity constraints, attackers can overwhelm the system and cause it to become unresponsive.

  2. How does the vulnerability work?

The vulnerability arises when the make function is used to create slices from user-controlled sources with a size parameter that exceeds a certain threshold. This triggers excessive memory allocation, which can lead to a denial of service. Attackers exploit this vulnerability by providing inputs that go beyond the intended boundaries, overwhelming the system and rendering it unresponsive.

  3. What strategy do you use in your query to find the vulnerability?

The query searches for code patterns where the make function is used to create slices from user-controlled sources. It then checks if the provided size exceeds a specific threshold, indicating a potential vulnerability.

  4. How have you reduced the number of false positives?

To minimize false positives, the query includes specific criteria that exclude potential false positives. It verifies if a size comparison has been applied to the second parameter passed to the make function. This helps differentiate between legitimate instances and potentially vulnerable ones.

  5. Other information?

To reproduce the vulnerability, follow these steps:

  1. Clone the repository: git clone https://github.com/distribution/distribution
  2. Checkout the specific branch: git checkout -b v2.8.2-beta.1
  3. Generate the database.
  4. Run the query to identify potential vulnerabilities in the codebase.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
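The pattern the submission describes (an untrusted size flowing into the second argument of `make`) and the sanitizer it uses to suppress false positives (a size comparison on that argument) side by side, as an added example. This is not code from the submission or from the distribution/distribution project; it uses a constructed wire format (a 4-byte big-endian length prefix followed by the payload), an assumed application limit `MaxPayload`, and hypothetical function names `parseUnchecked` and `parseBounded`.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxPayload is an assumed application-level ceiling for any buffer whose
// size comes from untrusted input (constructed value for this example).
const MaxPayload = 1 << 20 // 1 MiB

var (
	ErrShortHeader = errors.New("message shorter than 4-byte length prefix")
	ErrTooLarge    = errors.New("declared length exceeds MaxPayload")
	ErrTruncated   = errors.New("declared length exceeds bytes actually present")
)

// encodeMessage builds a message in the constructed wire format used here:
// a 4-byte big-endian length prefix followed by the payload.
func encodeMessage(payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, uint32(len(payload)))
	copy(msg[4:], payload)
	return msg
}

// attackerMessage is a constructed hostile input: a length prefix claiming
// 4 GiB with no payload behind it. Four bytes on the wire, gigabytes in RAM.
func attackerMessage() []byte {
	return []byte{0xFF, 0xFF, 0xFF, 0xFF}
}

// parseUnchecked is the pattern the query flags (CWE-770): the length read
// from the input flows into the second argument of make with no comparison
// on the way. Calling it on attackerMessage() is exactly the failure mode.
func parseUnchecked(msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, ErrShortHeader
	}
	n := binary.BigEndian.Uint32(msg[:4])
	buf := make([]byte, n) // size chosen by whoever sent the message
	copy(buf, msg[4:])
	return buf, nil
}

// parseBounded is the hardened form. The comparison of n against MaxPayload
// before make is the sanitizer the query looks for; the second check also
// rejects messages that declare more bytes than they carry, so the
// allocation never exceeds the data actually received.
func parseBounded(msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, ErrShortHeader
	}
	n := binary.BigEndian.Uint32(msg[:4])
	if n > MaxPayload {
		return nil, ErrTooLarge
	}
	if uint64(n) > uint64(len(msg)-4) {
		return nil, ErrTruncated
	}
	buf := make([]byte, n)
	copy(buf, msg[4:4+n])
	return buf, nil
}

func main() {
	good := encodeMessage([]byte("hello"))
	out, err := parseBounded(good)
	fmt.Printf("bounded(good):     %q err=%v\n", out, err)
	_, err = parseBounded(attackerMessage())
	fmt.Printf("bounded(attacker): err=%v\n", err)
	out, err = parseUnchecked(good)
	fmt.Printf("unchecked(good):   %q err=%v\n", out, err)
}
```

The limit check is what turns a remotely triggerable allocation into a cheap error return; sizing the cap from what the application legitimately needs, rather than from what the integer type allows, is the whole mitigation.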

Hello @Malayke 👋 could you provide a CodeQL database with the vulnerable version of the codebase, which contains the CVE?

Hi @sylwia-budzynska, this is the CodeQL database link for the vulnerable version of https://github.com/distribution/distribution

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Your submission is now in status Final decision.


Your submission is now in status Pay.


Hi @Malayke can you please provide a public email address, or send one to me privately?

Hi @xcorail I've already sent an email to your GitHub email address.

Created Hackerone report 2407167 for bounty 557823 : [809] [Go]: Query To Detect Denial Of Service Vulnerability

Your submission is now in status Closed.
