Security researchers have pointed out a security risk in how the Python library ipaddress parses IP addresses. The library is used to handle IPv4 and IPv6 addresses and, among other things, offers convenient functions for creating address objects from strings. However, it ignores leading zeros instead of treating them as a marker that the address is given as an octal number.
The researchers had already pointed out the same problem in the npm package netmask, which is now available in an updated version that evaluates octal numbers correctly. For the Python library there is no patch so far. The library, introduced in Python 3.3, originally did check for possible octal numbers, and the documentation also refers to this check.
Ambiguous and insecure
Previously the library did not convert values with a leading zero either, but because of the ambiguity it raised an error. The release notes for version 3.8.0a4, however, record the change that the library now ignores leading zeros instead of treating them as an indication of octal numbers. The associated pull request dates from May 2019.
Most browsers and many command-line tools do interpret a leading zero as an indication of an octal number, but this convention is largely unknown, as the reactions in the heise forum to the report on the netmask vulnerability showed, among other things. That is exactly why the bug can be exploited.
A zero with a lot of weight
When IP addresses are evaluated, a leading 0 usually indicates that the address is given not in decimal but in octal notation. A ping to the supposedly external address 018.104.22.168 therefore goes to localhost 127.0.0.1. Calling the address in Chrome and other browsers also leads to the internal address.
This opens a possible attack vector against software that uses ipaddress: while the destination address resolves to a local one in the browser, a Python application treats it as external. The reverse applies to the address 0127.0.0.1, which ipaddress interprets as local but which leads to the address 22.214.171.124 in the browser.
Analogously, the private address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 in CIDR notation can be made to look private by inserting a leading 0, while the browser actually ends up in public address space. Among other things, SSRF attacks (Server-Side Request Forgery) become possible if an application uses ipaddress to decide whether a request is allowed.
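The following added example (not code from the article or from the Python project) makes the divergence described in the previous paragraphs concrete and shows the check a defender wants in front of an allowlist decision. It models the C-library inet_aton convention (leading 0 octal, 0x hex, fewer than four parts allowed) in a small helper, contrasts it with a strict canonical dotted-decimal parser that rejects leading zeros outright, and uses the strict parser for the "is this request allowed" decision. The helper names, the inet_aton model and all sample addresses are assumptions constructed for this example; the canonical-form check does not depend on which Python version's ipaddress behaviour is in use.

```python
import ipaddress
import re

# Constructed model of the inet_aton convention used by many browsers and
# command-line tools: a part starting with 0x is hexadecimal, a part starting
# with 0 is octal, anything else decimal; 1 to 4 parts are allowed and the
# last part fills the remaining bytes. This is a simplified model for
# illustration, not a copy of any particular libc implementation.
_INET_ATON_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def inet_aton_style(text: str) -> ipaddress.IPv4Address:
    """Interpret an IPv4 string the way inet_aton-style parsers do."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 parts")
    values = []
    for part in parts:
        if not _INET_ATON_PART.fullmatch(part):
            raise ValueError(f"invalid part: {part!r}")
        if part[:2].lower() == "0x":
            values.append(int(part[2:], 16))
        elif len(part) > 1 and part[0] == "0":
            values.append(int(part, 8))       # leading zero means octal
        else:
            values.append(int(part, 10))
    # all but the last part must fit in one byte; the last fills the rest
    for value in values[:-1]:
        if value > 255:
            raise ValueError("part out of range")
    remaining = 4 - (len(values) - 1)
    if values[-1] >= 256 ** remaining:
        raise ValueError("last part out of range")
    number = 0
    for value in values[:-1]:
        number = (number << 8) | value
    number = (number << (8 * remaining)) | values[-1]
    return ipaddress.IPv4Address(number)


# Strict canonical form: exactly four decimal octets, no leading zeros.
_CANONICAL_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Accept only canonical dotted-decimal; reject anything ambiguous."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected exactly 4 octets")
    for part in parts:
        if not _CANONICAL_OCTET.fullmatch(part) or int(part) > 255:
            raise ValueError(f"non-canonical octet: {part!r}")
    return ipaddress.IPv4Address(text)


def is_canonical_ipv4(text: str) -> bool:
    """True when the string would survive the strict parser."""
    try:
        strict_ipv4(text)
    except ValueError:
        return False
    return True


def is_request_allowed(text: str) -> bool:
    """Allowlist decision for an outbound request target (SSRF guard).

    Non-canonical input is refused before any range check, so a string that
    a browser or libc would read as octal can never slip through as 'public'.
    """
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return addr.is_global


def interpretations(text: str) -> dict:
    """Show how the two parsers read the same string (None = rejected)."""
    result = {}
    for name, parser in (("inet_aton", inet_aton_style), ("strict", strict_ipv4)):
        try:
            result[name] = str(parser(text))
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample inputs, including leading-zero and hex forms.
    for sample in ("0177.0.0.1", "010.0.0.1", "0x7f.1", "127.0.0.1", "8.8.8.8"):
        print(sample, interpretations(sample), "allowed:", is_request_allowed(sample))
```

The point of keeping the strict parser in front of the range check is that the decision no longer depends on how ipaddress itself treats leading zeros in the interpreter version that happens to be deployed: anything that is not plain dotted-decimal is refused, and only the canonical form is ever compared against private or loopback ranges.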
Discussions around the 0
Meanwhile, the Python project's leadership is discussing how and in which releases the community will fix the vulnerability. While some see no great urgency, the tenor is that a fix is needed not only for the upcoming Python 3.10 but also for the likewise affected versions 3.8 and 3.9.
Further details on the discovery of the vulnerability can be found in the security researchers' blog post. The finding is unlikely to be the last of its kind, which raises the fundamental question of whether it would not be generally sensible to drop the rarely used and easily overlooked marking of octal numbers by a leading zero in many applications and browsers. Even though it has grown historically, it is significantly less obvious than, for example, the marking of hexadecimal numbers by 0x or of binary numbers by 0b, each of which places a letter next to the leading zero.