
CVE-2021-29922

Improper Input Validation of octal literals in std::net

Reported
Issued
Package: std
Type: Vulnerability
Keywords: #IpAddr #SSRF #RFI #LFI
References
Patched
  • >=1.53.0
Affected Functions (Version)
  • std::net::IpAddr::from_str: <=1.52.1
  • std::net::Ipv4Addr::from_str: <=1.52.1
  • std::net::Ipv6Addr::from_str: <=1.52.1

Description

Improper input validation of octal strings in the rust-lang standard library `std::net` allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on std::net. Leading zeros in IP address octets are stripped and the remaining digits are read as decimal, rather than the input being rejected as an invalid IP address. For example, an attacker submitting an IP address to a web application that relies on std::net::IpAddr could cause SSRF by supplying octal input data. An attacker can submit exploitable IP addresses if the octet is 3 digits, with the minimum exploitable octet being 08 (Denial of Service) and the maximum exploitable octet being 099 (Denial of Service). For example, an attacker can submit 010.8.8.8, which is 8.8.8.8 (RFI), yet std::net::IpAddr will evaluate this as 10.8.8.8. Equally, an attacker can input 127.0.026.1, which is really 127.0.22.1, but Rust evaluates it as 127.0.26.1.
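The parser discrepancy described above, made concrete as an added example (not code from the advisory or from the Rust standard library): a strict dotted-decimal validator an application can apply so that leading-zero octets are rejected regardless of toolchain version, alongside a minimal inet_aton-style reading that treats a leading zero as octal. The function and type names (`parse_strict_ipv4`, `inet_aton_style`, `Rejection`) are assumptions introduced here.

```rust
use std::net::Ipv4Addr;

/// Why a textual IPv4 address was rejected by the strict validator (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum Rejection {
    /// Not four dot-separated decimal octets in 0..=255.
    Malformed,
    /// An octet such as "010" has a leading zero: decimal in std::net < 1.53.0,
    /// octal in inet_aton-style parsers, so it must not be accepted.
    LeadingZeroOctet(String),
}

/// Accept only canonical dotted-decimal IPv4 text. Applying this before (or in
/// addition to) `str::parse` makes the result independent of whether the
/// toolchain accepts "010.8.8.8" as 10.8.8.8 (<= 1.52.1) or rejects it (>= 1.53.0).
pub fn parse_strict_ipv4(s: &str) -> Result<Ipv4Addr, Rejection> {
    let octets: Vec<&str> = s.split('.').collect();
    if octets.len() != 4 {
        return Err(Rejection::Malformed);
    }
    for o in &octets {
        if o.is_empty() || !o.bytes().all(|b| b.is_ascii_digit()) {
            return Err(Rejection::Malformed);
        }
        if o.len() > 1 && o.starts_with('0') {
            return Err(Rejection::LeadingZeroOctet((*o).to_string()));
        }
    }
    // Every octet is now plain decimal; std does the 0..=255 range check.
    s.parse::<Ipv4Addr>().map_err(|_| Rejection::Malformed)
}

/// How an inet_aton-style parser reads the same text: an octet with a leading
/// zero is octal (only that rule is modelled here, not hex or short forms).
/// Shown so the two readings of one string can be compared side by side.
pub fn inet_aton_style(s: &str) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut out = [0u8; 4];
    for (i, p) in parts.iter().enumerate() {
        let (radix, digits) = if p.len() > 1 && p.starts_with('0') { (8, &p[1..]) } else { (10, *p) };
        // "08" and "099" fail here: 8 and 9 are not octal digits.
        let v = u32::from_str_radix(digits, radix).ok()?;
        if v > 255 {
            return None;
        }
        out[i] = v as u8;
    }
    Some(Ipv4Addr::from(out))
}
```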

Advisory available under CC0-1.0 license.