A vulnerability was found in the SHA-3 algorithm library

If exploited, such flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

A vulnerability (already tracked as CVE-2022-37454) has been identified in the implementation of the SHA-3 (Keccak) cryptographic hash function provided in the XKCP package (eXtended Keccak Code Package).

The identified vulnerability can cause a buffer overflow while processing specially crafted data. The problem is due to a bug in the code of this particular SHA-3 implementation, not a weakness in the algorithm itself.

The XKCP package is considered the official implementation of SHA-3, developed with the participation of the Keccak development team, and it is used as the basis for SHA-3 functionality in various programming languages (for example, XKCP code is used in Python's hashlib module, the Ruby digest-sha3 package, and PHP's hash_* functions).

According to the researcher who found the problem, the vulnerability can be used to violate the cryptographic properties of the hash function and find first and second preimages, as well as to produce collisions.

The cause of the memory corruption is that the code tries to write more data into the buffer than it can hold. This kind of flaw is known as a buffer overflow, which OWASP describes as "probably the best-known form of software security vulnerability."

A small variation of the code leads to an infinite loop: just replace 4294967295 with 4294967296. Note the similarity to CVE-2019-8741, another vulnerability I found, which affected the firmware of 1.4 billion Apple devices and also resulted in an infinite loop.

In addition, the creation of a working exploit has been announced that achieves code execution when a hash is computed over a specially crafted file. The vulnerability can also be used to attack digital signature verification algorithms that use SHA-3 (for example, Ed448). Full details of the attack methods are expected to be published later, once the vulnerability has been fully remediated.

Such behavior should not occur in "safe" languages like Python and PHP, since they check that all read and write operations stay within bounds. However, the problem is that the vulnerability lives in the underlying "unsafe" C code...

It is not yet known how the vulnerability affects existing applications in practice: for the problem to manifest, the code must compute the hash incrementally over blocks, and one of the processed blocks must be about 4 GB in size (at least 2^32 - 200 bytes).

When the input data is processed in a single pass (without computing the hash incrementally in parts), the problem does not occur. As the simplest protection, it is recommended to limit the maximum amount of data passed in a single iteration of the hash computation.

The vulnerable code was published in January 2011, so it took more than a decade to find this vulnerability. It seems hard to find vulnerabilities in cryptographic implementations, even though they play a crucial role in the overall security of the system. (Perhaps people do not even look for such vulnerabilities, since neither this XKCP vulnerability nor the Apple vulnerability mentioned above qualified for any bug bounty program!)

The overflow is caused by an error in the block-wise processing of input data. Because of an incorrect comparison of values of type "int", the wrong maximum data size was computed, which causes the queued tail of the input to be written outside the allocated buffer.

Specifically, it is mentioned that in the comparison the expression «partialBlock + instance->byteIOIndex», evaluated in 32-bit unsigned arithmetic, wraps around for large part sizes, so the clamp to the remaining space in the block is never applied. In addition, the code contains an incorrect type cast, "(unsigned int)(dataByteLen - i)", which truncates the remaining length and causes an overflow on systems with a 64-bit size_t.
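To make the two arithmetic mistakes and the trigger conditions concrete, here is an added example in C. It is not code from XKCP, from the researcher, or from this article: it is a hypothetical model of the index bookkeeping of an XKCP-style absorb loop (the `struct sponge`, `absorb_model`, `absorb_chunked` and `scenario` names are mine). It performs no memory writes at all; where the real code would copy bytes into the 200-byte Keccak state, the model only checks whether the copy would stay inside the current block, which is what lets the 4 GB case run instantly. The unpatched arithmetic follows the two expressions quoted above; the "fixed" variant is the obvious correction (compare before narrowing), not necessarily the exact upstream patch. Rate 144 is SHA3-224's block size, the constants 4294967295 and 4294967296 are the ones named in the text, and a 64-bit size_t is assumed. The last scenario shows the mitigation recommended earlier, capping the bytes handed to a single update, working even with the unpatched arithmetic.

```c
#include <stddef.h>
#include <stdio.h>

/* Keccak-f[1600] state is 200 bytes; rateInBytes is the block size (144 for
 * SHA3-224, 136 for SHA3-256). byteIOIndex counts bytes of the current block
 * already queued by earlier update() calls. Hypothetical model, not XKCP. */
#define KECCAK_STATE_BYTES 200u

enum absorb_result { ABSORB_OK = 0, ABSORB_OUT_OF_BOUNDS = 1, ABSORB_INFINITE_LOOP = 2 };

struct sponge {
    unsigned int rateInBytes;
    unsigned int byteIOIndex;
};

/* Unpatched arithmetic as described in the article: the size_t remaining length
 * is narrowed to unsigned int, then added to byteIOIndex in 32-bit unsigned
 * arithmetic. Either step can wrap, so the clamp to the free space is skipped. */
static unsigned int partial_block_vulnerable(size_t remaining,
                                             unsigned int byteIOIndex,
                                             unsigned int rateInBytes)
{
    unsigned int partialBlock = (unsigned int)remaining;   /* truncation on 64-bit size_t */
    if (partialBlock + byteIOIndex > rateInBytes)          /* 0xFFFFFFFF + 1 wraps to 0 */
        partialBlock = rateInBytes - byteIOIndex;
    return partialBlock;
}

/* Corrected arithmetic: compare in size_t first, clamp, and only then narrow. */
static unsigned int partial_block_fixed(size_t remaining,
                                        unsigned int byteIOIndex,
                                        unsigned int rateInBytes)
{
    unsigned int room = rateInBytes - byteIOIndex;
    return remaining > room ? room : (unsigned int)remaining;
}

/* Walks the absorb loop for an update() of dataByteLen bytes without touching
 * memory: reports whether a copy would leave the block, or whether the loop
 * would stop making progress, instead of performing the copy. */
static enum absorb_result absorb_model(struct sponge *s, size_t dataByteLen, int patched)
{
    size_t i = 0;
    while (i < dataByteLen) {
        if (s->byteIOIndex == 0 && dataByteLen - i >= s->rateInBytes) {
            /* full-block path: whole blocks are absorbed directly, nothing queued */
            i += ((dataByteLen - i) / s->rateInBytes) * s->rateInBytes;
            continue;
        }
        unsigned int partialBlock = patched
            ? partial_block_fixed(dataByteLen - i, s->byteIOIndex, s->rateInBytes)
            : partial_block_vulnerable(dataByteLen - i, s->byteIOIndex, s->rateInBytes);

        if (partialBlock == 0)
            return ABSORB_INFINITE_LOOP;      /* i never advances: the 4294967296 case */
        if ((size_t)s->byteIOIndex + partialBlock > s->rateInBytes)
            return ABSORB_OUT_OF_BOUNDS;      /* real code would write past the state */

        i += partialBlock;
        s->byteIOIndex += partialBlock;
        if (s->byteIOIndex == s->rateInBytes)
            s->byteIOIndex = 0;               /* block complete: permute, start a new one */
    }
    return ABSORB_OK;
}

/* Mitigation from the article: cap the bytes given to one update() so the
 * narrowed length can never approach 2^32, even with the unpatched arithmetic. */
static enum absorb_result absorb_chunked(struct sponge *s, size_t dataByteLen,
                                         int patched, size_t maxChunk)
{
    while (dataByteLen > 0) {
        size_t chunk = dataByteLen < maxChunk ? dataByteLen : maxChunk;
        enum absorb_result r = absorb_model(s, chunk, patched);
        if (r != ABSORB_OK)
            return r;
        dataByteLen -= chunk;
    }
    return ABSORB_OK;
}

/* Runs one constructed scenario from a fresh state; maxChunk == 0 means no chunking. */
static enum absorb_result scenario(unsigned int rateInBytes, unsigned int byteIOIndex,
                                   unsigned long long dataByteLen, int patched, size_t maxChunk)
{
    struct sponge s = { rateInBytes, byteIOIndex };
    return maxChunk ? absorb_chunked(&s, (size_t)dataByteLen, patched, maxChunk)
                    : absorb_model(&s, (size_t)dataByteLen, patched);
}

int main(void)
{
    /* Constructed trigger: SHA3-224, 1 byte already queued, then one huge update. */
    printf("vulnerable, 4294967295 bytes: %d (1 = out-of-bounds write)\n",
           scenario(144u, 1u, 4294967295ULL, 0, 0));
    printf("vulnerable, 4294967296 bytes: %d (2 = infinite loop)\n",
           scenario(144u, 1u, 4294967296ULL, 0, 0));
    printf("patched,    4294967295 bytes: %d (0 = ok)\n",
           scenario(144u, 1u, 4294967295ULL, 1, 0));
    printf("vulnerable, single pass:      %d (0 = ok)\n",
           scenario(144u, 0u, 4294967295ULL, 0, 0));
    printf("vulnerable, 1 GiB chunks:     %d (0 = ok)\n",
           scenario(144u, 1u, 4294967295ULL, 0, (size_t)1 << 30));
    return 0;
}
```

The single-pass scenario starts with byteIOIndex at 0, so the full-block path consumes everything but a sub-block tail and the narrowed length never gets near 2^32; this is why the text says the bug only appears with incremental hashing. The chunked scenario is the recommended workaround for callers who cannot upgrade yet: any cap well below 2^32 - 200 bytes per update keeps the wrapping addition out of reach.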

Finally, if you are interested in learning more about this, you can check the details at the following link.

