
Chukwuemeka Nelson Nwauche

July 10, 2025

Article Response 26 (C2 with Go Infra)

Now my curiosity is piqued and the evil mode kicks in. It feels like arbitrary data can be pushed to the checksum database without a connection to Go. Why is the data being pushed? And how is it being pushed? I go to bed thinking about this, which is the most dangerous moment for security research. As I try to fall asleep, I come up with tons of ideas, but I’m usually too tired or lazy to take notes, and so, quite frequently, I can’t remember them in the morning. But this one wasn’t forgotten! A new day and a curious mind demands answers. Why, how and, what if are the most dangerous questions in this field. If a Git repository has nothing to do with Go code, how does it appear in the Go checksum database?

Article

In this article, the author talks about how he stumbled upon a vulnerability in the Go proxy and checksum infrastructure. This vuln allows any code to be uploaded and then downloaded at will regardless of the contents. It's a short write-up but it's very informative and I really like the formatting of the blog.

One thing that struck me about this post was the quote above and how it reminds me of every hacker[1] I know (myself included). They all seem to be very good at catching minor differences that would be ignored by most people. They always ask, "What would happen if I used this system in the way it was designed, but with a small but important change?" I'll concede that I tend to gravitate towards hackers who share similar traits to myself, so my sample pool may be biased in terms of what I said earlier. But I've also read a lot of write-ups and disclosures where the same pattern emerges.

In the article, that's exactly what happened. He noticed the difference in the casing of the letters (homebrew vs Homebrew) and kept pulling on that string until he found the vuln. There's a lot of value in investigating why things are the way they are. Unlike the lower levels of the computer stack, which are governed by physics, all the code is man-made and thus governed by arbitrary rules. Once you learn what these rules are and (more importantly) why they were created, finding scenarios that exploit them becomes way easier. A lot of times you'll even stumble into said scenarios without explicitly looking for them.

Thanks for reading and as always, all comments, critiques and questions are highly appreciated. Here's a link to the previous article response.

[1] - The term hacker is used to refer to white, grey and black hats. The skillset is the same, the targets are just different.
