Share
## https://sploitus.com/exploit?id=885A6361-2140-5549-A7B6-1854DD315CD1
# ๐Ÿšจ Exploiting [CVE-2021-38297](https://nvd.nist.gov/vuln/detail/CVE-2021-38297): A Journey into GO Wasm Buffer Overflow ๐Ÿšจ

## ๐ŸŒ Overview of the Vulnerability ๐ŸŒ

WebAssembly (WASM) ๐ŸŒ, a cutting-edge binary instruction format, enables the seamless execution of high-level languages like C, C++, Rust, and GO in modern web browsers. However, the discovery of CVE-2021-38297 ๐Ÿšฉ revealed a critical flaw within GO's compilation and loading process for GO-compiled WASM binaries. This vulnerability, found in the JavaScript WASM loader (`wasm_exec.js`) provided by GO, allowed for the unrestricted inclusion of data in the `argv` argument. With `argv` stored in the linear memory of WASM, malicious actors could potentially exploit this to overwrite the linear memory of the GO-compiled WASM program with an oversized `argv` input, leading to unpredictable and potentially hazardous outcomes. This vulnerability was a significant concern in versions of GO prior to 1.17.2.
In summary:
1. The front-end renders each post and its comments.
2. While rendering, the GO WASM module loads, processing comments via the `argv` variable and posts at memory address `0x5000`.
3. Functions like `toLeetSpeak` and `processSharedVar` are employed for comment and post content, respectively.

## ๐Ÿ’ป Vulnerable Application: Vuln-Twitter ๐Ÿ’ป

In our proof of concept, we introduce "Vuln-Twitter," a mock social media platform that permits user-generated content through posts and comments. Utilizing a Node.js web server and SQLite for data storage, Vuln-Twitter's front-end leverages plain JavaScript along with a GO WASM module named `wordprocessor.wasm` for dynamic content rendering. This module, notably, includes methods like `toLeetSpeak`, transforming user inputs into stylized "LeetSpeak" for an engaging user experience.
![Vuln twitter UI](Images/CVE_LeetSpeak.png "CX for the vuln-twitter")
### Exploiting the Buffer Overflow

Our exploration reveals a critical point of exploitation during the content rendering phase, where each comment undergoes transformation by the GO WASM module. A specially crafted oversized comment can trigger the vulnerability, leading to a buffer overflow that manipulates the original post content, demonstrating a classic Stored XSS attack vector. This vulnerability not only underscores the potential for malicious data manipulation but also highlights the broader implications of secure programming practices in the context of web development and WASM applications.
Refer to the code section doing the same:

![Rendering Logic](Images/CVE_render.png "Comments rendering logic in front-end")


WASM Linear memory diagram when rendering a comment:

![Rendering Logic memory](Images/CVE_Linearmem.png "Linear memory when rendering comments")
![Exploitation flow](Images/CVE_Exploit.png "StoredXSS Exploitation")
### Reproducing the Exploit

For enthusiasts and researchers keen on exploring this vulnerability further, we provide detailed steps to reproduce the exploit environment using a specific vulnerable version of GO. This hands-on approach facilitates a deeper understanding of the vulnerability's mechanics and potential mitigation strategies.
Note: For reproducing this you need to install go version `go1.17.1` locally, which is the vulnerable version used in this scenario. You can refer to official go documentation on how to install specific go versions.

Now let's try reproducing the above scenario:
1. To setup the entire application first clone the project: `git clone git@github.com:gkrishnan724/CVE-2021-38297.git && cd vuln-twitter`
2. Run `npm install` to install all the dependencies
3. Run `npm run resetDB` which will initialize the database with few posts and comments.
4. Run `npm run dev` which will start the local server, open localhost:3000 in a browser and you should be able to see a login page.


Now, let's login with a malicious account use the credentials username: `I_CANT_HACK`, password: `hacker`, once logged in, you should be able to see the feed with a few posts.

This post seems pretty interesting:

`Amazon: ready 4 black friday? https://www.amazon.com/blackfriday`

What if using the above technique, we are able to overwrite the post from Amazon.com, to point to a malicious link?. 

Refer to the exploit.txt file, this contains the comment that is filled with padding of "A"s such that we overwrite everything till address `0x5000`, at the end you can see the text `ready for black friday? https://evil.com/blackfriday` If we copy this text and comment on the above post. We should be able to overwrite the original post with the text above. 

Try it for yourselves and see :)
![Exploit](Images/CVE_Pwn.png "Successful Exploit")
## ๐Ÿ› ๏ธ Patching and Mitigation ๐Ÿ› ๏ธ

Acknowledging the severity of this vulnerability, we also outline a comprehensive patching strategy, employing an updated and secure version of GO to mitigate the risk. This section serves as a guide for developers and system administrators to fortify their applications against such vulnerabilities, emphasizing the importance of regular software updates and vigilant security practices.

In this application, I have also provided a patch script. Which uses a newer version of go:
1. Run the target `npm run patchServer` 

This should recompile the go file with the new version and start the server with patch version

You should now notice that the post is not getting overwritten and if you observe the console. we see an error instead `Argument length too long`.
![Patch](Images/CVE_Patch.png "Successful Patch")
## ๐Ÿ’ก Conclusion and Reflections ๐Ÿ’ก

Our journey through the exploitation and mitigation of CVE-2021-38297 offers valuable insights into the challenges and opportunities presented by the integration of high-level programming languages in web environments through WASM. It prompts a critical examination of security practices in software development, urging a proactive approach to vulnerability management and the adoption of secure coding standards.
Based on our understanding we think the GO linear memory layout is depicted below:

![GO memory layout](Images/CVE_GOLayout.png "Linear mem layout")
## ๐ŸŽ“ Presentation and Academic Contribution ๐ŸŽ“

As students of Carnegie Mellon University, our investigation into CVE-2021-38297 contributes to the broader academic and professional discourse on cybersecurity, offering a practical case study on the implications of emerging technologies on software security. Our presentation materials, available for review, further elucidate our findings and methodologies, inviting dialogue and collaboration among the cybersecurity community.

## ๐ŸŒŸ Credits & Contributions ๐ŸŒŸ

This project is a testament to collaborative research and academic inquiry, spearheaded by a dedicated team of students and researchers:

- Paras Saxena (@paras98)
- Gopala Krishnan (@gkrishnan724)
- Zhejia Yang (@zildjianpoi)
- Shubham Kulkarni (@shubhamkulkarni97)
- Anisha Nilakantan

## Technical Explanation 

## Vulnerable Application: Vuln-Twitter
This proof of concept showcases a social media application, Vuln-Twitter, allowing multiple users to post content and comments. The web-server, built on Node.js, utilizes SQLite to store post and comment data.

The front-end employs plain JS along with a GO WASM module named `wordprocessor.wasm`. This module exposes methods like `toLeetSpeak`, which transforms input strings into "LeetSpeak" (e.g., "Hello!" becomes "h3ll0!").

The GO WASM modules aid in rendering posts and comments in LeetSpeak.




## Exploiting the Buffer Overflow
During the front-end rendering process, when receiving posts and comments from the server, each comment undergoes rendering to "LeetSpeak" using the GO WASM module. The comment for each post is passed as part of the `argv` variable after loading the GO WASM module.

Moreover, there exists a method, `processSharedVar()`, in the GO module, designed to read the string located at address `0x5000` and convert it to simplified speech (e.g., "How are you?" becomes "How r u?"). The original post is explicitly added to `0x5000` in the linear memory to be accessed by this method, altering the post content.
## ๐Ÿ”— Sources & Further Reading ๐Ÿ”—

For those interested in delving deeper into CVE-2021-38297 and its broader implications, we provide a curated list of resources and readings, ranging from official security bulletins to technical blogs and academic papers. These materials offer comprehensive insights into the vulnerability, its impact on software security, and the ongoing efforts to ensure the safety and integrity of web applications.
* https://www.ibm.com/support/pages/security-bulletin-ibm-event-streams-affected-potential-buffer-overflow-golang-cve-2021-38297-0
* https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-38297&scoretype=cvssv3
* https://pedromarquez.dev/blog/2023/2/node_golang_wasm
* https://nvd.nist.gov/vuln/detail/CVE-2021-38297
* https://github.com/golang/go/issues/48797
* https://github.com/golang/go/commit/f63250238be548b7c6c24ae840541102a5cfef99
* https://jfrog.com/blog/cve-2021-38297-analysis-of-a-go-web-assembly-vulnerability/
* https://stackoverflow.com/questions/64763007/why-is-webassembly-safe-and-what-is-linear-memory-model
* https://webassembly.org/
* https://hacks.mozilla.org/2019/08/webassembly-interface-types/
* https://blog.protekkt.com/blog/basic-webassembly-buffer-overflow-exploitation-example
* https://www.usenix.org/system/files/sec20_slides_lehmann.pdf
* https://xeiaso.net/talks/wasm-abi/

**Orignal Development Repo** : https://github.com/gkrishnan724/CVE-2021-38297