CVE-2023-29409 PoC — Google Golang 资源管理错误漏洞

Source

https://github.com/mateusz834/CVE-2023-29409

Associated Vulnerability

Title:Google Golang 资源管理错误漏洞 (CVE-2023-29409)
Description:Google Golang是美国谷歌（Google）公司的一种静态强类型、编译型语言。Go的语法接近C语言，但对于变量的声明有所不同。Go支持垃圾回收功能。Go的并行模型是以东尼·霍尔的通信顺序进程（CSP）为基础，采取类似模型的其他语言包括Occam和Limbo，但它也具有Pi运算的特征，比如通道传输。在1.8版本中开放插件（Plugin）的支持，这意味着现在能从Go中动态加载部分函数。 Google Golang 存在资源管理错误漏洞，该漏洞源于RSA证书链中的极大RSA密钥可能会导致客户端/服务器在

Description

 CVE-2023-29409 reproducer

Readme

# CVE-2023-29409

```bash
$ openssl genrsa -out ca-key.pem 2048
$ openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 100000 -out ca.pem \
-addext 'keyUsage=keyCertSign' \
-subj '/CN=Root CA'
$ go run main.go server # (in the background)
$ go run main.go client # causes high cpu load on client
$ go run main.go client-auth # causes high cpu load on the server
```

```bash
$ time go run main.go client
tls: invalid signature by the server certificate: crypto/rsa: verification error

real    0m13,160s
user    0m13,328s
sys     0m0,101s

$ time go run main.go client-auth
<nil>

real    0m10,985s
user    0m0,255s
sys     0m0,044s
```

File Snapshot


 [4.0K]  /data/pocs/253156498c4c5d8252dfae47869e28ed1bcf1f62
├── [  55]  go.mod
├── [1.0K]  LICENSE
├── [4.3K]  main.go
└── [ 644]  README.md

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!