Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The go get downloads and builds a package that contains import "C". With CLI tools, it is the goal of most systems (including Go) to limit code execution via commands being ran.

A bug in the package handling process allowed for setting the current directory to check for gcc when building the library. Because this occurs, we can control what gets executed! This means that running the go get command can run arbitrary code on downloading.

So, what is the fix? They came up with two of them. The first solution was to pass the full path of the GCC compiler instead of a just a command. The second fix was to remove the ability to execute a command based upon the PATH variable having . inside of it.