DEF CON 29 - Kelly Kaoudis, Sick Codes - Rotten code, aging standards, & pwning IPv4 parsing

Openness to responsibly disclosed external vulnerability research is crucial for modern software maintainers and security teams. Changes in upstream dependency code may have pulled the safety rug out from underneath widely trusted core libraries, leaving millions of services vulnerable to unsophisticated attacks. The impact of even a single reasonably well-distributed supply-chain security vulnerability will be felt by engineering teams across many applications, companies, and industries. We’d like to discuss an IP address parsing vulnerability first discovered in private-ip, a small and infrequently maintained yet critically important NodeJS package for determining if an IP address should be considered part of a private range or not. We’ll talk about not only the implications of this CVE but taking the main idea and applying it across multiple programming languages in uniquely disturbing ways. Sometimes, the effects of code rot are even more far-reaching than we could possibly expect, and if you pull on a