Associated Vulnerability
Title:Google Go 安全漏洞 (CVE-2018-6574)Description:Google Go是美国谷歌(Google)公司的一种针对多处理器系统应用程序的编程进行了优化的编程语言。 Google Go 1.8.7之前版本、1.9.4之前的1.9.x版本和1.10rc2之前的1.10 pre-releases版本中存在安全漏洞。远程攻击者可利用该漏洞执行命令。
Description
Exploit for remote command execution in Golang go get command.
Readme
# CVE-2018-6574
Exploit for remote command execution in Golang `go get` command.
## Introduction
When you go get a package, Go is designed to build and install the package without running any code from it. The intent is that you can safely get, build, and even install Go packages without trusting them at all. In theory, it seems like this should be a simple feat for the Go toolchain, but in actuality, it's a real challenge. go get does a lot under the hood, including invoking third-party tools like git and clang in ways that are heavily influenced by package configurations. Ensuring that these invocations are safe is an uphill battle that Go hasn't quite won yet.
When cgo is enabled, the build step during “go get” invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an exploit.so file along with a Go source file that says (for example) // #cgo CFLAGS: -fplugin=exploit.so, causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow `go get` remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before.
## Building the Exploit
For Exploit we will need to host our malicious package. We need a website with TLS and a valid certificate chain. An easy way to do this is to use [github](https://github.com)
Then, you will need a malicious plugin/.so file. The code in [exploit.c](https://github.com/Devang-Solanki/CVE-2018-6574/blob/main/exploit.c) should help you with that.
**Note: Change this following code in [exploit.c](https://github.com/Devang-Solanki/CVE-2018-6574/blob/main/exploit.c) to your command**
```c
void exploit() {
system("<Your CMD>");
}
```
**Note: Compile this file according to your victim's machine/pc architecture**
You can build exploit.sp it using the following command:
```console
gcc -shared -o exploit.so -fPIC exploit.c
```
Once you host your full payload on Github, you should be able to pass the package link to the victim.
File Snapshot
[4.0K] /data/pocs/9bd0065b5df440cf09438c96ed4d4bcdbd6a59d5
├── [ 136] exploit.c
├── [1.2K] LICENSE
├── [ 277] main.go
└── [2.4K] README.md
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.