| Titel | AstrBotDevs AstrBot 4.25.2 Improper Authorization (CWE-285) |
|---|
| Beschreibung | # Technical Details
An improper ownership check exists in the `FutureTaskTool.call()` workflow in `astrbot/core/tools/cron_tools.py` and the scheduler follow-up path in `astrbot/core/cron/manager.py` of AstrBot.
The application fails to authorize future task management by task owner. Task creation stores both `session` and `sender_id`, but `list`, `edit`, and `delete` later check only whether the current unified message origin matches the stored session. In shared group sessions, any non-owner can manage another user's scheduled task. The `edit` path preserves the original `sender_id`, so attacker-modified content can later execute under a victim-derived cron role.
# Vulnerable Code
File: `astrbot/core/tools/cron_tools.py`
Method: `FutureTaskTool.call()`
Why: The `edit`, `delete`, and `list` branches authorize only by shared session/UMO and do not enforce ownership with `sender_id`. The `edit` branch copies the existing payload and updates only `payload["note"]`, preserving the victim creator identity for later scheduler use.
# Reproduction
1. Create a future task as a victim user, preferably an admin, in a shared group session.
2. From a different non-owner user in the same UMO/session, run the provided PoC `verification_test_7822_cron_future_task_ownership.py`.
3. List and edit the victim task as the non-owner.
4. Observe that the modified task keeps the original victim `sender_id`.
5. Let the scheduler execute the task and confirm the attacker-controlled note runs with the victim-derived cron role.
# Impact
- Same-session attackers can list, edit, or delete another user's scheduled tasks.
- If the victim is an admin, attacker-controlled task content can later execute in an admin-derived cron context. |
|---|
| Quelle | ⚠️ https://gist.github.com/YLChen-007/2bab96d5bedef784f90c97009fff8a19 |
|---|
| Benutzer | Eric-a (UID 96353) |
|---|
| Einreichung | 01.06.2026 10:14 (vor 1 Monat) |
|---|
| Moderieren | 11.07.2026 14:42 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 377806 [AstrBotDevs AstrBot bis 4.25.2 Scheduled Task cron_tools.py FutureTaskTool.call payload["note"] erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|