जमा करें #844658: AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)जानकारी

शीर्षकAstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)
विवरण# Technical Details An authenticated host-level Python code execution chain exists in `ToolsRoute.add_mcp_server()` in `astrbot/dashboard/routes/tools.py`, MCP stdio validation in `astrbot/core/agent/mcp_client.py`, and backup import logic in `astrbot/core/backup/importer.py` and `astrbot/core/backup/constants.py` of AstrBot. The application fails to prevent dangerous interaction between backup import and MCP stdio execution. Backup import restores attacker-controlled files into live runtime directories, including `data/t2i_templates/`. MCP stdio validation allows `python3` with positional script or archive arguments, and the MCP connection test launches the supplied interpreter command directly. An attacker can therefore restore a `.pyz` payload and execute it through the dashboard MCP feature. # Vulnerable Code File: `astrbot/dashboard/routes/tools.py` Method: `ToolsRoute.add_mcp_server()` Why: The route accepts attacker-supplied MCP stdio configuration, validates it with incomplete rules, and immediately triggers a live connection test. In `astrbot/core/agent/mcp_client.py`, `_validate_stdio_args()` blocks inline flags like `-c` but still permits positional archive/script paths such as `data/t2i_templates/issue7169_payload.pyz`. `AstrBotImporter._import_directories()` restores attacker-controlled files into that path. # Reproduction 1. Authenticate to the AstrBot dashboard with a user allowed to import backups and manage MCP servers. 2. Upload and import a crafted backup ZIP containing `directories/t2i_templates/issue7169_payload.pyz`. 3. Submit `POST /api/tools/mcp/add` with `command` set to `python3` and `args` set to `["data/t2i_templates/issue7169_payload.pyz"]`. 4. Observe that AstrBot launches `python3 data/t2i_templates/issue7169_payload.pyz`. 5. Confirm code execution by checking for the created marker file `data/issue7169_mcp_allowlist_bypass_marker.txt`. # Impact - An authenticated dashboard user can execute arbitrary Python code as the AstrBot process user. - The attacker can access secrets, modify runtime data, and establish persistence within the service account's privileges.
स्रोत⚠️ https://gist.github.com/YLChen-007/193469bf36c70d6744b8a62dd5da3dd3
उपयोगकर्ता
 Eric-a (UID 96353)
सबमिशन01/06/2026 10:19 AM (1 महीना पहले)
संयम11/07/2026 02:42 PM (1 month later)
स्थितिप्रतिलिपि
VulDB प्रविष्टि356978 [AstrBotDevs AstrBot तक 4.22.1 MCP Endpoint tools.py add_mcp_server command अधिकार वृद्धि]
अंक0

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!