| शीर्षक | AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94) |
|---|
| विवरण | # Technical Details
An authenticated host-level Python code execution chain exists in `ToolsRoute.add_mcp_server()` in `astrbot/dashboard/routes/tools.py`, MCP stdio validation in `astrbot/core/agent/mcp_client.py`, and backup import logic in `astrbot/core/backup/importer.py` and `astrbot/core/backup/constants.py` of AstrBot.
The application fails to prevent dangerous interaction between backup import and MCP stdio execution. Backup import restores attacker-controlled files into live runtime directories, including `data/t2i_templates/`. MCP stdio validation allows `python3` with positional script or archive arguments, and the MCP connection test launches the supplied interpreter command directly. An attacker can therefore restore a `.pyz` payload and execute it through the dashboard MCP feature.
# Vulnerable Code
File: `astrbot/dashboard/routes/tools.py`
Method: `ToolsRoute.add_mcp_server()`
Why: The route accepts attacker-supplied MCP stdio configuration, validates it with incomplete rules, and immediately triggers a live connection test. In `astrbot/core/agent/mcp_client.py`, `_validate_stdio_args()` blocks inline flags like `-c` but still permits positional archive/script paths such as `data/t2i_templates/issue7169_payload.pyz`. `AstrBotImporter._import_directories()` restores attacker-controlled files into that path.
# Reproduction
1. Authenticate to the AstrBot dashboard with a user allowed to import backups and manage MCP servers.
2. Upload and import a crafted backup ZIP containing `directories/t2i_templates/issue7169_payload.pyz`.
3. Submit `POST /api/tools/mcp/add` with `command` set to `python3` and `args` set to `["data/t2i_templates/issue7169_payload.pyz"]`.
4. Observe that AstrBot launches `python3 data/t2i_templates/issue7169_payload.pyz`.
5. Confirm code execution by checking for the created marker file `data/issue7169_mcp_allowlist_bypass_marker.txt`.
# Impact
- An authenticated dashboard user can execute arbitrary Python code as the AstrBot process user.
- The attacker can access secrets, modify runtime data, and establish persistence within the service account's privileges. |
|---|
| स्रोत | ⚠️ https://gist.github.com/YLChen-007/193469bf36c70d6744b8a62dd5da3dd3 |
|---|
| उपयोगकर्ता | Eric-a (UID 96353) |
|---|
| सबमिशन | 01/06/2026 10:19 AM (1 महीना पहले) |
|---|
| संयम | 11/07/2026 02:42 PM (1 month later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 356978 [AstrBotDevs AstrBot तक 4.22.1 MCP Endpoint tools.py add_mcp_server command अधिकार वृद्धि] |
|---|
| अंक | 0 |
|---|