제출 #844658: AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)정보

제목AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)
설명# Technical Details An authenticated host-level Python code execution chain exists in `ToolsRoute.add_mcp_server()` in `astrbot/dashboard/routes/tools.py`, MCP stdio validation in `astrbot/core/agent/mcp_client.py`, and backup import logic in `astrbot/core/backup/importer.py` and `astrbot/core/backup/constants.py` of AstrBot. The application fails to prevent dangerous interaction between backup import and MCP stdio execution. Backup import restores attacker-controlled files into live runtime directories, including `data/t2i_templates/`. MCP stdio validation allows `python3` with positional script or archive arguments, and the MCP connection test launches the supplied interpreter command directly. An attacker can therefore restore a `.pyz` payload and execute it through the dashboard MCP feature. # Vulnerable Code File: `astrbot/dashboard/routes/tools.py` Method: `ToolsRoute.add_mcp_server()` Why: The route accepts attacker-supplied MCP stdio configuration, validates it with incomplete rules, and immediately triggers a live connection test. In `astrbot/core/agent/mcp_client.py`, `_validate_stdio_args()` blocks inline flags like `-c` but still permits positional archive/script paths such as `data/t2i_templates/issue7169_payload.pyz`. `AstrBotImporter._import_directories()` restores attacker-controlled files into that path. # Reproduction 1. Authenticate to the AstrBot dashboard with a user allowed to import backups and manage MCP servers. 2. Upload and import a crafted backup ZIP containing `directories/t2i_templates/issue7169_payload.pyz`. 3. Submit `POST /api/tools/mcp/add` with `command` set to `python3` and `args` set to `["data/t2i_templates/issue7169_payload.pyz"]`. 4. Observe that AstrBot launches `python3 data/t2i_templates/issue7169_payload.pyz`. 5. Confirm code execution by checking for the created marker file `data/issue7169_mcp_allowlist_bypass_marker.txt`. # Impact - An authenticated dashboard user can execute arbitrary Python code as the AstrBot process user. - The attacker can access secrets, modify runtime data, and establish persistence within the service account's privileges.
원천⚠️ https://gist.github.com/YLChen-007/193469bf36c70d6744b8a62dd5da3dd3
사용자
 Eric-a (UID 96353)
제출2026. 06. 01. AM 10:19 (1 월 ago)
모더레이션2026. 07. 11. PM 02:42 (1 month later)
상태중복
VulDB 항목356978 [AstrBotDevs AstrBot 까지 4.22.1 MCP Endpoint tools.py add_mcp_server command 권한 상승]
포인트들0

Want to stay up to date on a daily basis?

Enable the mail alert feature now!