| 标题 | AstrBotDevs AstrBot 4.25.2 Improper Authorization (CWE-285) |
|---|
| 描述 | # Technical Details
An improper ownership check exists in the `FutureTaskTool.call()` workflow in `astrbot/core/tools/cron_tools.py` and the scheduler follow-up path in `astrbot/core/cron/manager.py` of AstrBot.
The application fails to authorize future task management by task owner. Task creation stores both `session` and `sender_id`, but `list`, `edit`, and `delete` later check only whether the current unified message origin matches the stored session. In shared group sessions, any non-owner can manage another user's scheduled task. The `edit` path preserves the original `sender_id`, so attacker-modified content can later execute under a victim-derived cron role.
# Vulnerable Code
File: `astrbot/core/tools/cron_tools.py`
Method: `FutureTaskTool.call()`
Why: The `edit`, `delete`, and `list` branches authorize only by shared session/UMO and do not enforce ownership with `sender_id`. The `edit` branch copies the existing payload and updates only `payload["note"]`, preserving the victim creator identity for later scheduler use.
# Reproduction
1. Create a future task as a victim user, preferably an admin, in a shared group session.
2. From a different non-owner user in the same UMO/session, run the provided PoC `verification_test_7822_cron_future_task_ownership.py`.
3. List and edit the victim task as the non-owner.
4. Observe that the modified task keeps the original victim `sender_id`.
5. Let the scheduler execute the task and confirm the attacker-controlled note runs with the victim-derived cron role.
# Impact
- Same-session attackers can list, edit, or delete another user's scheduled tasks.
- If the victim is an admin, attacker-controlled task content can later execute in an admin-derived cron context. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/2bab96d5bedef784f90c97009fff8a19 |
|---|
| 用户 | Eric-a (UID 96353) |
|---|
| 提交 | 2026-06-01 10時14分 (1 月前) |
|---|
| 管理 | 2026-07-11 14時42分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377806 [AstrBotDevs AstrBot 直到 4.25.2 Scheduled Task cron_tools.py FutureTaskTool.call payload["note"] 权限提升] |
|---|
| 积分 | 20 |
|---|