提交 #844658: AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)信息

标题AstrBotDevs AstrBot 4.25.2 Code Injection (CWE-94)
描述# Technical Details An authenticated host-level Python code execution chain exists in `ToolsRoute.add_mcp_server()` in `astrbot/dashboard/routes/tools.py`, MCP stdio validation in `astrbot/core/agent/mcp_client.py`, and backup import logic in `astrbot/core/backup/importer.py` and `astrbot/core/backup/constants.py` of AstrBot. The application fails to prevent dangerous interaction between backup import and MCP stdio execution. Backup import restores attacker-controlled files into live runtime directories, including `data/t2i_templates/`. MCP stdio validation allows `python3` with positional script or archive arguments, and the MCP connection test launches the supplied interpreter command directly. An attacker can therefore restore a `.pyz` payload and execute it through the dashboard MCP feature. # Vulnerable Code File: `astrbot/dashboard/routes/tools.py` Method: `ToolsRoute.add_mcp_server()` Why: The route accepts attacker-supplied MCP stdio configuration, validates it with incomplete rules, and immediately triggers a live connection test. In `astrbot/core/agent/mcp_client.py`, `_validate_stdio_args()` blocks inline flags like `-c` but still permits positional archive/script paths such as `data/t2i_templates/issue7169_payload.pyz`. `AstrBotImporter._import_directories()` restores attacker-controlled files into that path. # Reproduction 1. Authenticate to the AstrBot dashboard with a user allowed to import backups and manage MCP servers. 2. Upload and import a crafted backup ZIP containing `directories/t2i_templates/issue7169_payload.pyz`. 3. Submit `POST /api/tools/mcp/add` with `command` set to `python3` and `args` set to `["data/t2i_templates/issue7169_payload.pyz"]`. 4. Observe that AstrBot launches `python3 data/t2i_templates/issue7169_payload.pyz`. 5. Confirm code execution by checking for the created marker file `data/issue7169_mcp_allowlist_bypass_marker.txt`. # Impact - An authenticated dashboard user can execute arbitrary Python code as the AstrBot process user. - The attacker can access secrets, modify runtime data, and establish persistence within the service account's privileges.
来源⚠️ https://gist.github.com/YLChen-007/193469bf36c70d6744b8a62dd5da3dd3
用户
 Eric-a (UID 96353)
提交2026-06-01 10時19分 (1 月前)
管理2026-07-11 14時42分 (1 month later)
状态重复
VulDB条目356978 [AstrBotDevs AstrBot 直到 4.22.1 MCP Endpoint tools.py add_mcp_server command 权限提升]
积分0

Do you want to use VulDB in your project?

Use the official API to access entries easily!