Critical severityNVD Advisory· Published Jun 1, 2023· Updated Jan 9, 2025
Brook's tproxy server is vulnerable to a drive-by command injection.
CVE-2023-33965
Description
Brook tproxy server contains a drive-by command injection vulnerability allowing remote code execution via a malicious web page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Brook tproxy server contains a drive-by command injection vulnerability allowing remote code execution via a malicious web page.
Vulnerability
Description CVE-2023-33965 is a drive-by command injection vulnerability in the tproxy server component of Brook, a cross-platform programmable network tool. The server does not properly validate or sanitize requests, allowing an attacker to craft a malicious web page that, when visited by a victim, triggers arbitrary requests to the local tproxy service with injected commands [1][3].
Exploitation
To exploit the vulnerability, an attacker must trick a victim into visiting a malicious web page while the Brook tproxy server is running locally. The page sends crafted requests to the tproxy service (typically listening on localhost), which processes them without proper authentication or input validation, leading to command injection. This attack can be performed remotely by luring the victim to the attacker's site, requiring no prior access to the victim's system [1][4].
Impact
Successful exploitation permits remote code execution on the victim's machine with the privileges of the Brook process. An attacker could execute arbitrary system commands, potentially leading to full compromise of the host, including data theft, installation of malware, or further lateral movement within the network [1][4].
Mitigation
The vulnerability is patched in Brook version 20230606 [1]. The commit [2] shows the addition of authentication handlers (/hasp, /setp, /authp) to the tproxy server, which mitigate the attack by requiring a password for administrative actions. Users are advised to update to the patched version immediately. No workarounds are documented; however, running the service only in trusted environments or restricting network access may reduce exposure.
References
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/txthinking/brookGo | < 20230606 | 20230606 |
Affected products
2- Range: < 20230606
Patches
14 files changed · +191 −22
cli/brook/main.go+68 −3 modified@@ -975,7 +975,7 @@ func main() { if err != nil { return err } - s, err := brook.NewQUICServer(":"+p, c.String("password"), h, c.Int("tcpTimeout"), c.Int("udpTimeout"), c.String("blockDomainList"), c.String("blockCIDR4List"), c.String("blockCIDR6List"), c.Int64("updateListInterval"), c.StringSlice("blockGeoIP"), c.Bool("withoutBrookProtocol")) + s, err := brook.NewQUICServer(":"+p, c.String("password"), h, c.Int("tcpTimeout"), c.Int("udpTimeout"), c.Bool("withoutBrookProtocol")) if err != nil { return err } @@ -1437,7 +1437,7 @@ func main() { }, &cli.BoolFlag{ Name: "enableIPv6", - Usage: "Your local and server must support IPv6 both", + Usage: "deprecated", }, &cli.BoolFlag{ Name: "doNotRunScripts", @@ -1514,7 +1514,55 @@ func main() { lock := &sync.Mutex{} m := http.NewServeMux() m.Handle("/", http.FileServer(http.FS(web))) + m.HandleFunc("/hasp", func(w http.ResponseWriter, r *http.Request) { + lock.Lock() + defer lock.Unlock() + _, err := os.Stat("/tmp/.brook.web.password") + if os.IsNotExist(err) { + w.Write([]byte("no")) + return + } + w.Write([]byte("yes")) + }) + m.HandleFunc("/setp", func(w http.ResponseWriter, r *http.Request) { + lock.Lock() + defer lock.Unlock() + _, err := os.Stat("/tmp/.brook.web.password") + if !os.IsNotExist(err) { + http.Error(w, "file exsits", 500) + return + } + err = ioutil.WriteFile("/tmp/.brook.web.password", []byte(r.FormValue("p")), 0600) + if err != nil { + http.Error(w, err.Error(), 500) + return + } + w.WriteHeader(200) + }) + m.HandleFunc("/authp", func(w http.ResponseWriter, r *http.Request) { + lock.Lock() + defer lock.Unlock() + b, err := ioutil.ReadFile("/tmp/.brook.web.password") + if err != nil { + http.Error(w, err.Error(), 500) + return + } + if string(b) != r.FormValue("p") { + http.Error(w, "web ui password wrong", 500) + return + } + w.WriteHeader(200) + }) m.HandleFunc("/start", func(w http.ResponseWriter, r *http.Request) { + b, err := ioutil.ReadFile("/root/.brook.web.password") + if err != nil { + http.Error(w, err.Error(), 500) + return + } + if string(b) != r.FormValue("p") { + http.Error(w, "web ui password wrong", 500) + return + } s, err := os.Executable() if err != nil { http.Error(w, err.Error(), 500) @@ -1523,7 +1571,6 @@ func main() { lock.Lock() defer lock.Unlock() cmd = exec.Command("/bin/sh", "-c", s+" tproxy "+r.FormValue("args")) - log.Println(s + " tproxy " + r.FormValue("args")) done := make(chan byte) defer close(done) errch := make(chan error) @@ -1552,6 +1599,15 @@ func main() { } }) m.HandleFunc("/stop", func(w http.ResponseWriter, r *http.Request) { + b, err := ioutil.ReadFile("/root/.brook.web.password") + if err != nil { + http.Error(w, err.Error(), 500) + return + } + if string(b) != r.FormValue("p") { + http.Error(w, "web ui password wrong", 500) + return + } lock.Lock() defer lock.Unlock() if cmd == nil { @@ -1565,6 +1621,15 @@ func main() { w.Write([]byte("disconnected")) }) m.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) { + b, err := ioutil.ReadFile("/tmp/.brook.web.password") + if err != nil { + http.Error(w, err.Error(), 500) + return + } + if string(b) != r.FormValue("p") { + http.Error(w, "web ui password wrong", 500) + return + } lock.Lock() defer lock.Unlock() if cmd == nil {
cli/brook/static/index.html+117 −13 modified@@ -35,15 +35,36 @@ bypassDomainList: localStorage.getItem("bypassDomainList") ?? "", bypassCIDR4List: localStorage.getItem("bypassCIDR4List") ?? "", bypassCIDR6List: localStorage.getItem("bypassCIDR6List") ?? "", + bypassGeoIP: localStorage.getItem("bypassGeoIP") ?? "", blockDomainList: localStorage.getItem("blockDomainList") ?? "", - enableIPv6: localStorage.getItem("enableIPv6") ? true : false, + disableA: localStorage.getItem("disableA") ? true : false, + disableAAAA: localStorage.getItem("disableAAAA") ? true : false, + hasp: false, + localhasp: false, + p: "", status: "disconnected", ing: false, }; }, async created() { try { - var r = await fetch("/status"); + var r = await fetch("/hasp"); + if (r.status != 200) { + throw await r.text(); + } + if((await r.text()) == "yes"){ + this.hasp = true; + } + if(!this.hasp){ + return; + } + if(localStorage.getItem("p")){ + this.localhasp = true; + } + if(!this.localhasp){ + return; + } + var r = await fetch(`/status?p=${encodeURIComponent(localStorage.getItem('p'))}`); if (r.status != 200) { throw await r.text(); } @@ -53,6 +74,41 @@ } }, methods: { + async setp() { + try { + if (!this.p.trim()) { + return; + } + this.ing = true; + var r = await fetch(`/setp?p=${encodeURIComponent(this.p.trim())}`); + if (r.status != 200) { + throw await r.text(); + } + location.reload(); + this.ing = false; + } catch (e) { + alert(`${e}`); + this.ing = false; + } + }, + async authp() { + try { + if (!this.p.trim()) { + return; + } + this.ing = true; + var r = await fetch(`/authp?p=${encodeURIComponent(this.p.trim())}`); + if (r.status != 200) { + throw await r.text(); + } + localStorage.setItem("p", this.p.trim()); + location.reload(); + this.ing = false; + } catch (e) { + alert(`${e}`); + this.ing = false; + } + }, async start() { try { this.ing = true; @@ -105,19 +161,43 @@ } else { localStorage.setItem("bypassCIDR6List", ""); } + if ( + this.bypassGeoIP && + this.bypassGeoIP + .split(",") + .map((v) => v.trim()) + .filter((v) => v).length + ) { + this.bypassGeoIP + .split(",") + .map((v) => v.trim()) + .filter((v) => v) + .forEach((v) => { + s += ` --bypassGeoIP '${v}'`; + }); + localStorage.setItem("bypassGeoIP", this.bypassGeoIP); + } else { + localStorage.setItem("bypassGeoIP", ""); + } if (this.blockDomainList) { s += ` --blockDomainList '${this.blockDomainList}'`; localStorage.setItem("blockDomainList", this.blockDomainList); } else { localStorage.setItem("blockDomainList", ""); } - if (this.enableIPv6) { - s += ` --enableIPv6`; - localStorage.setItem("enableIPv6", "true"); + if (this.disableA) { + s += ` --disableA`; + localStorage.setItem("disableA", "true"); } else { - localStorage.setItem("enableIPv6", ""); + localStorage.setItem("disableA", ""); } - var r = await fetch(`/start?args=${encodeURIComponent(s)}`); + if (this.disableAAAA) { + s += ` --disableAAAA`; + localStorage.setItem("disableAAAA", "true"); + } else { + localStorage.setItem("disableAAAA", ""); + } + var r = await fetch(`/start?args=${encodeURIComponent(s)}&p=${encodeURIComponent(localStorage.getItem('p'))}`); if (r.status != 200) { throw await r.text(); } @@ -131,7 +211,7 @@ async stop() { try { this.ing = true; - var r = await fetch(`/stop`); + var r = await fetch(`/stop?p=${encodeURIComponent(localStorage.getItem('p'))}`); if (r.status != 200) { throw await r.text(); } @@ -153,7 +233,7 @@ <h1>Brook</h1> <p>brook tproxy</p> </header> - <main> + <main v-if="hasp && localhasp"> <p> <label>--link brook link</label><br /> <input v-model="link" placeholder="brook://..." /> @@ -174,6 +254,14 @@ <h1>Brook</h1> <label>--dnsForBypass DNS server for resolving domains in bypass list</label><br /> <input v-model="dnsForBypass" placeholder="223.5.5.5:53" /> </p> + <p> + <label>--disableA Disable A query</label><br /> + <input type="checkbox" v-model="disableA" /> + </p> + <p> + <label>--disableAAAA Disable AAAA query</label><br /> + <input type="checkbox" v-model="disableAAAA" /> + </p> <p> <label>--bypassDomainList Suffix match mode</label><br /> <input v-model="bypassDomainList" placeholder="/path/to/local/file/example_domain.txt" /> @@ -187,17 +275,33 @@ <h1>Brook</h1> <input v-model="bypassCIDR6List" placeholder="/path/to/local/file/example_cidr6.txt" /> </p> <p> - <label>--blockDomainList Suffix match mode</label><br /> - <input v-model="blockDomainList" placeholder="/path/to/local/file/example_domain.txt" /> + <label>--bypassGeoIP Bypass IP by Geo country code, such as CN</label><br /> + <input v-model="bypassGeoIP" placeholder="ZZ,CN" /> </p> <p> - <label>--enableIPv6 Your local and server must support IPv6</label><br /> - <input type="checkbox" v-model="enableIPv6" /> + <label>--blockDomainList Suffix match mode</label><br /> + <input v-model="blockDomainList" placeholder="/path/to/local/file/example_domain.txt" /> </p> <p v-if="ing"><button disabled>Waiting...</button></p> <p v-if="!ing && status == 'disconnected'"><button v-on:click="start">Connect</button></p> <p v-if="!ing && status =='connected'"><button v-on:click="stop">Disconnect</button></p> </main> + <main v-if="!hasp"> + <p> + <label>Set password for web UI</label><br /> + <input v-model="p" /> + </p> + <p v-if="ing"><button disabled>Waiting...</button></p> + <p v-if="!ing"><button v-on:click="setp">Save</button></p> + </main> + <main v-if="hasp && !localhasp"> + <p> + <label>Auth web UI</label><br /> + <input v-model="p" /> + </p> + <p v-if="ing"><button disabled>Waiting...</button></p> + <p v-if="!ing"><button v-on:click="authp">Auth</button></p> + </main> <footer> <p><a href="https://txthinking.com">txthinking.com</a> | <a href="https://github.com/txthinking">github.com/txthinking</a> | <a href="https://talks.txthinking.com">blog</a> | <a href="https://youtube.com/txthinking">youtube</a> | <a href="https://t.me/brookgroup">telegram</a> | <a href="https://t.me/txthinking_news">news</a></p> </footer>
quicserver.go+1 −1 modified@@ -45,7 +45,7 @@ type QUICServer struct { UDPServerConnFactory UDPServerConnFactory } -func NewQUICServer(addr, password, domain string, tcpTimeout, udpTimeout int, blockDomainList, blockCIDR4List, blockCIDR6List string, updateListInterval int64, blockGeoIP []string, withoutbrook bool) (*QUICServer, error) { +func NewQUICServer(addr, password, domain string, tcpTimeout, udpTimeout int, withoutbrook bool) (*QUICServer, error) { if err := limits.Raise(); err != nil { Log(&Error{"when": "try to raise system limits", "warning": err.Error()}) }
streamclient.go+5 −5 modified@@ -94,7 +94,7 @@ func NewStreamClient(network string, password []byte, src string, server net.Con } binary.BigEndian.PutUint32(c.WB[2+16:2+16+4], uint32(i)) copy(c.WB[2+16+4:2+16+4+len(dst)], dst) - if err := c.WriteL(4 + len(dst)); err != nil { + if err := c.Write(4 + len(dst)); err != nil { x.BP12.Put(c.cn) x.BP2048.Put(c.WB) return nil, err @@ -150,7 +150,7 @@ func (c *StreamClient) Exchange(local net.Conn) error { return } } - l, err := c.ReadL() + l, err := c.Read() if err != nil { return } @@ -169,14 +169,14 @@ func (c *StreamClient) Exchange(local net.Conn) error { if err != nil { return nil } - if err := c.WriteL(l); err != nil { + if err := c.Write(l); err != nil { return nil } } return nil } -func (c *StreamClient) WriteL(l int) error { +func (c *StreamClient) Write(l int) error { binary.BigEndian.PutUint16(c.WB[:2], uint16(l)) c.ca.Seal(c.WB[:0], c.cn, c.WB[:2], nil) NextNonce(c.cn) @@ -188,7 +188,7 @@ func (c *StreamClient) WriteL(l int) error { return nil } -func (c *StreamClient) ReadL() (int, error) { +func (c *StreamClient) Read() (int, error) { if _, err := io.ReadFull(c.Server, c.RB[:2+16]); err != nil { return 0, err }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-vfrj-fv6p-3cpfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-33965ghsaADVISORY
- github.com/txthinking/brook/commit/314d7070c37babf6c38a0fe1eada872bb74bf03eghsax_refsource_MISCWEB
- github.com/txthinking/brook/security/advisories/GHSA-vfrj-fv6p-3cpfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.