Critical severity9.8NVD Advisory· Published May 7, 2024· Updated Apr 15, 2026

CVE-2024-33434

Description

An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filtering.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/tiagorlampert/CHAOSGo	< 0.0.0-20220716132853-b47438d36e3a	0.0.0-20220716132853-b47438d36e3a

Patches

b47438d36e3a

Merge pull request #95 from tiagorlampert/fix/command

https://github.com/tiagorlampert/CHAOSTiago Rodrigo LampertJul 16, 2022via ghsa

commit PR #95

25 files changed · +113 −55

cmd/chaos/main.go+4 −4 modified

@@ -9,10 +9,10 @@ import (
 	"github.com/tiagorlampert/CHAOS/infrastructure/database"
 	"github.com/tiagorlampert/CHAOS/internal/environment"
 	"github.com/tiagorlampert/CHAOS/internal/middleware"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/template"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/ui"
+	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
+	"github.com/tiagorlampert/CHAOS/internal/utils/system"
+	"github.com/tiagorlampert/CHAOS/internal/utils/template"
+	"github.com/tiagorlampert/CHAOS/internal/utils/ui"
 	"github.com/tiagorlampert/CHAOS/repositories/sqlite"
 	"github.com/tiagorlampert/CHAOS/services"
 	"net/http"

delivery/http/handler.go+9 −9 modified

@@ -10,10 +10,10 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/tiagorlampert/CHAOS/delivery/http/request"
 	"github.com/tiagorlampert/CHAOS/entities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/network"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
+	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
+	"github.com/tiagorlampert/CHAOS/internal/utils/network"
+	"github.com/tiagorlampert/CHAOS/internal/utils/system"
 	"github.com/tiagorlampert/CHAOS/services"
 	"net/http"
 	"path/filepath"
@@ -185,7 +185,7 @@ func (h *httpController) sendCommandHandler(c *gin.Context) {
 
 func (h *httpController) getCommandHandler(c *gin.Context) {
 	address := c.Query("address")
-	decoded, err := utilities.DecodeBase64(address)
+	decoded, err := utils.DecodeBase64(address)
 	if err != nil {
 		c.String(http.StatusBadRequest, err.Error())
 		return
@@ -239,11 +239,11 @@ func (h *httpController) generateBinaryPostHandler(c *gin.Context) {
 		ServerPort:    req.Port,
 		OSTarget:      system.OSTargetIntMap[osTarget],
 		Filename:      req.Filename,
-		RunHidden:     utilities.ParseCheckboxBoolean(req.RunHidden),
+		RunHidden:     utils.ParseCheckboxBoolean(req.RunHidden),
 	})
 	if err != nil {
 		h.Logger.Error(err)
-		c.String(http.StatusInternalServerError, err.Error())
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
 	c.String(http.StatusOK, binary)
@@ -274,7 +274,7 @@ func (h *httpController) fileExplorerHandler(c *gin.Context) {
 		c.String(http.StatusBadRequest, err.Error())
 		return
 	}
-	path, err := utilities.DecodeBase64(req.Path)
+	path, err := utils.DecodeBase64(req.Path)
 	if err != nil {
 		c.String(http.StatusBadRequest, err.Error())
 		return
@@ -293,7 +293,7 @@ func (h *httpController) fileExplorerHandler(c *gin.Context) {
 	}
 
 	var fileExplorer entities.FileExplorer
-	err = json.Unmarshal(utilities.StringToByte(payload.Response), &fileExplorer)
+	err = json.Unmarshal(utils.StringToByte(payload.Response), &fileExplorer)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return

internal/middleware/jwt.go+1 −1 modified

@@ -4,7 +4,7 @@ import (
 	"github.com/appleboy/gin-jwt/v2"
 	"github.com/gin-gonic/gin"
 	"github.com/tiagorlampert/CHAOS/entities"
-	jwtUtil "github.com/tiagorlampert/CHAOS/internal/utilities/jwt"
+	jwtUtil "github.com/tiagorlampert/CHAOS/internal/utils/jwt"
 	"github.com/tiagorlampert/CHAOS/services"
 	"net/http"
 	"time"

internal/utilities/string.go+0 −15 removed

@@ -1,15 +0,0 @@
-package utilities
-
-import "crypto/rand"
-
-const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`
-
-// GenerateRandomString generate a random string based on a given size
-func GenerateRandomString(size int) string {
-	var bytes = make([]byte, size)
-	rand.Read(bytes)
-	for i, x := range bytes {
-		bytes[i] = characters[x%byte(len(characters))]
-	}
-	return string(bytes)
-}

internal/utils/base64.go+1 −1 renamed

@@ -1,4 +1,4 @@
-package utilities
+package utils
 
 import "encoding/base64"

internal/utils/byte.go+1 −1 renamed

@@ -1,4 +1,4 @@
-package utilities
+package utils
 
 func ByteToString(value []byte) string {
 	return string(value)

internal/utils/checkbox.go+1 −1 renamed

@@ -1,4 +1,4 @@
-package utilities
+package utils
 
 func ParseCheckboxBoolean(value string) bool {
 	if value == "true" {

internal/utils/constants/constants.go+0 −0 renamed

internal/utils/image/png.go+1 −1 renamed

@@ -3,7 +3,7 @@ package image
 import (
 	"fmt"
 	"github.com/google/uuid"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
+	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
 	"os"
 )

internal/utils/jwt/jwt.go+0 −0 renamed
internal/utils/network/address.go+0 −0 renamed
internal/utils/network/http.go+0 −0 renamed

internal/utils/password.go+1 −1 renamed

@@ -1,4 +1,4 @@
-package utilities
+package utils
 
 import (
 	"golang.org/x/crypto/bcrypt"

internal/utils/string.go+35 −0 added

@@ -0,0 +1,35 @@
+package utils
+
+import (
+	"crypto/rand"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`
+
+// GenerateRandomString generate a random string based on a given size
+func GenerateRandomString(size int) string {
+	var bytes = make([]byte, size)
+	rand.Read(bytes)
+	for i, x := range bytes {
+		bytes[i] = characters[x%byte(len(characters))]
+	}
+	return string(bytes)
+}
+
+func NormalizeString(s string) (string, error) {
+	re, err := regexp.Compile(`\W`)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(re.ReplaceAllString(s, "")), nil
+}
+
+func StringIsNumber(s string) bool {
+	if _, err := strconv.Atoi(s); err == nil {
+		return true
+	}
+	return false
+}

internal/utils/system/directory.go+0 −0 renamed
internal/utils/system/os.go+0 −0 renamed
internal/utils/template/template.go+0 −0 renamed
internal/utils/ui/logo.go+0 −0 renamed

internal/utils/validation.go+17 −0 added

@@ -0,0 +1,17 @@
+package utils
+
+import (
+	"net"
+	"net/url"
+)
+
+func IsValidIPAddress(s string) bool {
+	return net.ParseIP(s) != nil
+}
+
+func IsValidURL(s string) bool {
+	if _, err := url.ParseRequestURI(s); err != nil {
+		return false
+	}
+	return true
+}

services/auth_service.go+3 −3 modified

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/tiagorlampert/CHAOS/entities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
 	"github.com/tiagorlampert/CHAOS/repositories"
 	"strings"
 )
@@ -47,7 +47,7 @@ func (s authService) Setup() (*entities.Auth, error) {
 		if hasProvidedSecretKey {
 			dummyAuth.SecretKey = s.secretKey
 		} else {
-			dummyAuth.SecretKey = utilities.GenerateRandomString(secretKeySize)
+			dummyAuth.SecretKey = utils.GenerateRandomString(secretKeySize)
 		}
 		return &dummyAuth, s.authRepository.Insert(dummyAuth)
 	}
@@ -74,7 +74,7 @@ func (s authService) RefreshSecret() (string, error) {
 	}
 	if err := s.authRepository.Update(entities.Auth{
 		DBModel:   auth.DBModel,
-		SecretKey: utilities.GenerateRandomString(secretKeySize),
+		SecretKey: utils.GenerateRandomString(secretKeySize),
 	}); err != nil {
 		return "", err
 	}

services/client.go+7 −1 modified

@@ -2,7 +2,8 @@ package services
 
 import (
 	"context"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
+	"errors"
+	"github.com/tiagorlampert/CHAOS/internal/utils/system"
 )
 
 type (
@@ -21,6 +22,11 @@ type (
 	}
 )
 
+var (
+	ErrInvalidServerAddress = errors.New("the server address provided is invalid")
+	ErrInvalidServerPort    = errors.New("the server port provided is invalid")
+)
+
 type Client interface {
 	SendCommand(ctx context.Context, input SendCommandInput) (SendCommandOutput, error)
 	BuildClient(BuildClientBinaryInput) (string, error)

services/client_service.go+23 −9 modified

@@ -4,11 +4,11 @@ import (
 	"context"
 	"fmt"
 	"github.com/google/uuid"
-	"github.com/tiagorlampert/CHAOS/internal/utilities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/image"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/jwt"
-	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
+	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
+	"github.com/tiagorlampert/CHAOS/internal/utils/image"
+	"github.com/tiagorlampert/CHAOS/internal/utils/jwt"
+	"github.com/tiagorlampert/CHAOS/internal/utils/system"
 	repo "github.com/tiagorlampert/CHAOS/repositories"
 	"os/exec"
 	"strings"
@@ -38,7 +38,7 @@ func NewClient(
 }
 
 func (c clientService) SendCommand(ctx context.Context, input SendCommandInput) (SendCommandOutput, error) {
-	addr, err := utilities.DecodeBase64(input.MacAddress)
+	addr, err := utils.DecodeBase64(input.MacAddress)
 	if err != nil {
 		return SendCommandOutput{}, fmt.Errorf(`error decoding base64: %w`, err)
 	}
@@ -60,7 +60,7 @@ func (c clientService) SendCommand(ctx context.Context, input SendCommandInput)
 		}
 	}
 
-	res := utilities.ByteToString(payload.Response)
+	res := utils.ByteToString(payload.Response)
 	if payload.HasError {
 		return SendCommandOutput{}, fmt.Errorf(res)
 	}
@@ -77,7 +77,7 @@ func HandleResponse(payload *PayloadData) (*PayloadData, error) {
 		if err != nil {
 			return nil, err
 		}
-		payload.Response = utilities.StringToByte(file)
+		payload.Response = utils.StringToByte(file)
 		break
 	default:
 		return payload, nil
@@ -86,13 +86,27 @@ func HandleResponse(payload *PayloadData) (*PayloadData, error) {
 }
 
 func (c clientService) BuildClient(input BuildClientBinaryInput) (string, error) {
+	if !utils.IsValidIPAddress(input.ServerAddress) &&
+		!utils.IsValidURL(input.ServerAddress) {
+		return "", ErrInvalidServerAddress
+	}
+
+	if !utils.StringIsNumber(input.ServerPort) {
+		return "", ErrInvalidServerPort
+	}
+
+	filename, err := utils.NormalizeString(input.Filename)
+	if err != nil {
+		return "", err
+	}
+
 	token, err := c.GenerateNewToken()
 	if err != nil {
 		return "", err
 	}
 
 	const buildStr = `GO_ENABLED=1 GOOS=%s GOARCH=amd64 go build -ldflags '%s -s -w -X main.Version=%s -X main.ServerPort=%s -X main.ServerAddress=%s -X main.Token=%s -extldflags "-static"' -o ../temp/%s main.go`
-	filename := handleFilename(input.OSTarget, input.Filename)
+	filename = handleFilename(input.OSTarget, filename)
 	buildCmd := fmt.Sprintf(buildStr, handleOSType(input.OSTarget), runHidden(input.RunHidden), c.appVersion, input.ServerPort, input.ServerAddress, token, filename)
 	cmd := exec.Command("sh", "-c", buildCmd)
 	cmd.Dir = "client/"

services/device_service.go+2 −2 modified

@@ -3,7 +3,7 @@ package services
 import (
 	"errors"
 	"github.com/tiagorlampert/CHAOS/entities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
 	"github.com/tiagorlampert/CHAOS/repositories"
 	"time"
 )
@@ -30,7 +30,7 @@ func (d deviceService) FindAll() ([]entities.Device, error) {
 		return nil, err
 	}
 	for index, device := range devices {
-		devices[index].MacAddressBase64 = utilities.EncodeBase64(device.MacAddress)
+		devices[index].MacAddressBase64 = utils.EncodeBase64(device.MacAddress)
 	}
 	return devices, nil
 }

services/user_service.go+5 −5 modified

@@ -2,7 +2,7 @@ package services
 
 import (
 	"github.com/tiagorlampert/CHAOS/entities"
-	"github.com/tiagorlampert/CHAOS/internal/utilities"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
 	repo "github.com/tiagorlampert/CHAOS/repositories"
 )
 
@@ -24,7 +24,7 @@ func (u userService) Login(username, password string) bool {
 	if err != nil {
 		return false
 	}
-	return utilities.PasswordsMatch(user.Password, password)
+	return utils.PasswordsMatch(user.Password, password)
 }
 
 func (u userService) Insert(input entities.User) error {
@@ -42,11 +42,11 @@ func (u userService) UpdatePassword(input UpdateUserPasswordInput) error {
 	if err != nil {
 		return err
 	}
-	if !utilities.PasswordsMatch(user.Password, input.OldPassword) {
+	if !utils.PasswordsMatch(user.Password, input.OldPassword) {
 		return ErrInvalidPassword
 	}
 
-	passwordHash, err := utilities.HashAndSalt(input.NewPassword)
+	passwordHash, err := utils.HashAndSalt(input.NewPassword)
 	if err != nil {
 		return err
 	}
@@ -63,7 +63,7 @@ func (u userService) CreateDefaultUser() error {
 		return err
 	}
 
-	passwordHash, err := utilities.HashAndSalt(defaultPassword)
+	passwordHash, err := utils.HashAndSalt(defaultPassword)
 	if err != nil {
 		return err
 	}

web/static/js/app/generate.js+2 −1 modified

@@ -21,7 +21,7 @@ async function GenerateBinary() {
         .then(response => {
             if (!response.ok) {
                 return response.text().then(err => {
-                    throw new Error(err.message);
+                    throw new Error(err);
                 });
             }
             return response.text();
@@ -32,6 +32,7 @@ async function GenerateBinary() {
         })
         .catch(err => {
             console.log('Error: ', err);
+            Swal.close();
             ShowNotification('danger', 'Ops!', 'Failed building client binary.\n' + JSON.parse(err.message).error)
         });
 }

24c9e109b5be

https://github.com/tiagorlampert/CHAOSTiago Rodrigo LampertJul 8, 2022via ghsa

commit

1 file changed · +1 −3

internal/utils/validation.go+1 −3 modified

@@ -10,9 +10,7 @@ func IsValidIPAddress(s string) bool {
 }
 
 func IsValidURL(s string) bool {
-	u, err := url.ParseRequestURI(s)
-	_ = u
-	if err != nil {
+	if _, err := url.ParseRequestURI(s); err != nil {
 		return false
 	}
 	return true

1b451cf62582

validate input values