GHSA-xm59-rqc7-hhvf

Описание

Summary

On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a inkscape.bat file that defines a Windows batch script, capable of arbitrary code execution.

When a user runs jupyter nbconvert --to pdf on a notebook containing SVG output to a PDF on a Windows platform from this directory, the inkscape.bat file is run unexpectedly.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

nbconvert searches for an inkscape executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104

The MITRE page on CWE-427 (Uncontrolled Search Path Element) summarizes the root cause succinctly:

In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:

• the directory from which the program has been loaded
• the current working directory

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

1. Create a directory containing:

   • A hidden bat file called inkscape.bat containing msg * "You've been hacked!"

   • A dummy ipynb file called Machine_Learning.ipynb

2. Run the command jupyter nbconvert --to pdf Machine_Learning.ipynb.

3. Wait a few seconds, and you should see a popup showing the message "You've been hacked!"

Impact

All Windows users.