GHSA-3f7w-p8vr-4v5f

Suggest an improvement
Source
https://github.com/advisories/GHSA-3f7w-p8vr-4v5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3f7w-p8vr-4v5f/GHSA-3f7w-p8vr-4v5f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3f7w-p8vr-4v5f
Aliases
  • CVE-2024-32880
Published
2024-04-24T21:16:59Z
Modified
2024-04-26T19:01:08.261944Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
pyLoad allows upload to arbitrary folder lead to RCE
Details

Summary

An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution

Details

example version: 0.5 file:src/pyload/webui/app/blueprints/app_blueprint.py

@bp.route("/render/<path:filename>", endpoint="render")
def render(filename):
    mimetype = mimetypes.guess_type(filename)[0] or "text/html"
    data = render_template(filename)
    return flask.Response(data, mimetype=mimetype)

So, if we can control file in the path "pyload/webui/app/templates" in latest version and path in "module/web/media/js"(the difference is the older version0.4.20 only renders file with extension name ".js"), the render_template func will works like SSTI(server-side template injection) when render the evil file we control.

in /settings page and the choose option general/general, where we can change the download folder. image

Also, we can find the pyLoad install folder in /info page image So, we can change the value of Download folder to the template path. Then through /json/add_package we can upload a crafted template file to RCE.

@bp.route("/json/add_package", methods=["POST"], endpoint="add_package")
# @apiver_check
@login_required("ADD")
def add_package():
    api = flask.current_app.config["PYLOAD_API"]

    package_name = flask.request.form.get("add_name", "New Package").strip()
    queue = int(flask.request.form["add_dest"])
    links = [l.strip() for l in flask.request.form["add_links"].splitlines()]
    pw = flask.request.form.get("add_password", "").strip("\n\r")

    try:
        file = flask.request.files["add_file"]

        if file.filename:
            if not package_name or package_name == "New Package":
                package_name = file.filename

            file_path = os.path.join(
                api.get_config_value("general", "storage_folder"), "tmp_" + file.filename
            )
            file.save(file_path)
            links.insert(0, file_path)

    except Exception:
        pass

    urls = [url for url in links if url.strip()]
    pack = api.add_package(package_name, urls, queue)
    if pw:
        data = {"password": pw}
        api.set_package_data(pack, data)

    return jsonify(True)

PoC

First login into the admin page, then visit the info page to get the path of pyload installation folder. Second, change the download folder to PYLOADINSTALLDIR/ webui/app/templates/ Third, upload crafted template file through /json/addpackage through parameter addfile the content of crafted template file and its filename is "341.html":

{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()")}}

image Last, visit http://TARGET/render/tmp_341.html to trigger the RCE image image

Impact

It is a RCE vulnerability and I think it affects all versions. In earlier version 0.4.20, the trigger difference is the pyload installation folder path difference and the upload file must with extension ".js" . The render js code in version 0.4.20:

@route("/media/js/<path:re:.+\.js>")
def js_dynamic(path):
    response.headers['Expires'] = time.strftime("%a, %d %b %Y %H:%M:%S GMT",
                                                time.gmtime(time.time() + 60 * 60 * 24 * 2))
    response.headers['Cache-control'] = "public"
    response.headers['Content-Type'] = "text/javascript; charset=UTF-8"

    try:
        # static files are not rendered
        if "static" not in path and "mootools" not in path:
            t = env.get_template("js/%s" % path)
            return t.render()
        else:
            return static_file(path, root=join(PROJECT_DIR, "media", "js"))
    except:
        return HTTPError(404, "Not Found")
References

Affected packages

PyPI / pyload-ng

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.5.0

Affected versions

0.*

0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31
0.5.0b3.dev32
0.5.0b3.dev33
0.5.0b3.dev34
0.5.0b3.dev35
0.5.0b3.dev38
0.5.0b3.dev39
0.5.0b3.dev40
0.5.0b3.dev41
0.5.0b3.dev42
0.5.0b3.dev43
0.5.0b3.dev44
0.5.0b3.dev45
0.5.0b3.dev46
0.5.0b3.dev47
0.5.0b3.dev48
0.5.0b3.dev49
0.5.0b3.dev50
0.5.0b3.dev51
0.5.0b3.dev52
0.5.0b3.dev53
0.5.0b3.dev54
0.5.0b3.dev57
0.5.0b3.dev60
0.5.0b3.dev62
0.5.0b3.dev64
0.5.0b3.dev65
0.5.0b3.dev66
0.5.0b3.dev67
0.5.0b3.dev68
0.5.0b3.dev69
0.5.0b3.dev70
0.5.0b3.dev71
0.5.0b3.dev72
0.5.0b3.dev73
0.5.0b3.dev74
0.5.0b3.dev75
0.5.0b3.dev76
0.5.0b3.dev77
0.5.0b3.dev78
0.5.0b3.dev79
0.5.0b3.dev80
0.5.0b3.dev81
0.5.0b3.dev82