logo

Database

Server side template injection In pyload-ng

Description

pyload-ng vulnerable to RCE with js2py sandbox escape

Summary

Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.

Details

js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.

PoC

The PoC is provided as poc.py below, you can modify the shell command it execute:

import socket
import base64
from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """
// [+] command goes here:...

Impact

Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under python3.11 or below. pyload-ng doesn't use js2py for python3.12 or above.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-392052. NVD-2024-392053. OSV-2024-392054. GHSA-r9pp-r4xf-597r5. GHSA-h95x-26f3-88hr6. GCVE-2024-39205

References

1. https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r2. https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape3. https://github.com/Marven11/CVE-2024-39205-Pyload-RCE4. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.