
A researcher has published a functional exploit for a remote code execution (RCE) flaw affecting ReportLab Toolkit, a popular Python library used by many projects to generate PDF files from HTML input.

The proof-of-concept (PoC) exploit for the flaw, tracked as CVE-2023-33733, was published yesterday on GitHub, together with a debrief that provides technical details about the vulnerability, increasing the likelihood of exploitation in the wild.

ReportLab Toolkit is used by several projects as a PDF library and has about 3.5 million monthly downloads on PyPI (Python Package Index).

Bypass old patch

The problem stems from the ability to bypass sandbox restrictions in ‘rl_safe_eval’, whose role is to prevent the execution of malicious code, allowing an attacker to access potentially dangerous Python built-in functions.

The ‘rl_safe_eval’ function was introduced as a measure to prevent a similar remote code execution issue that was discovered in 2019; therefore, the researcher focused on circumventing it.

The presented PoC retrieves the built-in ‘type’ function, which is used to create a new class named ‘Word’ that inherits from the ‘str’ class; this class can bypass security checks and provide access to sensitive attributes like ‘code’.

Then ‘type’ is called on itself to bypass secure evaluation checks for argument count restrictions, allowing the attacker to abuse the original, built-in ‘type’ function to create new classes and new items.

This leads to constructing a malicious function from the bytecode of a compiled function, which, when executed, can perform an arbitrary action. In the researcher’s example, it calls an operating system command to create a file named ‘exploited’ in the ‘/tmp/’ directory.

The researcher notes that the entire exploit code must be executed with eval in a single expression, so he uses the “list comprehension” trick to structure it that way.

Exploit for CVE-2023-33733 (GitHub)

Cure53 researcher Elyas Damej warns in his article that exploiting CVE-2023-33733 is as simple as embedding malicious code in an HTML file that will be converted to PDF on software using the ReportLab library.

Example of malicious HTML triggering the flaw in xhtml2pdf (GitHub)

Widespread use of the library and a public exploit put many users at risk. ISVs that depend on the library can manage the resulting supply chain risk by applying the available security update.

Damej told BleepingComputer that the issue was reported to the developers at ReportLab when it was discovered, and that a fix was provided in version 3.6.13, released on April 27, 2023.

The researcher clarified that the vulnerability affects all earlier versions of the library.
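Because the article states that the fix shipped in 3.6.13 and that every earlier release is affected, the practical defender's task is to find installations below that version. The following script is an added example, not code from the article, the researcher or the ReportLab project: it looks up the installed ReportLab distribution (the PyPI distribution name `reportlab` is assumed) and compares its version against the fixed release with a small PEP 440-style comparison that treats pre-releases of 3.6.13 as still vulnerable and post-releases as fixed.

```python
"""Defensive version check for CVE-2023-33733 (ReportLab Toolkit).

Added example, not part of the original article or the ReportLab project.
Assumptions: the fix is in 3.6.13 (as stated in the article), all earlier
releases are affected, and the distribution is published on PyPI as 'reportlab'.
"""
from importlib import metadata
import re

FIXED_VERSION = "3.6.13"  # fixed release named in the article (April 27, 2023)


def parse_version(version: str) -> tuple:
    """Turn a version string into a tuple that compares in release order.

    Returns (numeric_components, rank, suffix) where rank orders a
    pre-release (rank 0) before the final release (rank 1) and a
    post-release (rank 2) after it. Only ints are compared with ints,
    so tuples of different lengths never raise TypeError.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    # pad so that '3.6' compares like '3.6.0'
    nums = nums + (0,) * max(0, 3 - len(nums))
    suffix = m.group(2).lower()
    if not suffix:
        rank = 1            # final release, e.g. 3.6.13
    elif suffix.lstrip(".").startswith("post"):
        rank = 2            # post-release, e.g. 3.6.13.post1 (contains the fix)
    else:
        rank = 0            # a/b/rc/dev pre-release, e.g. 3.6.13rc1 (predates it)
    return (nums, rank, suffix)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_installed(dist: str = "reportlab") -> dict:
    """Classify the locally installed distribution (assumed name 'reportlab').

    Returns a small report dict so the result can be logged or asserted on
    rather than only printed.
    """
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return {"package": dist, "installed": None, "vulnerable": False,
                "note": "not installed"}
    return {"package": dist, "installed": ver,
            "vulnerable": is_vulnerable(ver),
            "note": f"fixed in {FIXED_VERSION}"}


if __name__ == "__main__":
    print(check_installed())
```

Run it inside each virtual environment or container image that renders PDFs; a `vulnerable: True` result means the environment is still on a pre-3.6.13 release and needs the update, while `installed: None` only says the package is absent from that particular environment, not from the whole deployment.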
