Exploit released for RCE flaw in popular ReportLab PDF library


A researcher has published a working exploit for a remote code execution (RCE) flaw impacting ReportLab Toolkit, a popular Python library used by numerous projects to generate PDF files from HTML input.

The proof-of-concept (PoC) exploit for the flaw, tracked as CVE-2023-33733, was published yesterday on GitHub along with a write-up that provides technical details about the vulnerability, thus increasing the likelihood of in-the-wild exploitation.

ReportLab Toolkit is used by multiple projects as a PDF library and has approximately 3.5 million monthly downloads on PyPI (Python Package Index).

Bypassing previous fix

The problem stems from the ability to bypass sandbox restrictions on ‘rl_safe_eval,’ whose role is to prevent malicious code execution, leading to the attacker accessing potentially dangerous Python built-in functions.

The ‘rl_safe_eval’ function was introduced as a measure to prevent a similar remote code execution issue that was discovered in 2019; hence the researcher focused on bypassing it.

The presented PoC retrieves the built-in ‘type’ function that helps create a new class named ‘Word,’ which inherits from the ‘str’ class, which can bypass safety checks and gives access to sensitive attributes like ‘code.’

Next, ‘type’ is called on itself to get around safe eval checks regarding argument count restrictions, allowing the attacker to abuse the original, built-in ‘type’ function for creating new classes and objects.

This leads to constructing a malicious function from the bytecode of a compiled one, which, when executed, can perform an arbitrary action. In the researcher’s example, it calls an OS command to create a file called ‘exploited’ in the “/tmp/” directory.

The researcher notes that the entire exploit code must be run with eval in a single expression, so it uses the ‘list comprehension’ trick to structure it as such.

Exploit for CVE-2023-33733 (GitHub)

The Cure53 researcher, Elyas Damej, warns in his write-up that the exploitation of CVE-2023-33733 is as simple as incorporating malicious code in an HTML file that will be converted to PDF on software that uses the ReportLab library.

Example of a malicious HTML triggering the flaw in xhtml2pdf (GitHub)

The widespread use of the library and a public exploit puts many users at risk. Software vendors using the library can address the resulting supply chain risk by applying the available security update.

Damej told BleepingComputer that the issue was reported to ReportLab’s developers upon discovery, and a fix came with version 3.6.13, released on April 27, 2023.

The researcher clarified that the vulnerability impacts all earlier versions of the library.
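
One way to act on the update advice is to audit a project's pinned requirements for ReportLab releases older than 3.6.13. The following is an added example, not code from the article or the researcher; the function names, the sample requirements text and the package name `reportlab-example-plugin` are constructed for illustration.

```python
import re

FIXED = (3, 6, 13)  # first patched release, per the article

# Package name, optional extras, then whatever version specifier follows.
# The lookahead stops "reportlab-something" from matching as ReportLab itself.
REQ = re.compile(r"^reportlab(?![A-Za-z0-9._-])\s*(?:\[[^\]]*\])?\s*(.*)$", re.I)
PIN = re.compile(r"^===?\s*(\d+(?:\.\d+)*)$")  # exact pin, plain numeric version


def classify(spec):
    """Map a version specifier to 'vulnerable', 'fixed' or 'review'."""
    m = PIN.match(spec)
    if not m:
        # Unpinned, ranged, wildcard or pre/post-release: resolve it by hand.
        return "review"
    version = tuple(int(p) for p in m.group(1).split("."))
    return "vulnerable" if version < FIXED else "fixed"


def audit(requirements_text):
    """Return (line_number, specifier, status) for every reportlab requirement."""
    findings = []
    for number, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        line = line.split(";", 1)[0].strip()   # drop environment markers
        m = REQ.match(line)
        if m:
            spec = m.group(1).strip()
            findings.append((number, spec, classify(spec)))
    return findings


# Constructed sample input, not taken from any real project.
# "reportlab-example-plugin" is a made-up name used to test name matching.
SAMPLE = """\
# web stack
xhtml2pdf
reportlab==3.6.12   # pinned before the fix
ReportLab==3.6.13 ; python_version >= "3.7"
reportlab>=3.5
reportlab-example-plugin==1.0
"""

if __name__ == "__main__":
    for number, spec, status in audit(SAMPLE):
        print(f"line {number}: reportlab {spec or '(unpinned)'} -> {status}")
```

A "review" result means the file alone does not say which version is installed, so check the resolved environment or lock file for that entry.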
