A technical write-up for a ReportLab vulnerability is now available. The vulnerability is tracked as CVE-2023-33733.
Recently, during an audit of a web application, the application was found to use the ReportLab Python library to generate PDF files dynamically from HTML input. An intriguing discovery was that the library carried a previously patched vulnerability that had led to code execution. For an attacker, finding a bypass for that patch would mean rediscovering the code execution. This is a matter of grave concern, especially considering the widespread use of the ReportLab library in a multitude of applications and tools.
What is the CVE-2023-33733 Vulnerability?
The vulnerability arises because it is possible to bypass the sandbox restrictions of the ‘rl_safe_eval’ function, which is intended to prevent malicious code execution.
The ‘rl_safe_eval’ function was introduced as a measure to prevent a similar remote code execution issue discovered in 2019; hence the researcher focused on bypassing it.
The proof of concept (PoC) demonstrates a technique in which the ‘type’ function is abused to create a new class called ‘Word’, inheriting from the ‘str’ class. This bypasses the safety checks and gives access to sensitive attributes such as ‘__code__’.
By invoking ‘type’ on itself, the attacker bypasses the evaluation checks that restrict the number of arguments. This enables the malicious use of the original built-in ‘type’ function to create new classes and objects.
Consequently, the attacker can construct a harmful function from the bytecode of a compiled one. When executed, this function can perform arbitrary actions.
A fix was included in version 3.6.13, released on April 27, 2023. It is important to note that all previous versions of the library are affected by this vulnerability.
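Because every ReportLab release before 3.6.13 is affected, the practical first step for a defender is an inventory check. The following is an added example, not code from the write-up or from the ReportLab project: it takes pip-freeze style requirement lines (the sample input below is constructed) and flags any pinned reportlab version older than the fixed release named above. Version strings with a non-numeric suffix on 3.6.13 itself (pre-releases) are treated conservatively as affected; that policy is this example's own assumption.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First release that contains the fix, taken from the advisory text above.
FIXED_VERSION: Tuple[int, ...] = (3, 6, 13)

# Constructed sample in pip-freeze format (not real output from any system).
SAMPLE_FREEZE = """
Django==4.2.1
reportlab==3.6.12        # affected: older than 3.6.13
ReportLab==3.6.13        # first fixed release
reportlab==4.0.0
"""

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*)$")
_REQ_RE = re.compile(r"^(reportlab)\s*==\s*(\S+)", re.IGNORECASE)


def is_affected(version: str) -> Optional[bool]:
    """Return True if `version` is older than the fixed release, False if it is
    the fixed release or newer, and None if the string has no numeric prefix
    (e.g. a VCS or editable install whose version cannot be judged here)."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).strip()
    # Pad short versions so that "3.6" compares as (3, 6, 0).
    if len(parts) < len(FIXED_VERSION):
        parts = parts + (0,) * (len(FIXED_VERSION) - len(parts))
    if parts < FIXED_VERSION:
        return True
    # Assumption for this example: a pre-release of the fixed version
    # (such as "3.6.13rc1") is treated as affected rather than guessed safe.
    if parts == FIXED_VERSION and suffix:
        return True
    return False


def scan_requirements(lines: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each pinned reportlab version found in `lines` to its verdict.
    Comments and blank lines are ignored; packages other than reportlab are skipped."""
    verdicts: Dict[str, Optional[bool]] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        version = m.group(2)
        verdicts[version] = is_affected(version)
    return verdicts


if __name__ == "__main__":
    for version, affected in scan_requirements(SAMPLE_FREEZE.splitlines()).items():
        status = {True: "AFFECTED (CVE-2023-33733)", False: "fixed", None: "unknown"}[affected]
        print(f"reportlab=={version}: {status}")
```

Running the block prints one line per reportlab pin; only the 3.6.12 entry is reported as affected. For a real fleet, feed it the output of `pip freeze` from each environment rather than the constructed sample.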