CVE-2024-28397 Scanner

CVE-2024-28397 Scanner - Remote Code Execution (RCE) vulnerability in pyload

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 20 days 19 hours
Scan only one: Domain, IPv4
Toolbox: -

pyLoad is a free and open-source download manager that automates downloads from one-click hosters, container files and plain HTTP/FTP links. It is used by people who need to queue and manage many downloads at once without manual oversight. The tool is web-based, so it is often reachable remotely for management, and it can merge, rename and extract downloaded files automatically. A plugin architecture lets users add hosters and services or customise behaviour. It is particularly popular with users who want to streamline downloading with extra automation, and it is commonly installed on home servers and NAS devices.

The remote code execution flaw tracked as CVE-2024-28397 lives in js2py, the pure-Python JavaScript interpreter that pyLoad uses to evaluate the small key function sent by Click'N'Load clients. js2py offers js2py.disable_pyimport(), a switch meant to keep evaluated JavaScript away from the Python side, but it only removes the pyimport statement: JavaScript evaluated after calling it can still reach the Python objects js2py exposes and, through them, run arbitrary Python code. js2py up to version 0.74 is affected. Because pyLoad passes attacker-controlled JavaScript taken straight from an API request into js2py, a remote attacker who can reach the endpoint can execute commands with the privileges of the pyLoad process, which compromises the integrity of the host and any data pyLoad stores or processes.

The exposed code path is pyLoad's Click'N'Load handler, the POST route /flash/addcrypted2. A legitimate client sends a package name (package), the encrypted link list (crypted) and, in the jk parameter, a short JavaScript function that returns the AES key needed to decrypt that list; pyLoad calls js2py.disable_pyimport() and then evaluates jk to obtain the key. Nothing checks that jk is a plain key-returning function, so an attacker can replace it with JavaScript that walks from the objects js2py exposes into Python's object model and spawns a process. The route is intended for Click'N'Load browser extensions and does not require a web UI login, and js2py provides no real sandbox, so a single crafted POST yields command execution on the host. Practical check: any pyLoad instance whose web interface or Click'N'Load port (9666 by default) is reachable from an untrusted network should be treated as exploitable until it is upgraded to a release that no longer evaluates jk with a vulnerable js2py; in the meantime, restrict access to those ports to trusted hosts.
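The following is an added example for this page, not pyLoad's or js2py's own code. It contrasts the unsafe pattern (handing the attacker-controlled jk string to js2py after disable_pyimport()) with a hardened alternative that never runs JavaScript at all: it pattern-matches the only shape a legitimate Click'N'Load jk can take, a function named f returning a 32-hex-character (16-byte) AES key, and rejects everything else. The exact string pyLoad builds for js2py and the sample jk values are assumptions made for illustration; the samples are constructed, not captured traffic.

```python
"""Strict Click'N'Load 'jk' key extraction versus JavaScript evaluation.

Added example: not pyLoad's code, not js2py's. Assumes the CNL2 convention that
jk is `function f(){ return '<32 hex chars>'; }`, which is what real clients send.
"""
import re

# Exact shape of a legitimate CNL2 jk function. Anything else is rejected, so
# the request body never reaches a JavaScript interpreter.
CNL_JK_RE = re.compile(
    r"""^\s*function\s+f\s*\(\s*\)\s*\{\s*return\s*(['"])([0-9a-fA-F]{32})\1\s*;?\s*\}\s*;?\s*$"""
)


def extract_key_js2py(jk: str) -> str:
    """Vulnerable pattern (illustrative; the exact script pyLoad builds is an
    assumption). js2py.disable_pyimport() only removes the 'pyimport' statement.
    It does not stop the script from reaching the Python objects js2py exposes,
    so an attacker-controlled jk is a sandbox escape (CVE-2024-28397).
    Needs the third-party js2py package; never call this on untrusted input.
    """
    import js2py  # imported here so the module loads without js2py installed
    js2py.disable_pyimport()
    return js2py.eval_js(f"{jk} f()")


def extract_key_strict(jk: str) -> bytes:
    """Hardened pattern: recognise the key instead of executing the script.

    Returns the 16-byte AES key or raises ValueError for anything that is not
    exactly a plain key-returning function.
    """
    if len(jk) > 256:  # generous bound; a real jk is roughly 50 characters
        raise ValueError("jk too long")
    m = CNL_JK_RE.match(jk)
    if m is None:
        raise ValueError("jk is not a plain Click'N'Load key function")
    return bytes.fromhex(m.group(2))


def classify_jk(jk: str) -> str:
    """'accept' when strict extraction succeeds, otherwise 'reject'."""
    try:
        extract_key_strict(jk)
        return "accept"
    except ValueError:
        return "reject"


# Constructed samples (not real traffic): two legitimate jk values and three
# that the vulnerable pattern would hand to a JavaScript engine unchanged.
SAMPLES = {
    "legit": "function f(){ return '31323334353637383930313233343536';}",
    "legit_spaced": 'function f() { return "0A0B0C0D0E0F10111213141516171819" ; }',
    # Any statement before the return is enough to reject; the strict parser
    # does not need to reason about what that statement would do.
    "extra_statement": "function f(){ var x = Object.getOwnPropertyNames({}); "
                       "return '31323334353637383930313233343536';}",
    "wrong_key_len": "function f(){ return '3132';}",
    "trailing_code": "function f(){ return '31323334353637383930313233343536';} f(); evil()",
}


def demo() -> dict:
    """Verdict for every sample, keyed by sample name."""
    return {name: classify_jk(jk) for name, jk in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The point of the hardened version is that the decision is made on syntax alone: a legitimate client gains nothing from a JavaScript engine, because its jk only ever returns a constant, so refusing to evaluate the parameter costs no functionality and removes the js2py attack surface entirely. Decrypting the crypted blob afterwards (AES-128-CBC with the key also used as IV) proceeds exactly as before, just with a key obtained by matching rather than by execution.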

If exploited, this vulnerability lets an attacker run arbitrary commands with the privileges of the pyLoad process. That is enough to read or alter the downloaded files and pyLoad's configuration and stored credentials, to drop additional payloads, and to use the host as a foothold for attacking other systems on the same network or external targets. In the worst case the attacker takes over the server entirely, renders the service inoperable, or exfiltrates everything the host can reach. Administrators can lose control of the device, which is especially serious where pyLoad runs on a home server or NAS that also holds other data. Overall the flaw is a direct threat to both system availability and data confidentiality.
