[BUG] Multiple Vulnerabilities In PyScript - 2022-05-11


Description

PyScript is vulnerable to the vulnerabilities below:

  1. File system browsing
  2. Arbitrary file creation and python code execution

Proof of Concept:

File System Browsing

Using the glob module which is part of Python Standard Library, the Emscripten filesystem can be browsed.

Browsing ‘/’

import glob

glob.glob("/*")

Output:

['/tmp', '/home', '/dev', '/proc', '/lib']

Browsing ‘/home’

PoC:

import glob

glob.glob("/home/*")

Output:

['/home/web_user', '/home/pyodide']

Browsing ‘/lib’

PoC:

import glob

glob.glob("/lib/*")

Output:

['/lib/python3.10']

Browsing ‘/lib/python3.10/’

PoC:

import glob

glob.glob("/lib/python3.10/*")


Arbitrary File Creation and Python Code Execution

We can create and read arbitrary files in the Emscripten filesystem directories.

Proof of Concept 1

PoC showing creating a file in /tmp directory - /tmp/testfile

import glob

with open("/tmp/testfile.txt", "w") as f:
	f.write("PoC Written By Rizal aka UB3RSiCK")
	f.close()

glob.glob("/tmp/*")

Output:

['/tmp/testfile.txt']

Proof of Concept 2

Creates a file at /tmp/testfile.txt with the content PoC Written By Rizal aka UB3RSiCK, verifies the file creation, reads the file content and displays it within a div named “SampleElement”

<html>
  <head>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  </head>
  <body> 
    	<div id="SampleElement" class="font-mono"></div>

		<py-script>
import glob

with open("/tmp/testfile.txt", "w") as f:
	f.write("PoC Written By Rizal aka UB3RSiCK")
	f.close()

glob.glob("/tmp/*")

content = ''.join(glob.glob("/tmp/*"))

with open("/tmp/testfile.txt", "r") as f:
	content = content + " : " +  f.read()
	f.close()

pyscript.write("SampleElement", content)

		</py-script> </body>
</html>

Output:

/tmp/testfile.txt : PoC Written By Rizal aka UB3RSiCK

Proof of Concept 3

Creating a python module in /lib/python3.10 and executing arbitrary python code.

<html>
  <head>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  </head>
  <body> 
    	<div id="SampleElement" class="font-mono"></div>

		<py-script>
import glob

with open("/lib/python3.10/rizalmodule.py", "w") as f:
	f.write("print('Arbitrary Python Module Creation')")
	f.close()

glob.glob("/lib/python3.10/rizalmodule.*")
		</py-script> </body>
</html>

Output:

['/lib/python3.10/rizalmodule.py']

Importing the created module to execute code within.

<html>
  <head>
    <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
    <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
  </head>
  <body> 
    	<div id="SampleElement" class="font-mono"></div>

		<py-script>
import glob

with open("/lib/python3.10/rizalmodule.py", "w") as f:
	f.write("print('Arbitrary Python Module Creation')")
	f.close()

import rizalmodule

		</py-script> </body>
</html>

Output:

Arbitrary Python Module Creation

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 14 (2 by maintainers)

Top GitHub Comments

ckavidas commented, May 11, 2022 (6 reactions)

Please see this image:

image

The “file system” you are looking at is the emscripten filesystem which is ephemeral and entirely contained in YOUR web browser. The behavior you are observing is as expected.

Here is some reading material: https://emscripten.org/docs/api_reference/Filesystem-API.html#filesystem-api

fpliger commented, May 17, 2022 (1 reaction)

Oops, closed before adding a message 😅

This was a great thread, lots of good insights that we can use to improve things! The time issues should be upstream (so, pinging @rth and @hoodmane just for awareness) but it’s work for us to check it out anyway.

Agree with @mattkram on the docs comment. Really useful.

Thanks @Harmouch101 @ckavidas @ub3rsick @marimeireles @mattkram who chimed in!
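
A defender-side check related to Proof of Concept 3 and the maintainer's reply, added here as an example and not code from the issue or from PyScript: it lists which import-path directories the running interpreter can write to and records whether that happens inside the Emscripten runtime or on a host filesystem. The function names are hypothetical, and the check relies on Pyodide reporting `sys.platform` as "emscripten".

```python
import os
import sys
import tempfile


def runtime_is_emscripten():
    # Assumption: Pyodide (the interpreter PyScript loads) reports this platform string.
    return sys.platform == "emscripten"


def writable_import_dirs(paths=None):
    """Return the directories on the import path that this process can write to."""
    found = []
    for entry in (sys.path if paths is None else paths):
        # An empty sys.path entry means the current working directory.
        directory = os.path.abspath(entry or os.getcwd())
        if (os.path.isdir(directory)
                and os.access(directory, os.W_OK)
                and directory not in found):
            found.append(directory)
    return found


def triage(paths=None):
    """Same writable-path check everywhere; the verdict depends on the trust boundary."""
    dirs = writable_import_dirs(paths)
    if not dirs:
        verdict = "no writable import directories"
    elif runtime_is_emscripten():
        verdict = "writable, but confined to the in-browser Emscripten filesystem"
    else:
        verdict = "writable on a host filesystem: review permissions"
    return {"platform": sys.platform, "writable": dirs, "verdict": verdict}


def demo():
    # Constructed sample: one writable temp directory and one path that does not exist.
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "does-not-exist")
        return triage([tmp, missing]), os.path.abspath(tmp)


if __name__ == "__main__":
    report, _ = demo()
    print(report)
```

Called as `triage()` with no arguments, it audits the live `sys.path` of whatever interpreter runs it.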
