ASTEVAL Arbitrary Code Execution Vulnerability via Controlled Input
Vulnerability
A vulnerability in the ASTEVAL library, prior to version 1.0.6, allows arbitrary execution of Python code. The issue arises when an attacker controls input to the library and uses it to bypass the library's restrictions. The vulnerability lies in how ASTEVAL handles 'FormattedValue' Abstract Syntax Tree (AST) nodes: the 'on_formattedvalue' method calls the 'format' method of the str class, which can be abused to reach protected attributes by triggering an 'AttributeError' and capturing the exception to retrieve sensitive object properties.
Impact
Exploitation of this vulnerability allows arbitrary code execution in the context of the application that uses the ASTEVAL library.
Reproduction
The vulnerability can be reproduced by creating an instance of the ASTEVAL Interpreter and passing it a crafted string that reaches the 'on_formattedvalue' method. The crafted string manipulates the format specification so that access to a protected attribute triggers an 'AttributeError'; the exception is then caught and used to reach sensitive object properties. A proof-of-concept is available that demonstrates the issue by executing the 'whoami' command on the host machine.
Remediation
Users are advised to update to ASTEVAL version 1.0.6 or later, where this vulnerability has been fixed.
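As an added example (not code from the advisory or the asteval project), the stop-gap a defender would put in front of an unpatched evaluator: compare the installed version against the fixed release named above, and refuse any expression whose AST contains a 'FormattedValue' node (an f-string placeholder) before it reaches the interpreter. Both helpers are assumptions for illustration and use only the standard library; the version parser assumes asteval's plain X.Y.Z numbering.

```python
import ast

# First release the advisory names as fixed.
FIXED_VERSION = (1, 0, 6)


def parse_version(version: str) -> tuple:
    """Turn '1.0.5' or '1.0.6rc1' into a comparable tuple of ints.

    Only the leading numeric part of each component is compared; this is an
    assumption that holds for asteval's plain X.Y.Z release numbering.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given asteval version predates the fixed release (< 1.0.6)."""
    return parse_version(version) < FIXED_VERSION


def count_formatted_values(expression: str) -> int:
    """Count FormattedValue nodes in an expression, including placeholders
    nested inside a format spec such as f'{x:>{w}}' (which has two).

    The advisory ties the vulnerability to asteval's handling of exactly this
    node type, so a pre-filter on it is a targeted interim control.
    Raises SyntaxError for input that is not a valid expression.
    """
    tree = ast.parse(expression, mode="eval")
    return sum(isinstance(n, ast.FormattedValue) for n in ast.walk(tree))


def is_safe_to_evaluate(expression: str) -> bool:
    """Gate to call before handing user input to the evaluator on an
    unpatched host: reject f-string placeholders and unparsable input."""
    try:
        return count_formatted_values(expression) == 0
    except SyntaxError:
        # Unparsable input is rejected rather than passed through.
        return False
```

This filter covers only the f-string placeholder path the advisory describes and is not a substitute for upgrading to 1.0.6 or later.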