pyLoad Path Traversal Vulnerability in Upload Endpoint Allows Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in the pyLoad download manager, specifically in version 0.5.0b3.dev89. The vulnerability exists within the '/json/upload' endpoint, where an authenticated attacker can manipulate the filename of uploaded files to traverse out of the designated upload directory. This exploitation enables the attacker to write arbitrary files to any location on the system that the pyLoad process can access. The consequences of this vulnerability could include remote code execution, local privilege escalation, system-wide compromise, and the potential for persistence and backdoors.
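The defect described above is the classic one: a client-supplied filename is joined onto the upload directory without first being reduced to a single path component and without checking where the final path lands. The following is an added example, written for this page and not taken from pyLoad's code base, that contrasts the unsafe join with a hardened helper. The function names (`sanitize_filename`, `resolve_inside`, `escapes`) and the `/tmp/uploads` directory are assumptions chosen for illustration.

```python
import os
import re

# Characters permitted in a stored filename: letters, digits, dot, dash, underscore.
# Everything else (including path separators) is replaced. This is an assumed
# policy for the example, not a rule taken from pyLoad.
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(user_filename: str) -> str:
    """Reduce a client-supplied filename to one safe path component."""
    # Keep only the last component, treating backslash as a separator too so a
    # Windows-style name cannot smuggle directory parts past a '/'-only split.
    name = user_filename.replace("\\", "/").split("/")[-1]
    name = _SAFE_CHARS.sub("_", name)
    # Reject names that are empty or consist only of dots ('.', '..') after cleaning.
    if not name.strip("."):
        raise ValueError("invalid filename")
    return name


def resolve_inside(upload_dir: str, user_filename: str) -> str:
    """Return an absolute path that is guaranteed to lie inside upload_dir.

    Sanitising the name is the first line of defence; resolving the final path
    and checking containment is the second, so that a symlink or an unexpected
    name form cannot escape the directory either.
    """
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, sanitize_filename(user_filename)))
    # commonpath defeats the prefix trick where '/srv/uploads2' would satisfy a
    # naive startswith('/srv/uploads') check.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload directory")
    return target


def naive_path(upload_dir: str, user_filename: str) -> str:
    """The unsafe pattern: joining the raw name lets '..' segments walk out of upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, user_filename))


def escapes(upload_dir: str, user_filename: str) -> bool:
    """True when the naive join resolves outside upload_dir; useful as a regression check."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(naive_path(upload_dir, user_filename))
    return os.path.commonpath([base, target]) != base


if __name__ == "__main__":
    # Constructed sample names: one ordinary, one carrying traversal sequences.
    for name in ("report.txt", "../../etc/cron.d/job"):
        print(f"{name!r}: naive join escapes={escapes('/tmp/uploads', name)}, "
              f"hardened -> {resolve_inside('/tmp/uploads', name)}")
```

The hardened helper applies two independent controls: the name is collapsed to a single component and filtered, and the resolved path is then checked for containment with `os.path.commonpath`. Either control alone blocks the traversal described above; keeping both means a future change to one does not silently reopen the hole.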

Impact

Exploitation of this vulnerability could lead to remote code execution, local privilege escalation, a system-wide compromise, and the introduction of persistent backdoors, according to the advisory.

Reproduction

To reproduce this vulnerability, first log into the application to obtain a session token. Then, create a malicious cron payload that, when executed, will download and execute a script from an external server. Upload a file through the '/json/upload' endpoint, using a filename that includes path traversal sequences to escape the intended directory and write the file to a location such as '/etc/cron.d/' where it can be executed as a cron job. Once the file is uploaded, the payload will be executed according to the cron schedule.

Remediation

Users can upgrade to pyLoad version 0.5.0b3.dev90, where this vulnerability has been patched.

Added: Jul 22, 2025, 10:25 PM
Updated: Jul 22, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread           2.4
impact          10.0
exploitability   6.0
remediation      7.7
relevance        0.3
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.