Tautulli Remote Code Execution Vulnerability via Sandboxed eval() Bypass

Vulnerability

A remote code execution vulnerability exists in Tautulli versions prior to 2.17.0. The issue is in the str_eval() function in notification_handler.py, which evaluates notification text templates with a sandboxed eval(). The sandbox tries to restrict which names a template may use by inspecting code.co_names of the compiled code object and rejecting names outside an allow-list. That check is incomplete: co_names lists only the names referenced directly by the outer code object. A lambda expression in the template is compiled into a separate, nested code object that is stored in the outer object's code.co_consts, and the names the lambda body references (the module and attribute used for the payload, for example) live in that nested object's own co_names. Because the sandbox never descends into nested code objects, a template that wraps the payload in a lambda passes the name check and is evaluated.
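The gap described above is easy to see in a few lines of Python. The following is an added illustration, not Tautulli's code: it models the allow-list check the advisory describes with two name-collection strategies, one that reads only the outer code object's co_names (the flawed approach) and one that also walks every nested code object found in co_consts. The allow-list, the template strings and the function names are constructed for the example.

```python
"""Added example: why inspecting only the outer code.co_names is not enough.

This is not Tautulli's code. It is a minimal allow-list eval() sandbox modelled
on the check the advisory describes, with a flawed and a hardened name walk.
Names, the allow-list and the sample templates are constructed for illustration.
"""
import types

# Constructed allow-list: the only names a template may reference.
ALLOWED = {"title": "Example Title", "year": 2024, "len": len, "str": str}


def outer_names(code):
    """Flawed check: names referenced by the outer code object only."""
    return set(code.co_names)


def all_names(code):
    """Hardened check: also walk nested code objects (lambdas, comprehensions,
    generator expressions) stored in co_consts, recursively."""
    names = set()
    stack = [code]
    while stack:
        c = stack.pop()
        names.update(c.co_names)
        stack.extend(k for k in c.co_consts if isinstance(k, types.CodeType))
    return names


def disallowed_names(expr, collect=all_names):
    """Return the names in expr that are not on the allow-list, as seen by the
    chosen collection strategy."""
    code = compile(expr, "<template>", "eval")
    return collect(code) - ALLOWED.keys()


def sandboxed_eval(expr, collect=all_names):
    """Reject any non-allow-listed name, then evaluate with no builtins."""
    bad = disallowed_names(expr, collect)
    if bad:
        raise NameError(f"use of {sorted(bad)} not allowed")
    code = compile(expr, "<template>", "eval")
    return eval(code, {"__builtins__": {}}, dict(ALLOWED))


# Constructed template expressions used for the demonstration.
BENIGN = "str(title) + ' (' + str(year) + ')'"
DIRECT = "os.system('id')"              # caught by either check
NESTED = "(lambda: os.system('id'))()"  # invisible to the outer-only check


def compare(expr):
    """Return (names seen by flawed check, names seen by hardened check)."""
    return disallowed_names(expr, outer_names), disallowed_names(expr, all_names)


if __name__ == "__main__":
    for expr in (BENIGN, DIRECT, NESTED):
        flawed, hardened = compare(expr)
        print(f"{expr!r}\n  outer co_names only: {sorted(flawed)}"
              f"\n  recursive walk:      {sorted(hardened)}")
    print(sandboxed_eval(BENIGN))
```

Running it shows that the direct `os.system('id')` template is flagged by both strategies, while the lambda-wrapped variant reports no disallowed names under the outer-only check and is only rejected once nested code objects are walked. Even the recursive walk is only a name filter: an eval()-based template engine remains a poor trust boundary, and the safer design is to avoid eval() on user-controlled text altogether.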

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the server where Tautulli is running.

Reproduction

To reproduce this vulnerability, enable the 'NOTIFY_TEXT_EVAL' feature in the Tautulli admin settings. Then configure a notification template containing a backtick-delimited expression that wraps the payload in a lambda, accesses the 'os' module and runs a command such as 'id'. Because the lambda body is a nested code object, the name check on the outer code object's co_names does not see the 'os' reference. Triggering a notification event evaluates the template, bypasses the sandbox, and executes the command on the server.

Remediation

Users are advised to update Tautulli to version 2.17.0 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 8:36 PM
Updated: Mar 30, 2026, 8:36 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 10.0
exploitability: 7.2
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.