pyLoad Remote Code Execution Vulnerability via Unrestricted Reconnect Script Configuration

Vulnerability

A remote code execution vulnerability exists in pyLoad versions from 0.4.0 up to, but not including, 0.5.0b3.dev97. The issue arises in the `set_config_value()` API endpoint, where users holding the non-admin SETTINGS permission can modify configuration options without restriction. In particular, the `reconnect.script` option, which holds a file path that the thread manager's reconnect logic executes via `subprocess.run()`, can be set to any executable file on the system. This allows arbitrary code execution, because the only validation in `set_config_value()` is a hardcoded check for the `general.storage_folder` option; all other security-critical settings, including `reconnect.script`, can be modified freely. The vulnerability has been patched in pyLoad version 0.5.0b3.dev97.
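The check described above, shown side by side with a hardened version that gates every security-critical option behind admin rather than only `general.storage_folder`. This is an added example, not pyLoad's own code: the `User` and `Config` types, the permission flags and the `ADMIN_ONLY_OPTIONS` set are assumptions modelled on the advisory's description.

```python
"""Hardened option-permission check, modelled on the flaw described above.

Added example, not pyLoad's own code: the User/Config types, the permission
flags and the ADMIN_ONLY_OPTIONS set are assumptions. The vulnerable form
reproduces the described behaviour (only general.storage_folder is gated);
the hardened form gates every security-critical option behind admin.
"""
from dataclasses import dataclass, field

# Security-critical options a SETTINGS-only user must not be able to change.
# reconnect.script is a file path later passed to subprocess.run().
ADMIN_ONLY_OPTIONS = frozenset({
    "general.storage_folder",
    "reconnect.script",
    "reconnect.activated",  # assumption: gate enabling reconnect as well
})


@dataclass
class User:
    name: str
    is_admin: bool = False
    has_settings: bool = False  # the non-admin SETTINGS permission


@dataclass
class Config:
    values: dict = field(default_factory=dict)


def _require_settings(user):
    if not (user.is_admin or user.has_settings):
        raise PermissionError("SETTINGS permission required")


def set_config_value_vulnerable(cfg, user, section, option, value):
    """Pre-fix behaviour: a single hardcoded check for general.storage_folder."""
    _require_settings(user)
    if section == "general" and option == "storage_folder" and not user.is_admin:
        raise PermissionError("general.storage_folder is admin only")
    cfg.values[f"{section}.{option}"] = value  # reconnect.script slips through


def set_config_value_hardened(cfg, user, section, option, value):
    """Fixed behaviour: every option in ADMIN_ONLY_OPTIONS requires admin."""
    _require_settings(user)
    key = f"{section}.{option}"
    if key in ADMIN_ONLY_OPTIONS and not user.is_admin:
        raise PermissionError(f"{key} may only be changed by an admin")
    cfg.values[key] = value
```

A denylist keyed on the full `section.option` name is what the fix needs; a check on a single hardcoded option leaves every other executable-path or credential setting writable.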

Impact

Exploitation of this vulnerability allows for remote code execution on the server as the pyLoad process user. Additionally, it could lead to privilege escalation, as the SETTINGS permission is not expected to grant such capabilities. Furthermore, it allows for exposure of sensitive credentials and modification of critical network settings.

Reproduction

To reproduce this vulnerability, first authenticate as a user with SETTINGS permission and obtain a session cookie. Then, use the `set_config_value()` API endpoint to set the `reconnect.script` option to an executable file path. After that, enable the reconnect feature and set a timing window for execution. The arbitrary script will execute when the thread manager calls the `try_reconnect()` method, which includes the `subprocess.run(reconnect_script)` command that executes the attacker-controlled file path.

Remediation

Users are advised to update to pyLoad version 0.5.0b3.dev97 or later. For those unable to update, consider removing or restricting the SETTINGS permission for users who do not require it.

Added: Mar 24, 2026, 8:23 PM
Updated: Mar 24, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 10.0
exploitability: 4.2
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.