Code execution vulnerability discovered in ReportLab Python library

Target Industry

Indiscriminate, opportunistic attacks.

Overview

An independent researcher has discovered a remote code execution bug in ReportLab, a Python library for creating Adobe PDF documents. The library was exploited before, back in 2019, when it was discovered that code execution was possible through the colour attribute of HTML tags.

Expressions that the library evaluates are first checked by the ‘__rl_is_allowed_name__’ function, but a class constructed in a particular way bypasses this check and allows arbitrary code to be executed unchecked.

A proof-of-concept (PoC) has demonstrated that the vulnerability poses a real threat, as it could serve as an initial access point for an attack. The vulnerability is being tracked and has been reported to ReportLab’s developers, who deployed a patch on 27th April 2023 to prevent its exploitation.

Impact

If this vulnerability is successfully exploited, it would allow threat actors to execute malicious code on the affected system, which could then be used for further exploitation, such as deploying malware or installing a backdoor.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats, including ransomware, that exploit remote code execution vulnerabilities. EDRs can alert system users to potential breaches and block further progress before malware is able to cause significant damage.

Affected Products

Programmes using ReportLab.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented, which allows potential attacks from a wide range of threats to be prevented or mitigated in real time.

All devices should have the most recent vendor updates applied, as these contain security fixes that help prevent exploitation by known threats.

Use of external libraries should be limited, and any in use should be reviewed regularly to ensure that programmes are not made vulnerable by errors in the libraries themselves.
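The two practical responses to this bulletin are the ones above: make sure the ReportLab version in use is no older than the vendor's April 2023 fix, and keep untrusted text out of the markup that the library evaluates (the colour attribute mentioned in the Overview is one such markup attribute). The script below is an added example, not ReportLab's code or part of this bulletin. It assumes that the patch released on 27th April 2023 shipped as ReportLab version 3.6.13 (verify this against the vendor changelog before relying on it), and the requirements file it scans is a constructed sample. It runs without ReportLab installed.

```python
"""Defensive checks for applications that depend on ReportLab (added example).

1. Flag pinned ReportLab versions in a requirements file that predate the fix.
2. Escape untrusted text, and allow-list the colour value, before building
   ReportLab paragraph markup such as <font color="...">...</font>, so that
   user-supplied content cannot introduce tags or attribute expressions.
"""
import re
from xml.sax.saxutils import escape, quoteattr

# ASSUMPTION: the vendor patch of 27 April 2023 corresponds to ReportLab 3.6.13.
# Check the ReportLab changelog and adjust this constant if it differs.
FIXED_VERSION = (3, 6, 13)

# Matches "reportlab==X.Y.Z" pins, case-insensitively, one per line.
_PIN_RE = re.compile(r"^[ \t]*reportlab[ \t]*==[ \t]*([0-9][0-9A-Za-z.]*)",
                     re.IGNORECASE | re.MULTILINE)

# Constructed sample requirements.txt (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
Pillow==9.5.0
reportlab==3.6.12
requests==2.31.0
"""


def parse_version(text):
    """Turn '3.6.12' into (3, 6, 12); non-numeric trailing parts are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_vulnerable_pins(requirements_text):
    """Return every pinned ReportLab version in the file that is older than the fix."""
    flagged = []
    for m in _PIN_RE.finditer(requirements_text):
        version = m.group(1)
        if parse_version(version) < FIXED_VERSION:
            flagged.append(version)
    return flagged


# Allow-list for the colour attribute: a literal #rrggbb value or a few plain names.
_HEX_COLOR_RE = re.compile(r"#[0-9a-fA-F]{6}")
_ALLOWED_COLOR_NAMES = {"black", "white", "red", "green", "blue", "grey"}


def colored_paragraph(untrusted_text, color):
    """Build <font color=...> markup with the untrusted text rendered literally.

    escape() neutralises '&', '<' and '>' so the text cannot open a tag, and the
    colour is only accepted if it matches the allow-list, so no expression can
    reach the attribute that the library evaluates.
    """
    if not (_HEX_COLOR_RE.fullmatch(color) or color in _ALLOWED_COLOR_NAMES):
        raise ValueError("colour must be #rrggbb or one of the allowed colour names")
    return f"<font color={quoteattr(color)}>{escape(untrusted_text)}</font>"


if __name__ == "__main__":
    for version in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"reportlab=={version} predates the fixed version; upgrade required")
    print(colored_paragraph("<b>user input</b> & more", "#ff0000"))
```

Run as a script, it reports the outdated pin in the constructed requirements file and prints a safely escaped paragraph. In an application, `find_vulnerable_pins` belongs in CI over the real lock file, and any function that builds Paragraph markup from user data should go through an escaping wrapper like `colored_paragraph` rather than string concatenation.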

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Remote code execution (RCE) attacks have remained popular for a long time because of their effectiveness and abundance: vulnerable programmes commonly contain insecure classes and functions that allow direct execution of code. Their effectiveness stems from the wide range of forms they can take and from the ability to directly manipulate a system through a vulnerable programme, commonly without first compromising the victim’s network.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Initial Access

T0819 – Exploit Public-Facing Application

T0862 – Supply Chain Compromise

Further Information

Code Injection Vulnerability In ReportLab Python Library