CVE-2023-34237 - Remote Code Execution Vulnerability Found in SABnzbd

SABnzbd is an open source automated Usenet download tool that has been widely used due to its ease of use and rich feature set. However, a recent design flaw was discovered in its Notification Script functionality, which could potentially lead to remote code execution (RCE) if the application is exposed to untrusted networks and appropriate security measures are not implemented. This post will discuss the details of the vulnerability, provide code snippets of affected components, link to original references, and offer mitigation strategies.

Exploit Details

The design flaw discovered in SABnzbd essentially opens up the possibility for remote code execution when the parameters in the Notification Script functionality are manipulated. This can lead to an unauthenticated attacker executing arbitrary code on the server, having the same privileges as the SABnzbd process that runs on the user's system.

The vulnerability primarily affects instances of SABnzbd with web interfaces that are accessible without authentication. By default, SABnzbd is only accessible from localhost, and no authentication is required for the web interface. However, if users have unintentionally exposed their setup to the internet or other untrusted networks without setting a username and password, remote exploitation becomes a genuine risk.

The affected component within SABnzbd is found in the following file

/path/to/sabnzbd/sabnzbd/notification.py

The vulnerable code is as follows

def notify(script, msg, *kwargs):
    script_path = sabnzbd.DIR_SCRIPT + script
    ...
    subprocess.Popen(script_path + ' ' + msg, shell=True)

In this code, the script_path variable is created by concatenating the SABnzbd script directory and the user-provided script variable. The subprocess Popen function is then used to execute the script, enabling the potential for RCE if an attacker can manipulate the script variable.

Mitigation

SABnzbd developers have addressed this issue in commits e3a722 and 422b4f. These patches have been bundled into the 4..2 release, and users are advised to upgrade as soon as possible to protect against this vulnerability. The official release announcement and download page for SABnzbd 4..2 can be found at the following link:

https://sabnzbd.org/downloads

For users who may not be able to update immediately, it is crucial to ensure that their SABnzbd instance is not exposed to the internet or any untrusted networks. To harden the security of the web interface, users should set up a username and password for authentication. Detailed instructions on how to configure this can be found in the SABnzbd documentation:

https://sabnzbd.org/wiki/configuration/2.3/configure

Conclusion

This RCE vulnerability found in SABnzbd serves as a reminder of the importance of securing applications and their interfaces when accessible from any networks. It is encouraging that the developers have promptly addressed the issue and released a patched version for the user base to upgrade. It is up to the users to update their software and take necessary precautions to safeguard their systems.

Timeline

Published on: 06/07/2023 20:15:00 UTC
Last modified on: 06/22/2023 00:05:00 UTC