CVE-2023-24816
Command Injection vulnerability in ipython (PyPI)

Command Injection | No known exploit

What is CVE-2023-24816 About?

This vulnerability in IPython versions prior to 8.10.0 allows for command injection within the `set_term_title` function under specific conditions. Attackers can execute arbitrary commands by manipulating directory names if `ctypes` is unavailable and the user is tricked into changing directories into a malicious path. The impact is arbitrary command execution.

Affected Software

ipython <8.10.0

Technical Details

The vulnerability lies in IPython's `set_term_title` function and is reachable only when IPython runs on Windows and the `ctypes` library is unavailable. In this specific scenario, a vulnerable code path is activated where the function constructs a terminal title using current directory names without proper sanitization. If an attacker can control directory names (e.g., by creating malicious directory names) and then convince a user to navigate (`cd`) into such a directory within an affected IPython session, the unsanitized directory name can be injected into a command executed by `set_term_title`. This allows for arbitrary command execution on the victim's system in the context of the IPython user.

What is the Impact of CVE-2023-24816?

Successful exploitation may allow attackers to execute arbitrary commands on the victim's system, leading to full system compromise, data theft, or further malicious activity.

What is the Exploitability of CVE-2023-24816?

Exploitation of this command injection vulnerability is specific and conditional. It requires the victim to be running an affected IPython version on Windows, and crucially, the `ctypes` library must not be available in their Python environment. An attacker needs to control directory names on the victim's system and then socially engineer or trick the victim into using `cd` to navigate into a directory with a malicious name within IPython. The complexity is high due to these multiple prerequisites. It implies local access or an existing compromise to place malicious directories, or a social engineering vector to make a user download or create them. No authentication to IPython itself beyond running it is required. The risk is significantly lower if `ctypes` is present, which effectively neutralizes the vulnerable code path.
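A triage check for the three preconditions above (IPython before 8.10.0, Windows, `ctypes` not importable), added here as an example; it is not part of the advisory or of IPython. The function names and the conservative treatment of 8.10.0 pre-releases as unfixed are assumptions.

```python
import re
import sys
from importlib import metadata

FIXED = (8, 10, 0)  # first fixed IPython release named on this page


def parse_release(version):
    """Split a version string into a 3-part numeric tuple and a pre-release flag."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = (tuple(int(p) for p in m.group(1).split(".")) + (0, 0))[:3]
    pre = bool(re.match(r"[-_.]?(a|b|rc|dev|pre)", m.group(2), re.I))
    return nums, pre


def assess(version, platform, ctypes_available):
    """Evaluate the three preconditions listed above for one environment."""
    nums, pre = parse_release(version)
    checks = {
        # Assumption: pre-releases of 8.10.0 are treated as unfixed (conservative).
        "ipython_before_fix": nums < FIXED or (nums == FIXED and pre),
        "windows": platform.startswith("win"),  # sys.platform is "win32" on Windows
        "ctypes_missing": not ctypes_available,
    }
    checks["exposed"] = all(checks.values())
    return checks


def assess_current_environment():
    """Run the check against this interpreter; None if IPython is not installed."""
    try:
        version = metadata.version("ipython")
    except metadata.PackageNotFoundError:
        return None
    try:
        import ctypes  # noqa: F401  (fails if the _ctypes extension is absent)
        has_ctypes = True
    except ImportError:
        has_ctypes = False
    return assess(version, sys.platform, has_ctypes)


if __name__ == "__main__":
    print(assess_current_environment())
```

An environment is reported as `exposed` only when all three conditions hold; upgrading to 8.10.0 clears the first one regardless of the other two.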

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-24816?

Available Upgrade Options

  • ipython
    • <8.10.0 → Upgrade to 8.10.0

Additional Resources

What are Similar Vulnerabilities to CVE-2023-24816?

Similar Vulnerabilities: CVE-2022-4148, CVE-2022-42921, CVE-2022-41850, CVE-2022-39294, CVE-2022-36067