CVE-2024-27758
Remote Code Execution vulnerability in rpyc (PyPI)
What is CVE-2024-27758 About?
In RPyC before version 6.0.0, a remote attacker can achieve arbitrary code execution by crafting a class that leverages a server exposing a method calling `__array__` on a client-provided netref. This allows the attacker to execute code on the server. Exploitation requires the server to expose specific functionality and a carefully constructed client object.
Affected Software
- rpyc
  - >4.0.0, <6.0.0
  - <6.0.0
Technical Details
The vulnerability lies in how RPyC (Remote Python Call) handles attribute access on netref objects, in particular the `__array__` method. When an RPyC server exposes a method that takes a client's netref object as an argument and then calls something like `np.array(client_netref)` (which internally looks up `__array__` on its argument), a remote attacker can exploit this. The attacker can craft a custom class on the client side that, when passed to the server as a netref, carries a malicious `__array__` implementation. When the server accesses `__array__` on that netref, the attacker-supplied code runs in the server's context, resulting in remote code execution.
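A server-side guard for the pattern just described, added here as an illustration and not code from the rpyc project: an exposed method must not hand a client-supplied netref to `np.array()`, because the lookup of `__array__` alone is forwarded to the client's object. The guard accepts only plain by-value data and rebuilds it locally before any numeric work; `FakeNetref` is a constructed stand-in for an rpyc netref, and `safe_mean`, `probe_like_numpy` and `rejects` are hypothetical names.

```python
from typing import Any

class FakeNetref:
    """Constructed stand-in for an rpyc netref: every attribute lookup is
    forwarded to the peer (here only recorded), so probing __array__ alone
    already hands control to the client's object."""
    def __init__(self) -> None:
        self.lookups: list[str] = []

    def __getattr__(self, name: str) -> Any:
        self.lookups.append(name)  # a real netref would run remote code here
        raise AttributeError(name)

class UntrustedArgument(TypeError):
    """Raised when an exposed method receives something other than plain data."""

_SCALARS = (int, float)  # exact types only: bool, numpy scalars and proxies fail

def to_local_numbers(value: Any, depth: int = 0, max_depth: int = 3) -> Any:
    """Copy value into fresh local ints/floats/lists without touching any
    attribute on it; a netref or any other type raises UntrustedArgument."""
    if depth > max_depth:
        raise UntrustedArgument("nesting too deep")
    t = type(value)  # type(), not isinstance(): a proxy can mimic __class__
    if t in _SCALARS:
        return t(value)
    if t in (list, tuple):
        return [to_local_numbers(v, depth + 1, max_depth) for v in value]
    raise UntrustedArgument(f"refusing argument of type {t.__name__}")

def probe_like_numpy(values: Any) -> bool:
    """The vulnerable step: np.array() first looks up __array__ on its input,
    and on a netref that lookup travels to the client."""
    return hasattr(values, "__array__")

def safe_mean(values: Any) -> float:
    """Hardened exposed-method shape: validate, then compute on local data
    only (np.array(local) would likewise see nothing but plain objects)."""
    local = to_local_numbers(values)
    if not local or any(type(x) is list for x in local):
        raise UntrustedArgument("expected a non-empty 1-D sequence of numbers")
    return sum(local) / len(local)

def rejects(value: Any) -> bool:
    """True when the guard refuses value; handy for tests and audit logging."""
    try:
        to_local_numbers(value)
    except UntrustedArgument:
        return True
    return False
```

Note that the guard never reads an attribute of its argument, so a netref is refused without a single lookup reaching the client.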
What is the Impact of CVE-2024-27758?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the RPyC server process, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2024-27758?
Exploitation of this vulnerability is of moderate to high complexity. It requires the RPyC server to expose a method that accesses the `__array__` attribute of a client-provided netref. An attacker needs to craft a custom Python class with a malicious `__array__` implementation and pass it to the server as a netref. No explicit authentication or specific privileges are required beyond the ability to connect to the RPyC server and invoke the vulnerable method. This is a remote vulnerability. Special conditions include the server's specific usage pattern that triggers the `__array__` lookup on untrusted netrefs. Risk factors include RPyC servers that offer broad access to object methods or handle untrusted client objects without proper sandboxing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-27758?
Available Upgrade Options
- rpyc
  - <6.0.0 → Upgrade to 6.0.0
Additional Resources
- https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw
- https://github.com/pypa/advisory-database/tree/main/vulns/rpyc/PYSEC-2024-44.yaml
- https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911
- https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09
- https://github.com/tomerfiliba-org/rpyc/blob/5.3.1/rpyc/core/netref.py#L252-L255
- https://osv.dev/vulnerability/GHSA-h5cg-53g7-gqjw
- https://osv.dev/vulnerability/PYSEC-2024-44
What are Similar Vulnerabilities to CVE-2024-27758?
Similar Vulnerabilities: CVE-2023-29467, CVE-2022-21661, CVE-2021-27514, CVE-2020-10173, CVE-2019-11267
