
Remote code execution via specially crafted settings

Moderate
Safihre published GHSA-9x87-96gg-33w2 Aug 1, 2020

Package

SABnzbd

Affected versions

2.0.0RC1 - 2.3.9 (non-Windows only)

Patched versions

> 3.0.0Beta4

Description

A vulnerability was discovered in SABnzbd that could allow remote code execution. The isFAT() function in checkdir.py did not properly validate its input, so a specially crafted Completed Download Folder setting could lead to code execution with the privileges of the SABnzbd process.

The vulnerability was discovered and disclosed by Michael Anastasakis. Further investigation by the SABnzbd Team revealed a similar issue with the Nice and IONice Parameters settings.
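The bug class described above, as an added illustration that is not SABnzbd's own code (the project's real isFAT() and parameter handling are not reproduced here): a setting value spliced into a shell command string, beside a hardened form that hands the value to the child process as a single argv element with no shell and restricts the Nice/IONice parameter strings to an allowlisted character set. The names df_argv, is_fat, validate_priority_params and build_launch_argv, the FAT type list and the sample command are assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical reconstruction of the bug class, not SABnzbd's actual code:
# a folder setting is formatted into a shell command string. Run with a
# shell, any metacharacter the user typed into the setting is interpreted.
def df_command_unsafe(folder: str) -> str:
    return 'df -T "%s"' % folder          # would be executed via shell=True

# Hardened: the path is one argv element and no shell is involved, so
# metacharacters in `folder` reach df only as literal bytes of a file name.
def df_argv(folder: str) -> list:
    return ["df", "-T", folder]

def is_fat(folder: str) -> bool:
    """True if `folder` is on a FAT-family filesystem (hypothetical helper)."""
    try:
        out = subprocess.run(df_argv(folder), capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:             # df not installed on this host
        return False
    lines = out.splitlines()
    if len(lines) < 2:                    # header plus one data row expected
        return False
    fields = lines[1].split()             # Filesystem Type 1K-blocks ...
    fstype = fields[1] if len(fields) > 1 else ""
    return fstype.lower() in ("vfat", "fat", "fat32", "msdos", "exfat")

# Nice/IONice parameters are user-supplied argument strings that get
# prepended to an external command. Accept only a conservative character
# set and split with shlex, so each token becomes its own argv element.
_PARAM_RE = re.compile(r"^[A-Za-z0-9 ._=-]*$")

def validate_priority_params(value: str) -> list:
    """Return the argv fragment for a nice/ionice setting or raise ValueError."""
    if not _PARAM_RE.fullmatch(value):
        raise ValueError("disallowed characters in parameter string: %r" % value)
    return shlex.split(value)

def build_launch_argv(nice_params: str, ionice_params: str, command: list) -> list:
    """Wrap `command` (a constructed argv list) with validated ionice/nice prefixes."""
    argv = []
    if ionice_params:
        argv += ["ionice"] + validate_priority_params(ionice_params)
    if nice_params:
        argv += ["nice"] + validate_priority_params(nice_params)
    return argv + list(command)
```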

Impact

Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from localhost, with no authentication required for the web interface.

Note: Windows is not affected, nor are setups (regardless of operating system) that have their Config pages locked down by the special config_lock option.

Patches

Patched in dfcba6e and 73d3f7b. These were released as part of SABnzbd 3.0.0.

Workarounds

Set a username and password to prevent unauthorized access to the web interface and/or update to a fixed version.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2020-13124

Weaknesses

No CWEs