ghsa-hjq6-52gw-2g7p
Vulnerability from github
Published
2024-04-10 17:07
Modified
2024-04-10 19:05
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
Details

Summary

The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables.

Support for output template expansion in --exec, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.

```cmd

yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q" [youtube] Extracting URL: https://youtu.be/42xO6rVqf2E [youtube] 42xO6rVqf2E: Downloading webpage [youtube] 42xO6rVqf2E: Downloading ios player API JSON [youtube] 42xO6rVqf2E: Downloading android player API JSON [youtube] 42xO6rVqf2E: Downloading m3u8 information [info] 42xO6rVqf2E: Downloading 1 format(s): 18 [download] Destination: %CMDCMDLINE:~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4 [download] 100% of 126.16KiB in 00:00:00 at 2.46MiB/s [Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe" "" pwned ```

Patches

yt-dlp version 2024.04.09 fixes this issue by properly escaping %. It replaces them with %%cd:~,%, a variable that expands to nothing, leaving only the leading percent.

Workarounds

It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.

For Windows users who are not able to upgrade: - Avoid using any output template expansion in --exec other than {} (filepath). - If expansion in --exec is needed, verify the fields you are using do not contain %, ", | or &. - Instead of using --exec, write the info json and load the fields from it instead.

Details

When escaping variables, the following code is used for Windows. yt_dlp/compat/__init__.py line 31-33 python def compat_shlex_quote(s): import re return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""') It replaces " with "" to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the %CMDCMDLINE% variable can be used to generate a quote using %CMDCMDLINE:~-1%; since the value of %CMDCMDLINE% is the commandline with which cmd.exe was called, and it is always called with the command surrounded by quotes, %CMDCMDLINE:~-1% expands to ". After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed: cmd %CMDCMDLINE:~-1%&calc.exe

References

  • https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
  • https://nvd.nist.gov/vuln/detail/CVE-2024-22423
  • https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
  • https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "yt-dlp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.04.11"
            },
            {
              "fixed": "2024.04.09"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:07:09Z",
    "nvd_published_at": "2024-04-09T18:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe [patch that addressed CVE-2023-40581](https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e) attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes.\nHowever, this escaping is not sufficient, and still allows expansion of environment variables.\n\nSupport for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version [2021.04.11](https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11).\n\n```cmd\n\u003e yt-dlp \"https://youtu.be/42xO6rVqf2E\" --ignore-config -f 18 --exec \"echo %(title)q\"\n[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E\n[youtube] 42xO6rVqf2E: Downloading webpage\n[youtube] 42xO6rVqf2E: Downloading ios player API JSON\n[youtube] 42xO6rVqf2E: Downloading android player API JSON\n[youtube] 42xO6rVqf2E: Downloading m3u8 information\n[info] 42xO6rVqf2E: Downloading 1 format(s): 18\n[download] Destination: %CMDCMDLINE\uff1a~-1%\u0026echo pwned\u0026calc.exe [42xO6rVqf2E].mp4\n[download] 100% of  126.16KiB in 00:00:00 at 2.46MiB/s\n[Exec] Executing command: echo \"%CMDCMDLINE:~-1%\u0026echo pwned\u0026calc.exe\"\n\"\"\npwned\n```\n\n### Patches\nyt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent.\n\n### Workarounds\nIt is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.\n\nFor Windows users who are not able to upgrade:\n- Avoid using any output template expansion in `--exec` other than `{}` (filepath).\n- If expansion in `--exec` is needed, verify the fields you are using do not contain `%`, `\"`, `|` or `\u0026`.\n- Instead of using `--exec`, write the info json and load the fields from it instead.\n\n### Details\nWhen escaping variables, the following code is used for Windows.\n[`yt_dlp/compat/__init__.py` line 31-33](https://github.com/yt-dlp/yt-dlp/blob/8e6e3651727b0b85764857fc6329fe5e0a3f00de/yt_dlp/compat/__init__.py#L31-L33)\n```python\n    def compat_shlex_quote(s):\n        import re\n        return s if re.match(r\u0027^[-_\\w./]+$\u0027, s) else s.replace(\u0027\"\u0027, \u0027\"\"\u0027).join(\u0027\"\"\u0027)\n```\nIt replaces `\"` with `\"\"` to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the `%CMDCMDLINE%` variable can be used to generate a quote using `%CMDCMDLINE:~-1%`; since the value of `%CMDCMDLINE%` is the commandline with which `cmd.exe` was called, and it is always called with the command surrounded by quotes, `%CMDCMDLINE:~-1%` expands to `\"`. After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:\n```cmd\n%CMDCMDLINE:~-1%\u0026calc.exe\n```\n\n### References\n- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-22423\n- https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09\n- https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a",
  "id": "GHSA-hjq6-52gw-2g7p",
  "modified": "2024-04-10T19:05:52Z",
  "published": "2024-04-10T17:07:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yt-dlp/yt-dlp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/123335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.