AI-Powered Cyberattacks: How to Detect, Prevent & Defend Against Intelligent Threats

Read Now
We utilize artificial intelligence for site translations, and while we strive for accuracy, they may not always be 100% precise. Your understanding is appreciated.

Analyzing the CVE-2023-33733 Vulnerability with MetaDefender Core

by OPSWAT
Share this Post
Lead security researchers discussing the CVE-2023-33733 vulnerability
OPSWAT Fellowship Program Participants

The rapid rise of technology has created a high demand for skilled developers. Open-source software (OSS) has become a vital tool for this growing workforce. Hundreds of thousands of well-established OSS packages now exist across various programming languages. Over 90% of developers leverage these open-source components within their proprietary applications, highlighting the efficiency and value proposition of OSS. Further emphasizing its importance, the global OSS market is expected to reach $80.7 billion by 2030, reflecting a projected growth rate of 16.7% annually. 

However, the widespread adoption of OSS also introduces a new layer of complexity: security vulnerabilities. The vast number of interconnected OSS components creates a broader attack surface for malicious actors to exploit. Managing dependencies across various OSS packages can be complex, making it difficult to identify and patch vulnerabilities promptly. Additionally, the security of OSS often relies on the vigilance and contributions of the developer community. This can lead to delays in patching vulnerabilities, especially for less popular projects.  

In this article, OPSWAT Graduate Fellows examine CVE-2023-33733, a security flaw discovered in the popular open-source library ReportLab. Their analysis is coupled with a simulated attack that leverages MetaDefender Core with its Software Bill of Materials (SBOM) capabilities to identify vulnerabilities in an application's dependencies, including the vulnerable ReportLab library. 

Reportlab Library Introduction

ReportLab illustration

ReportLab, a powerful and open-source Python library, empowers users to generate feature-rich PDFs from Python code. It offers developers a winning combination: flexibility, ease of use, and extensive customization options for creating dynamic documents. The library gives developer-enhanced control over their PDFs, allowing for the precise incorporation of text, images, tables, and charts with meticulous precision. This level of customization makes ReportLab a valuable tool for generating dynamic documents such as invoices and data-driven reports. 

CVE-2023-33733 Background

CVE-2023-33733 highlights a security vulnerability within the ReportLab library, impacting multiple versions of the ReportLab Library.

  • ReportLab versions prior to version 3.6.13 were found to be vulnerable to sandbox evasion, specifically within the 'rl_safe_eval' function. Exploitation was achieved through the color attribute of HTML tags, which was directly assessed as a Python expression using the eval() function, ultimately leading to remote code execution. 
  • NVD Analysts assigned a CVSS score of 7.8 HIGH to CVE-2023-33733. 
CVSS 3.x severity and metrics showing a base score of 7.8 for CVE-2023-33733, categorized as high risk.

Analysis of ReportLab Security Vulnerability

OPSWAT Graduate Fellows conducted a deep analysis of ReportLab workflow, identifying the root cause of the CVE-2023-33733 security vulnerability.

The ReportLab Library Workflow 

ReportLab empowers developers to create PDFs efficiently. The library allows for effortless integration: import the library, define the HTML content, and generate the PDF in a single line of code using the result function. 

Python code demonstrating the creation of a simple document template using the ReportLab library

Our graduate fellows uncovered a 5-step process for creating PDFs from HTML with ReportLab. 

Diagram illustrating the process flow from input HTML to output PDF using ReportLab and associated functions

Within the 5-step process for creating PDFs from HTML with ReportLab, three main processes stand out: paragraph processing, paraparser processing, and the HTML handling process. 

Screenshot of a debugging process highlighting the HTML handling, paragraph process, and paraparser process in a Python script

As illustrated in the figure above, the HTML handling process within ReportLab utilizes the eval() function specifically on color attribute. Serving as a focal point for executing malicious code, the eval() function prompts researchers to seek control over its input to exploit the application. However, this is challenging due to the sandbox enforced by the __rl_safe_eval__ function within ReportLab. 

Code snippet showing a safe evaluation function with checks for allowed methods and timeouts
Security Vulnerability in ReportLab Analysis 

ReportLab has implemented a sandbox called __rl_safe_eval__. This sandbox excludes all built-in Python functions and includes several overridden built-in functions. This restriction allows the execution of safe code within the library while preventing access to dangerous functions and libraries that could be used for malicious purposes (e.g. file system access, network communication). 

The rl_safe_eval sandbox function implements various conditions to ensure the invoked attribute is safe before using Python’s built-in getattr() function to retrieve it and return the result. 

Code example demonstrating a function that checks if method names are allowed within a security context

The safe eval function aims to secure the environment by excluding dangerous functions and preventing malicious actions. However, if a way is found to bypass its conditions and access a powerful built-in function, it could be exploited.  

Building on this idea, the security researchers attempted to bypass the restrictions. Initially, they exploited object injection using the type() function to construct an object and redefine its attributes and methods to circumvent the checks within __rl_safe_eval__. Furthermore, as the ReportLab library overrides built-in functions and makes them as globals into the eval context, the researcher could leverage this implementation to access one of the original built-in functions. This could  enable them to bypass the sandbox environment and execute malicious code. 

Code snippet demonstrating the redefinition of built-in functions

The payload is prepared as follows: 

Code example showing an attacker class and a global attribute exploitation

Nevertheless, executing a multiline expression within an eval context is not possible. However, a list comprehension trick can be employed, and the payload to exploit this CVE is as follows: 

Complex code structure illustrating the exploitation of CVE-2023-33733

ReportLab Exploitation Simulation 

Researchers have published a Proof of Concept (POC) for CVE-2023-33733, demonstrating that applications built with vulnerable versions of ReportLab could be susceptible to cyberattacks. To assess this potential threat, OSPWAT Graduate Fellows conducted a simulated attack on a web application. They leveraged MetaDefender Core with SBOM capabilities to identify the security vulnerabilities within the application software dependencies, including the presence of the affected ReportLab library. 

Simulate The Security Vulnerability 

To simulate this exploitation as a real-world scenario, OPSWAT Graduate Fellows developed a web application using Python and the vulnerable version of the ReportLab library. This application mimics a typical use case: users can upload an HTML file and convert it into a PDF file. 

Screenshot of a malicious file uploader interface prompting to browse a file for upload

An attacker could craft a malicious HTML file containing code designed to exploit CVE-2023-33733. This code could bypass the sandbox and compromise the web server by triggering a reverse shell through the eval() function.  

Code snippet showing a command injection attack in progress

A successful upload of malicious file would allow the attacker to take control of the application server due to the vulnerability in the outdated ReportLab library. 

Malicious file uploader displaying evil.html uploaded
Terminal displaying an active reverse shell

The Importance of SBOM and Proactive Security 

The OPSWAT Graduate Fellows' research on CVE-2023-33733 underscores the potential security risks associated with OSS. While OSS offers undeniable benefits in terms of development efficiency and cost-effectiveness, vulnerabilities like the one found in ReportLab can leave organizations exposed to cyberattacks. 

OPSWAT SBOM 

OPSWAT SBOM secures the software supply chain by providing a comprehensive component inventory for source code and containers. It supports 10+ languages, including Java, JavaScript, Go, PHP, and Python, over 5M+ third-party open-source software components, and utilizes a database of 17K+ vulnerabilities sourced from the National Vulnerability Database (NVD) and GitHub (GHSA). 

MetaDefender Core security dashboard displaying a blocked file and its vulnerability analysis

OPSWAT MetaDefender Core, with its integrated SBOM capabilities, empowers organizations to proactively address these risks. MetaDefender Core scans software applications and dependencies, identifying the presence of known vulnerabilities like CVE-2023-33733 within the listed components. This allows developers and security teams to prioritize patching efforts and mitigate security risks before they can be exploited. 

MetaDefender Core security dashboard showing detailed vulnerability scan results for CVE-2023-33733

Closing Thoughts

The OPSWAT Graduate Fellows' research on the ReportLab vulnerability (CVE-2023-33733) serves as a valuable reminder of the importance of proactive security measures in the software development lifecycle. By leveraging tools like OPSWAT MetaDefender Core, organizations can gain crucial insights into their software dependencies and identify potential vulnerabilities before they are exploited by attackers. 

Furthermore, OPSWAT offers a comprehensive suite of cybersecurity solutions that go beyond vulnerability scanning.  These solutions provide real-time threat detection, data security, and endpoint protection, safeguarding organizations from a wide range of cyber threats. By adopting a layered security approach that includes tools like MetaDefender Core, organizations can leverage the benefits of OSS while minimizing the associated security risks. 

Stay Up-to-Date With OPSWAT!

Sign up today to receive the latest company updates, stories, event info, and more.