Critical flaw in AI agent dev software Langflow under active exploitation

Missing authentication on dangerous API endpoint

The flaw is fairly simple and stems from the fact that one API endpoint called /api/v1/validate/code had missing authentication checks and passed code to the Python exec function. However, it didn’t run exec directly on functions, but on function definitions, which make functions available for execution but don’t execute their code.

Because of this, the Horizon3.ai researchers had to come up with an alternative exploitation method leveraging a Python feature called decorators, which “are functions that return functions that wrap other functions.”

The proof-of-concept published by Horizon3.ai on April 9 leverages decorators to achieve remote code execution, but the researchers note that a third-party researcher also achieved the same by abusing another feature of Python functions called default arguments.
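The following is an added example, not code from the article, Horizon3.ai or Langflow. It is a simplified model of a validator that runs exec on function definitions only, showing that decorator and default-argument expressions are still evaluated at definition time, next to a static check that parses without executing. The names `SAMPLE`, `record`, `definition_time_effects` and `definition_time_expressions` are hypothetical.

```python
import ast

# Constructed sample: a definition whose decorator and default argument are
# ordinary expressions. The function f itself is never called.
SAMPLE = '''
@record("decorator")
def f(x=record("default")):
    return x
'''

def definition_time_effects(source):
    """Exec only the function definitions (simplified model of the behaviour
    the article describes) and return which expressions ran anyway."""
    ran = []

    def record(label):          # harmless stand-in for arbitrary code
        ran.append(label)
        return lambda fn: fn    # valid as a decorator and as a default value

    tree = ast.parse(source)
    defs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
    module = ast.Module(body=defs, type_ignores=[])
    exec(compile(module, "<sample>", "exec"), {"record": record})
    return ran

def definition_time_expressions(source):
    """Static alternative: parse without executing and list every decorator
    and default-argument expression a def statement would evaluate."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            args = node.args
            exprs = list(node.decorator_list) + list(args.defaults)
            exprs += [d for d in args.kw_defaults if d is not None]
            found += [(node.name, ast.unparse(e)) for e in exprs]
    return found

if __name__ == "__main__":
    print("ran during exec of the def:", definition_time_effects(SAMPLE))
    print("flagged by static parse:  ", definition_time_expressions(SAMPLE))
```

A validator that only needs to confirm that submitted code parses can stop at `ast.parse`; anything that reaches `exec` should sit behind authentication and a sandbox.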
