(CVE-2024-50636) Arbitrary Code Execution in PyMOL

"This function works as it intended" - Some developers.


The content on this blog is published for educational and informational purposes only. I am sharing my analysis and research to help others learn about cybersecurity threats and defensive techniques.

Today we will talk about arbitrary code execution (ACE) in a legacy molecular visualization tool, used mostly by biologists, biochemists and other scientists.

GitHub repo - https://github.com/schrodinger/pymol-open-source

Official website - https://pymol.org/

This post will be short, since this is a low-hanging-fruit ACE. The methodology used to find the vulnerability is Git dorking: it is basically Google dorking, but with GitHub's code search instead of Google. Each programming language has its own ways of executing code (the functions and modules that turn data into running code), so you have to research the relevant sinks for the language of the project you are looking at.

However, here are a few quick Git dorking search queries that I think make sense. Credit to Dub-flow.

Just like that
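The dorking idea above, as an added example of mine (not the queries credited to Dub-flow, and not code from this post): a small scanner that greps a code base for the code-execution sinks of each language, which is the same thing a GitHub dork does remotely. The sink table, the sample sources and the file names are constructed for the demo; `github_dork` only shows the shape of the equivalent GitHub code-search query (`language:` qualifier plus a quoted literal).

```python
import re
from dataclasses import dataclass

# Per-language code-execution sinks (label, regex). Illustrative, not exhaustive:
# the goal is to surface candidates for manual review, not to prove a bug.
SINKS = {
    "python": [
        ("builtin exec/eval/compile", re.compile(r"\b(exec|eval|compile)\s*\(")),
        ("os.system", re.compile(r"\bos\.system\s*\(")),
        ("subprocess", re.compile(r"\bsubprocess\.(Popen|call|run|check_output)\s*\(")),
        ("runpy.run_path", re.compile(r"\brunpy\.run_path\s*\(")),
        ("pickle.load", re.compile(r"\bpickle\.loads?\s*\(")),
    ],
    "javascript": [
        ("eval", re.compile(r"\beval\s*\(")),
        ("Function constructor", re.compile(r"\bnew\s+Function\s*\(")),
        ("child_process", re.compile(r"\bchild_process\b")),
    ],
    "php": [
        ("eval/system family", re.compile(r"\b(eval|system|shell_exec|passthru|popen)\s*\(")),
    ],
}

EXT_TO_LANG = {".py": "python", ".pym": "python", ".js": "javascript", ".php": "php"}


@dataclass
class Finding:
    path: str
    line_no: int
    language: str
    sink: str
    text: str


def language_of(path):
    for ext, lang in EXT_TO_LANG.items():
        if path.endswith(ext):
            return lang
    return None


def find_sinks(sources):
    """sources: {path: file_text}. Returns one Finding per (line, sink) match."""
    findings = []
    for path, text in sources.items():
        lang = language_of(path)
        if lang is None:
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith(("#", "//")):  # skip obvious comment-only lines
                continue
            for label, pattern in SINKS[lang]:
                if pattern.search(line):
                    findings.append(Finding(path, line_no, lang, label, stripped))
    return findings


def github_dork(language, needle):
    """Shape of the equivalent GitHub code-search query for one sink."""
    return f'language:{language} "{needle}"'


# Constructed sample sources, modelled on how a "run script" feature tends to look.
SAMPLES = {
    "viewer/run_script.py": (
        "import runpy\n"
        "def run_script(path):\n"
        "    # no prompt, no boundary check: whatever is in the file runs as the user\n"
        "    if path.endswith(('.py', '.pym')):\n"
        "        runpy.run_path(path)\n"
        "    else:\n"
        "        exec(open(path).read())\n"
    ),
    "web/static/app.js": "const fn = new Function(body);\n// eval(x) is commented out\n",
    "docs/README.md": "Use exec() carefully.\n",
}

if __name__ == "__main__":
    for f in find_sinks(SAMPLES):
        print(f"{f.path}:{f.line_no} [{f.language}] {f.sink}: {f.text}")
        print("   dork:", github_dork(f.language, f.text.split("(")[0] + "("))
```

Every hit is a place where file contents or user input turn into running code; the next step is to trace whether anything untrusted can reach it, which for a "Run Script" menu item is a one-line answer.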

Installation

I recommend installing PyMOL with a single Linux command:

Linux terminal:

Exploitation

To run it, type:

Linux terminal:

PyMOL tested on Ubuntu 22.04.5 LTS

Now go to File > Run Script. Normally, to run a script you need a file with the .pym extension; however, a plain .py file is also accepted.

Run Script function

Knowing that the application runs Python scripts, I decided to try a Python reverse shell script, since this is a Python tool. Make sure a listener is waiting first: nc -lvnp 4443

Python reverse shell script

And... easy peasy lemon squeezy: an ACE vulnerability.

Reverse shell terminal

I understand that the function works as intended. However, in a secure design context, neutralization is required whenever data crosses a trust boundary. For PyMOL, that boundary lies between a file on the user's local system (which may have been downloaded or received from someone else and may be malicious) and the Python interpreter, which runs the file with the user's full privileges.

As for a mitigation, I believe the application should warn the user that loading this file is equivalent to executing an unknown program on their device.
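To make both halves of this concrete, here is an added example of mine (not PyMOL's code, and not the script in the screenshot above): a benign stand-in for the reverse-shell payload that only records whose privileges it runs with, an unchecked loader that mirrors what Run Script does, and a loader that shows the warning proposed above before executing anything. `confirm` is a hypothetical callback standing in for a GUI dialog; the file names and the `POC_OUT` environment variable are constructed for the demo.

```python
import hashlib
import os
import runpy
import tempfile

# Extensions the Run Script feature accepts for Python files, per the post.
SCRIPT_EXTENSIONS = (".py", ".pym")

# Constructed proof-of-concept payload: a benign stand-in for a reverse shell.
# If it runs, it reports the user, working directory, interpreter and host it
# executes under, which is exactly what a reverse shell would hand an attacker.
POC_SCRIPT = '''
import getpass, os, platform, sys
try:
    user = getpass.getuser()
except Exception:
    user = str(os.getuid())
report = {
    "user": user,
    "cwd": os.getcwd(),
    "interpreter": sys.executable,
    "host": platform.node(),
}
with open(os.environ["POC_OUT"], "w") as fh:
    for k, v in report.items():
        fh.write(f"{k}={v}\\n")
'''


def is_python_script(path):
    return path.endswith(SCRIPT_EXTENSIONS)


def run_script_unchecked(path):
    """What the post describes: a file chosen via Run Script is executed as-is."""
    runpy.run_path(path, run_name="__main__")
    return True


def run_script_with_warning(path, confirm):
    """Hardened variant: say plainly what is about to happen and require consent.
    confirm(message) -> bool is a hypothetical hook for a GUI dialog."""
    if not is_python_script(path):
        raise ValueError(f"not a Python script: {path}")
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    message = (
        f"Running {os.path.basename(path)} executes arbitrary Python code with "
        f"your privileges, exactly like launching an unknown program.\n"
        f"SHA-256: {digest}\n"
        f"Only continue if you trust where this file came from."
    )
    if not confirm(message):
        return False  # user declined: nothing from the file runs
    runpy.run_path(path, run_name="__main__")
    return True


def demo(confirm):
    """Write the PoC to a temp file, run it through the gate, return (executed, report_lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "innocent_looking.pym")
        out = os.path.join(tmp, "poc.out")
        with open(script, "w") as fh:
            fh.write(POC_SCRIPT)
        os.environ["POC_OUT"] = out  # constructed channel for the PoC's report
        executed = run_script_with_warning(script, confirm)
        lines = open(out).read().splitlines() if os.path.exists(out) else []
        return executed, lines


if __name__ == "__main__":
    print(demo(lambda msg: False))  # user declines: nothing runs, no report
    print(demo(lambda msg: True))   # user accepts: payload runs, report written
```

The warning does not make the feature safe in any technical sense; the interpreter still runs whatever is in the file. What it does is move the decision to the person who knows where the file came from, and the hash gives them something to compare against a known-good copy before saying yes.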

Conclusion

I reported this to the vendor, but their response was that they see it as working as intended. This is not the first time I have experienced this. So, as always, I went to MITRE for help, and just like that.
