DefinitionContainerUnpickler is Bypassable #802
Comments
Thanks for the analysis!
Something like this perhaps? 96e245d
Overview
We have a DefinitionContainerUnpickler to provide a safe way to deserialize. But the whitelist does not seem really safe and is basically bypassable.
How to Bypass (PoC)
It allows several classes here; it checks strictly, but there are still gadgets there:
Uranium/UM/Settings/DefinitionContainerUnpickler.py, lines 3 to 10 in 851c722
I found a gadget in UM.Settings.SettingFunction.SettingFunction. The first thing we need to know is that pickle is not only able to call a function, but can also set attributes on any object. So we can modify the _code attribute of a SettingFunction instance; then it will get compiled and eval'd without being checked by the ast checker (_SettingExpressionVisitor).
Uranium/UM/Settings/SettingFunction.py, lines 155 to 157 in 851c722
Here is a pseudocode for pickle:
I use my toy compiler to generate the pickle bytecode. The exploit should execute the Python code __import__('os').system('id').
PoC:
The bytecode is generated by the command:
python pickora.py -c "from UM.Settings.DefinitionContainer import DefinitionContainer; from UM.Settings.SettingFunction import SettingFunction; s = SettingFunction('1'); s._valid = True; s._code = '__import__(\"os\").system(\"id\")'; s(DefinitionContainer('dummy'))"
The Proper Way?
Check the safe_globals more strictly (?) Or, just for this case, maybe we should also check the _code attribute with _SettingExpressionVisitor in __setstate__.