#Fickling's assessment
Fickling started emitting AST nodes for builtins imports in order to match them during analysis (https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf).
Fickling works by Pickle bytecode --> AST --> Security analysis However while going from bytecode to AST, some import nodes are removed which blinds the security analysis
fickling/fickling/fickle.py
def run(self, interpreter: Interpreter):
module, attr = self.module, self.attr
if module in ("__builtin__", "__builtins__", "builtins"):
# no need to emit an import for builtins!
pass
else:
alias = ast.alias(attr)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
interpreter.stack.append(ast.Name(attr, ast.Load()))
def encode(self) -> bytes:
return f"c{self.module}\n{self.attr}\n".encode()
Here we see that no import nodes are emitted for builtins However builtins is marked as an unsafe import
fickling/fickling/analysis.py
UNSAFE_MODULES = {
"__builtin__": "This module contains dangerous functions that can execute arbitrary code.",
"__builtins__": "This module contains dangerous functions that can execute arbitrary code.",
"builtins": "This module contains dangerous functions that can execute arbitrary code.",
But because there are no import nodes for builtins (they werent emitted when making the AST), the security scanner is effectively blind.
This can allow for security bypasses like this
poc.py (script to create payload)
import os
GLOBAL = b'c' # Import module.name
STRING = b'S' # Push string
TUPLE1 = b'\x85' # Build tuple of 1
TUPLE2 = b'\x86' # Build tuple of 2
EMPTY_TUPLE = b')'
REDUCE = b'R' # Call function
PUT = b'p' # Memoize (Variable assignment)
GET = b'g' # Load from memo (Variable usage)
POP = b'0'...
0.1.7Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.9/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P