Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

FIX Arbitrary Code Execution in - dnsrobortcert#1

Open
b1nslashsh wants to merge 1 commit into
418sec:masterfrom
b1nslashsh:patch-1
Open

FIX Arbitrary Code Execution in - dnsrobortcert#1
b1nslashsh wants to merge 1 commit into
418sec:masterfrom
b1nslashsh:patch-1

Conversation

@b1nslashsh
Copy link
Copy Markdown

@b1nslashsh b1nslashsh commented Feb 9, 2021
edited
Loading

📊 Metadata *

DNSroboCert is designed to manage Let's Encrypt SSL certificates based on DNS challenges which is vulnerable to Arbitrary Code Execution.

Bounty URL:

https://www.huntr.dev/bounties/1-pip-dnsrobocert

⚙️ Description *

changeing Fullloader to Safeloader in config.py will fix this issue

💻 Technical Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

🐛 Proof of Concept (PoC) *

Installation

pip install dnsrobocert
Run exploit.py

import os
#os.system('pip install dnsrobocert')
from dnsrobocert.core import config
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(exploit)
config.load('config.yml')

python3 exploit.py
The calc will poo

🔥 Proof of Fix (PoF) *

The Arbitrary code Execution has fixed👍

👍 User Acceptance Testing (UAT)

Yaml load working perfectly after FiX ,👍

🔗 Relates to...

https://www.huntr.dev/bounties/1-pip-dnsrobocert

@huntr-helper
Copy link
Copy Markdown

huntr-helper commented Feb 9, 2021

👋 Hello, @adferrand - @b1nslashsh has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@adferrand & @b1nslashsh - thank you for your efforts in securing the world’s open source code! 🎉

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Feb 9, 2021
Added fix submission to FixSubmissionCount for 418sec/dnsrobocert#1
cb37b77
@b1nslashsh
Copy link
Copy Markdown
Author

b1nslashsh commented Feb 22, 2021
edited
Loading

hey @adferrand any update on this?

regards,
muhaimin

@adferrand
Copy link
Copy Markdown

adferrand commented Feb 22, 2021

Sorry I am on holidays for now, I will look at it next week.

@b1nslashsh
Copy link
Copy Markdown
Author

b1nslashsh commented Mar 8, 2021

Sorry I am on holidays for now, I will look at it next week.

thats great 👍🏻

@b1nslashsh
Copy link
Copy Markdown
Author

b1nslashsh commented Apr 12, 2021

Sorry I am on holidays for now, I will look at it next week.

Hey @adferrand ,
hope you are doing well
Any updates on this sorry for disturbing you

Regrads muhaimin

@Anon-Artist
Copy link
Copy Markdown

Anon-Artist commented Apr 28, 2021

Hi @adferrand hope you are doing well
Have you considered this issue,
I saw a new release on your repo and the new release is also vulnerable to the same bug

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@b1nslashsh @huntr-helper @adferrand @Anon-Artist