Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fixed Arbitary Code Execution Bug in Konsave#2

Open
Anon-Artist wants to merge 1 commit into418sec:masterfrom
Anon-Artist:master
Open

Fixed Arbitary Code Execution Bug in Konsave#2
Anon-Artist wants to merge 1 commit into418sec:masterfrom
Anon-Artist:master

Conversation

@Anon-Artist
Copy link

@Anon-Artist Anon-Artist commented Mar 10, 2021

📊 Metadata *

konsave is a CLI program that will let you save and apply your KDE Plasma customizations with just one command , which is vulnerable to Arbitary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-pypi-Konsave

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Installation

pip install konsave

Copy conf.yaml to konsave directory

conf.yaml

payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""

Then run the command below

  • konsave -s test

This will create a profile along with it code execution will occur

POC

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix Arbitary Code Execution will never happen.

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://nvd.nist.gov/vuln/detail/CVE-2021-27213
https://snyk.io/vuln/SNYK-PYTHON-QLIB-1054635

@huntr-helper
Copy link

huntr-helper commented Mar 10, 2021

👋 Hello, @Prayag2. @Anon-Artist has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM

☎️ Need further support?

Come and join us on our community Discord!

@Prayag2 - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

huntr

@Anon-Artist
Copy link
Author

Anon-Artist commented Mar 18, 2021

@Prayag2 If you are interested on the fix please comment. 💯

@huntr-helper - LGTM

@Anon-Artist
Copy link
Author

Anon-Artist commented Apr 23, 2021
edited
Loading

Thanks @Prayag2 for fixing the bug yourself
https://github.com/Prayag2/konsave/blob/master/konsave/funcs.py#126
New version released 🍔
What you think @JamieSlome

Here is the changelog
https://github.com/Prayag2/konsave/blob/master/CHANGELOG.md

@Prayag2
Copy link

Prayag2 commented Apr 23, 2021

No, it is me who should thank you for letting me know about this vulnerability! Thank you so much!

@JamieSlome
Copy link

JamieSlome commented Apr 25, 2021

@Anon-Artist - thanks for the heads up! 👋

We will reward you for the disclosure bounty in this instance - great work all!

I have updated our database to reflect this valid vulnerability + the disclosure bounty reward.

Cheers! 🍰

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Anon-Artist @huntr-helper @Prayag2 @JamieSlome