Snyk • added 2026/02/20 6:24 p.m. • 2 views

Incomplete List of Disallowed Inputs

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the check_safety function. An attacker can trigger outbound TCP connections during deserialization by crafting malicious pick...

CVSS: 5 • AI score: 5.8
Exploits: 0 • References: 2
CNNVD • added 2026/01/10 12:00 a.m. • 2 views

Fickling code issue vulnerability

Fickling is an open source decompiler and static analyzer for Python by Trail of Bits. A code issue vulnerability exists in versions of Fickling prior to 0.1.7 that stems from not explicitly blocking the ctypes and pydoc modules, which could lead to remote code execution...

CVSS: 9.3 • AI score: 7.5 • EPSS: 0.00039
Exploits: 0 • References: 3
GitHub Security Blog • added 2026/01/09 10:29 p.m. • 10 views

Fickling vulnerable to detection bypass due to "builtins" blindness

Fickling's assessment: Fickling started emitting AST nodes for builtins imports in order to match them during analysis (https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf). Original report. Summary: Fickling works by Pickle bytecode -> AST -> Security analysis...

CVSS: 9.3 • AI score: 7.5 • EPSS: 0.00068
Exploits: 0 • References: 7 • Affected software: 1
Snyk • added 2026/01/09 8:52 p.m. • 3 views

Deserialization of Untrusted Data

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the runpy module. An attacker can execute arbitrary code by supplying a malicious pickle file that uses runpy.run_path or...

CVSS: 9.3 • AI score: 7.8 • EPSS: 0.00089
Exploits: 1 • References: 3