WARNING: THIS SITE IS A MIRROR OF GITHUB.COM / IT CANNOT LOGIN OR REGISTER ACCOUNTS / THE CONTENTS ARE PROVIDED AS-IS / THIS SITE ASSUMES NO RESPONSIBILITY FOR ANY DISPLAYED CONTENT OR LINKS / IF YOU FOUND SOMETHING MAY NOT GOOD FOR EVERYONE, CONTACT ADMIN AT ilovescratch@foxmail.com
Skip to content

Code injection via pickle module #137

New issue
New issue
Open
Open
Code injection via pickle module#137
@partywavesec

Description

@partywavesec
partywavesec
opened on Jan 28, 2025

It's possible to inject code via pickle module by using artifacts from older python2 release.

How to reproduce

  1. Create the payload using pickle
  2. Use module with unsafe load combined with user input, such as medpy_intensity_range_standardization.py
  3. The standard execution will crash probably at the next operations but the injection is triggered at load time

Impact

Code execution and command injection

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions