
Security Fix for Arbitrary Code Execution - huntr.dev #1120

Open · wants to merge 4 commits into base: master
Conversation

huntr-helper

@d3m0n-r00t (https://huntr.dev/users/d3m0n-r00t) has fixed a potential Arbitrary Code Execution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/tensorlayer/1/README.md |

User Comments:

📊 Metadata *

Fixed Arbitrary code execution in tensorlayer

Bounty URL: https://www.huntr.dev/bounties/1-pip-tensorlayer

⚙️ Description *

TensorLayer is a novel TensorFlow-based deep learning and reinforcement learning library designed for researchers and engineers. It provides an extensive collection of customizable neural layers to build advanced AI models quickly. This package is vulnerable to Arbitrary Code Execution.

💻 Technical Description *

Use of eval() in eval_layer() function without escaping causes execution of system commands.

🐛 Proof of Concept (PoC) *

Install the dependencies first:

```sh
pip install tensorflow
pip install tensorlayer
```

Then, from Python, the `'class'` string reaches `eval()` unchanged, so a dotted path that walks from the module's own imports to `os` is resolved and called with the attacker-supplied `'args'`:

```python
from tensorlayer.files.utils import eval_layer

# 'class' is evaluated, then called with the remaining 'args' as keyword arguments
eval_layer({'class': 'utils.np.os.execvp', 'args': {'layer_type': 'normal', 'file': 'calc.exe', 'args': ['0']}})
```

OR

```python
from tensorlayer.files.utils import eval_layer

# same path, but ending in os.system(command='calc.exe')
eval_layer({'class': 'utils.np.os.system', 'args': {'layer_type': 'normal', 'command': 'calc.exe'}})
```

(screenshot attached: PoC run)

🔥 Proof of Fix (PoF) *

(two screenshots attached: the patched eval_layer() and the PoC failing against it)

Reference for the helper used in the fix: https://docs.python.org/3/library/ast.html#ast-helpers

👍 User Acceptance Testing (UAT)

As explained above, ast.literal_eval() can only be used on common strings and not complex expressions. So not sure how this will affect the package. However, it is safer for evaluating simple expressions.
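The eval() pattern the technical description refers to, beside an allowlist-based lookup, as an added example that is not TensorLayer's code: the layer classes, the stub `os`, `SANDBOX_NAMESPACE`, `CALLS` and the two specs are constructed stand-ins, and the function bodies are assumptions about the pattern rather than the project's real `eval_layer`. It also shows concretely why `ast.literal_eval()` (the helper referenced in the Proof of Fix) rejects both the attack string and a legitimate bare class name, which is the compatibility concern raised in the UAT note.

```python
"""Added example, not TensorLayer's own code.

It reproduces the pattern this PR describes: a layer spec dict whose 'class'
string is handed to eval() and the result called with the spec's 'args'.
The function bodies are assumptions about that pattern, not the project's
source; the layer classes, SANDBOX_NAMESPACE, CALLS and the specs are
constructed here so the demo runs offline without executing anything.
"""
import ast
import types


class Dense:  # stand-in for a real layer class (assumption)
    def __init__(self, n_units=100, act=None):
        self.n_units = n_units
        self.act = act


class Dropout:  # stand-in for a real layer class (assumption)
    def __init__(self, keep=0.5):
        self.keep = keep


CALLS = []  # commands the vulnerable path would have run


def _fake_system(command):
    """Recording stand-in for os.system so the demo has no side effects."""
    CALLS.append(command)
    return 0


# In the PoC the attacker reaches os through names the module already imports
# ('utils.np.os'); here a stub 'os' is placed in the namespace directly.
SANDBOX_NAMESPACE = {
    "Dense": Dense,
    "Dropout": Dropout,
    "os": types.SimpleNamespace(system=_fake_system),
}

# Constructed specs: the benign one mirrors the layer-spec format, the hostile
# one mirrors the PoC's os.system payload.
BENIGN_SPEC = {"class": "Dense", "args": {"layer_type": "normal", "n_units": 8}}
ATTACK_SPEC = {"class": "os.system",
               "args": {"layer_type": "normal", "command": "calc.exe"}}


def _split_args(spec):
    """Copy the 'args' dict and drop the routing key, leaving constructor kwargs."""
    args = dict(spec["args"])
    args.pop("layer_type", None)
    return args


def eval_layer_vulnerable(spec, namespace=SANDBOX_NAMESPACE):
    """eval() of an attacker-controlled string: any dotted name the namespace
    can reach is resolved and then *called* with attacker-controlled kwargs."""
    cls = eval(spec["class"], {"__builtins__": {}}, namespace)
    return cls(**_split_args(spec))


def literal_eval_accepts(text):
    """ast.literal_eval only parses literals; a bare or dotted name raises,
    which is why it cannot serve as a drop-in class lookup."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False


LAYER_REGISTRY = {"Dense": Dense, "Dropout": Dropout}  # explicit allowlist


def eval_layer_hardened(spec):
    """Look the class up in an allowlist instead of evaluating the string."""
    name = spec["class"]
    if name not in LAYER_REGISTRY:
        raise ValueError(f"unknown layer class {name!r}")
    return LAYER_REGISTRY[name](**_split_args(spec))


def hardened_rejects(spec):
    """True if the allowlisted lookup refuses the spec."""
    try:
        eval_layer_hardened(spec)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(type(eval_layer_vulnerable(BENIGN_SPEC)).__name__)             # Dense
    eval_layer_vulnerable(ATTACK_SPEC)
    print(CALLS)                                                         # ['calc.exe']
    print(literal_eval_accepts("os.system"), literal_eval_accepts("Dense"))  # False False
    print(hardened_rejects(ATTACK_SPEC), hardened_rejects(BENIGN_SPEC))  # True False
```

The registry approach keeps the spec format unchanged for callers while removing string evaluation entirely; a spec naming anything outside the allowlist fails closed with a ValueError rather than being resolved.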

@JamieSlome

JamieSlome commented Feb 19, 2021

@d3m0n-r00t @Laicheng0830 - relates to #1116 and 418sec/huntr#1791.

Thanks! 🍰

@JamieSlome

@Laicheng0830, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge.svg)](https://huntr.dev)


@Laicheng0830 Laicheng0830 self-requested a review February 23, 2021 00:47
@Laicheng0830 Laicheng0830 self-requested a review February 23, 2021 03:29