New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Arbitrary Code Execution in Microsoft/qlib #1329
Conversation
|
@B3EF this seems like an issue in a known vulnerable dependency of the project, rather than a vulnerability in the project itself. Closing for now, but please let me know if you feel differently. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @mzfr , |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@B3EF This is not an issue with the qlib but instead the dependency used in that project i.e pyyaml[1] & ruamel[2].
Also you can see that the exploit that you are passing is getting loaded by the
yamlpackage here.So pyyaml is the real culprit behind this issue.
I think @B3EF is right
All the deserialization bugs occurs because the deserializer used allows, when user-input is supplied and not checked, to run malicious code. The pyyaml library for example allows to use the safe_load function which is better to handle user input of this type.
In this case the fault isn't of the deserialization library, which can handle every input with load but of the projects who's not using the safe_load alternative. It could be possible also restrict through a overriding class in case some attributes (malicious) need to be handled by the qlib library.
Cheers,
Mik
Description
Arbitrary Code Excecution in microsoft/qlib.
Qlib is an AI-oriented quantitative investment platform, which aims to realize the potential, empower the research, and create the value of AI technologies in quantitative investment.
Technical Description
This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load() in yaml
Exploit code
Python File
POC
code execution
README.mdandvulnerability.jsonfiles