[issue41208] An exploitable segmentation fault in marshal module

Change by STINNER Victor : -- resolution: not a bug -> duplicate superseder: -> Pickle crashes unpickling invalid NEWOBJ_EX opcode ___ Python tracker ___

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: @serhiy.storchaka Thank you. Please find it here https://bugs.python.org/issue41288 . -- ___ Python tracker ___

[issue41208] An exploitable segmentation fault in marshal module

Serhiy Storchaka added the comment: Thank you. Indeed, it is a pickle specific crash. Please open a new issue and I'll provide a fix. -- ___ Python tracker ___

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: @serhiy.storchaka you name it, you have it. The following code generates a segfault on the Pickle module [it's a crafted datetime object] (Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2): import io import pickle

[issue41208] An exploitable segmentation fault in marshal module

Serhiy Storchaka added the comment: It depends. pickle is not vulnerable to the kind of error reported in this issue. If you find some way to crash Python specific to pickle it will likely be fixed if it is possible without significant performance or memory cost. If it depends on arbitrary

[issue41208] An exploitable segmentation fault in marshal module

Christian Heimes added the comment: Linux containers like Docker are not a security boundary. They are a merely a mechanism to package, deliver, and run software. Dan Walsh coined the phrase "Containers Don't Contain" a while ago. It's possible to tighten security of containers. This starts

[issue41208] An exploitable segmentation fault in marshal module

STINNER Victor added the comment: This bug tracker is not the right place to report issues of third party web services. I don't see anything wrong with Python according to Python Threat Model: https://python-security.readthedocs.io/security.html#python-security-model That's why pickle starts

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: There are many online Python interpreters, we can use this malicious file to escape their sandboxes and get control of their Docker container or system (and abuse them, for example, to conduct a DoS attack), as their fully trust that Python doesn't

[issue41208] An exploitable segmentation fault in marshal module

STINNER Victor added the comment: By design, it is trivial to run arbritrary Python code using pickle. There is no need to exploit a segfault for that. -- ___ Python tracker

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: Nevertheless, I have an exploitable crash for the Pickle module too right now, but as you're not interested, I didn't open an issue to share it. Thanks anyway. -- ___ Python tracker

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: Sure. Thank you. -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue41208] An exploitable segmentation fault in marshal module

Christian Heimes added the comment: That line in Ray Project is a potential arbitrary code execution vulnerability. If an attacker is able to inject a custom pickle stream, then they can easily take over the service. Please report the issue to the project. It might be a simple score of a

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: It's interesting that you would not count a critical segfault in Pickle as a threat, because there are numerous libraries that are Unpickling untrusted user data (even-though some of them are using RestrictedUnpickler to protect themselves but a segfault

[issue41208] An exploitable segmentation fault in marshal module

Serhiy Storchaka added the comment: In this particular case unmarshalling creates a tuple containing a reference to itself which is used as a key in a dict. Calculating a hash of such tuple leads to infinite recursion which overflows the programming stack. There is no efficient way to

[issue41208] An exploitable segmentation fault in marshal module

Christian Heimes added the comment: Yes, it's like pickle, but it is not like you think. The pickle module has a similar security disclaimer, https://docs.python.org/dev/library/pickle.html . We might agree to fix segfaults in unpickler code if the fix is simple and does not cause backwards

[issue41208] An exploitable segmentation fault in marshal module

Serhiy Storchaka added the comment: No, unlike to marshal the pickle format is a Turing-complete language. Just loading pickle data can cause to execution of arbitrary code. marshal is more "safe" in this regard -- in worst case you can just crash when load it. It may be interesting to make

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: I thought it's like Pickle. Then if we find an exploitable segfault just in Pickle, you would count it as a threat? -- ___ Python tracker

[issue41208] An exploitable segmentation fault in marshal module

Christian Heimes added the comment: Python's thread model is: If an attacker can create a malicious PYC file and feed it to a Python process, then they already have full code execution privileges. There is no need to exploit a segfault. Because the marshal module should only be used for PYC

[issue41208] An exploitable segmentation fault in marshal module

STINNER Victor added the comment: Python doesn't implement any protection against invalid PYC files to avoid any performance overhead at runtime. Maybe we can close this issue as WONTFIX. -- ___ Python tracker

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: What about patching that as a crash? -- ___ Python tracker ___ ___ Python-bugs-list mailing

[issue41208] An exploitable segmentation fault in marshal module

Iman Sharafodin added the comment: By using our proprietary fuzzer. I'm a cybersecurity researcher. -- ___ Python tracker ___ ___

[issue41208] An exploitable segmentation fault in marshal module

STINNER Victor added the comment: According to the Python Security Model, this issue is not security vulnerability: (*) https://python-security.readthedocs.io/security.html#python-security-model The marshal is not intended to be used to load untrusted code. That's why its documentation

[issue41208] An exploitable segmentation fault in marshal module

Serhiy Storchaka added the comment: How did you get this file? -- ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue41208] An exploitable segmentation fault in marshal module

Change by Antoine Pitrou : -- nosy: +serhiy.storchaka, vstinner ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue41208] An exploitable segmentation fault in marshal module

New submission from Iman Sharafodin : It seems that all versions of Python 3 are vulnerable to de-marshaling the attached file (Python file is included). I've tested on Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2. This is due to lack of proper