Home page logo

oss-sec logo oss-sec mailing list archives

Re: Good news and bad news on Python sockets and pickle
From: gremlin () gremlin ru
Date: Sat, 19 Jul 2014 10:00:47 +0400

On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:

I looked for cases where pickle.loads is used on untrusted data,
the good news is didn't find many, the main two uses cases were
taking data from zeroMQ and memcached and then unpickling it,
looks like those would be compromised in any event if malicious
data got in there, let alone RCE type stuff.
So here is my question, is all pickle.loads from things like
memcached (which has no auth) generally CVE worthy? If so I can
post a list of the potentials, I'll be honest, I'm to lazy to
go digging through it (I'm not sure how many uses shared/public
memcached configs/etc.).

All these issues aren't related to pickle.loads - they are just the
ordinary use of untrusted data (which itself may worth a CVE).

Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]