generated from C4T-BuT-S4D/ad-boilerplate
Showing 1 changed file with 7 additions and 1 deletion.
|
@@ -4,6 +4,8 @@ Conveyor was a gold-related ML data and model pipeline "builder", allowing a cli | |
|
||
## RPyC 0day | ||
|
||
### Exploitation | ||
|
||
Despite the RPyC config containing `allow_pickle=False` by default ([[email protected]/core/protocol.py#L63](https://github.com/tomerfiliba-org/rpyc/blob/ec5fbe51522cb6f31b43c346ba34b49b2b0dbeb6/rpyc/core/protocol.py#L63)), which does disable the pickling handler for objects ([[email protected]/core/protocol.py#L899](https://github.com/tomerfiliba-org/rpyc/blob/ec5fbe51522cb6f31b43c346ba34b49b2b0dbeb6/rpyc/core/protocol.py#L899)), unpickling is still available through the `__array__` method, which is added specifically for transfer of numpy arrays across devices with different architectures ([[email protected]/core/netref.py#L255](https://github.com/tomerfiliba-org/rpyc/blob/ec5fbe51522cb6f31b43c346ba34b49b2b0dbeb6/rpyc/core/netref.py#L255)). | ||
|
||
Since the service contains a lot of logic which is directly related to working with pandas, sklearn, and numpy, it isn't difficult to find a location where this method would be used. As stated in the [numpy doc](https://numpy.org/doc/stable/reference/generated/numpy.array.html), `numpy.array` tries calling the `__array__` method during initialization, so `ModelConveyor`'s `fit_ridge` ([../../services/conveyor/conveyor/model.py#74](../../services/conveyor/conveyor/model.py#74)) method is perfect for this. | ||
|
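Review bot: the relative link in the last paragraph of this hunk, `[../../services/conveyor/conveyor/model.py#74](../../services/conveyor/conveyor/model.py#74)`, uses a bare `#74` fragment, which GitHub does not resolve to a source line; use the `#L74` form that the three RPyC links in the first paragraph already use. It would also help to name the pinned RPyC commit (`ec5fbe5`) or release next to the `## RPyC 0day` heading, since the links pin that revision and a reader checking whether a later RPyC still routes the `__array__` netref through the pickle path needs that reference point without opening each URL.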
@@ -22,4 +24,8 @@ class Exploit: | |
return (__import__("builtins").eval, (self.code,)) | ||
``` | ||
|
||
The full exploit with flag exfiltration and some interesting traffic obfuscation methods can be seen here: [./conveyor-rpyc-0day.py](./conveyor-rpyc-0day.py). To launch it, run `poetry shell`, and then `python3 conveyor-rpyc-0day.py {ip} {account_id}`. | ||
The full exploit with flag exfiltration and some interesting traffic obfuscation methods can be seen here: [./conveyor-rpyc-0day.py](./conveyor-rpyc-0day.py). To exfiltrate the flags, placed by the checker in the dataset and model descriptions, the payload retrieves the RPyC connection from the callstack via Python's `inspect` module, and then uses it to transfer flags to the connected client without initiating extra connections. To launch it, run `poetry shell`, and then `python3 conveyor-rpyc-0day.py {ip} {account_id}`. | ||
|
||
### Fix | ||
|
||
As a simple fix, the pickling logic could be removed from RPyC, since it's only present to allow transfer of numpy arrays across different Python instances, but in this case, the numpy arrays are meant to be located on the server itself. |
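Review bot: the `### Fix` paragraph says the pickling logic "could be removed from RPyC" but does not say whether that is what the service actually ships; since RPyC is a third-party dependency, state where the change lives (a vendored copy, a pinned fork, or a runtime patch of the `__array__` handler in `netref.py`) and link it the same way the exploit script is linked in the paragraph above. Spelling out why the removal is safe in one sentence would also help, namely that `fit_ridge` only operates on arrays already resident on the server, so nothing the client supplies should ever reach `numpy.array` through `__array__`.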