TensorLayer icon indicating copy to clipboard operation
TensorLayer copied to clipboard
verified publisher icon tensorlayer

Security Fix for Arbitrary Code Execution - huntr.dev

Open huntr-helper opened this issue 5 years ago • 2 comments

@d3m0n-r00t (https://huntr.dev/users/d3m0n-r00t) has fixed a potential Arbitrary Code Execution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A Version Affected | * Bug Fix | YES Original Pull Request | https://github.com/418sec/tensorlayer/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/tensorlayer/1/README.md

User Comments:

📊 Metadata *

Fixed Arbitrary code execution in tensorlayer

Bounty URL: https://www.huntr.dev/bounties/1-pip-tensorlayer

⚙️ Description *

TensorLayer is a novel TensorFlow-based deep learning and reinforcement learning library designed for researchers and engineers. It provides an extensive collection of customizable neural layers to build advanced AI models quickly. This package is vulnerable to Arbitrary Code Execution.

💻 Technical Description *

Use of eval() in eval_layer() function without escaping causes execution of system commands.

🐛 Proof of Concept (PoC) *

pip install tensorflow
pip install tensorlayer

from tensorlayer.files.utils import eval_layer

eval_layer({'class': 'utils.np.os.execvp', 'args': {'layer_type': 'normal', 'file': 'calc.exe', 'args': ['0']}})

OR

from tensorlayer.files.utils import eval_layer
eval_layer({'class': 'utils.np.os.system', 'args': {'layer_type': 'normal', 'command': 'calc.exe'}})

Screenshot 2021-01-27 125710

🔥 Proof of Fix (PoF) *

Screenshot 2021-01-27 124206

Screenshot 2021-01-27 125815 https://docs.python.org/3/library/ast.html#ast-helpers

👍 User Acceptance Testing (UAT)

As explained above ast.literal_eval() can only be used in common strings and not complex expressions. So not sure on how this will affect the package. However it is safer for evaluvating simple expressions.

huntr-helper avatar Feb 19 '21 07:02 huntr-helper

@d3m0n-r00t @Laicheng0830 - relates to https://github.com/tensorlayer/tensorlayer/issues/1116 and https://github.com/418sec/huntr/pull/1791.

Thanks! 🍰

JamieSlome avatar Feb 19 '21 07:02 JamieSlome

@Laicheng0830, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge.svg)](https://huntr.dev)

👇 👇 👇

huntr

JamieSlome avatar Feb 20 '21 10:02 JamieSlome