erdogant pypickle Remote Code Execution Vulnerability via Insecure Deserialization
Vulnerability
A remote code execution vulnerability has been identified in the erdogant pypickle library, specifically in versions up to and including 1.1.5. The issue arises in the load function of pypickle.py, where data is deserialized using Python's pickle.load() without proper validation or sanitization. This flaw allows an attacker to execute arbitrary code by supplying a malicious pickle file. Although local access is required to exploit this vulnerability, the potential impact includes remote code execution and compromise of the affected system.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where the vulnerable pypickle library is used.
Reproduction
To reproduce this vulnerability, first clone the pypickle repository and navigate to the directory. Then, create a malicious pickle file named 'malicious.pkl' using a Python script that exploits the insecure deserialization. This script should be crafted to execute a command, such as opening the calculator application on Windows or Linux. After generating the malicious pickle file, run a Python script that loads this file using the vulnerable pypickle library. The execution of the command embedded in the pickle file will demonstrate the successful exploitation of the vulnerability.
Remediation
Users are advised to upgrade to pypickle version 2.0.0 or later, where this vulnerability has been addressed.
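Where an application must still read pickle files it does not fully control, the underlying weakness (pickle.load() resolving any global named in the file) can be contained with an allow-list unpickler. The following is an added example, not pypickle's own code and not the fix shipped in 2.0.0; the names ALLOWED_GLOBALS, AllowListUnpickler, safe_load, safe_loads and is_rejected are hypothetical, and the sample pickles are constructed and harmless.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: the application only needs plain containers and scalars, which
# pickle encodes with dedicated opcodes and never resolves via find_class.
# Every entry here is an explicit, reviewed exception.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global not in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize bytes; raise UnpicklingError on a non-allow-listed global."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def safe_load(path):
    """File-based variant of safe_loads for code that reads .pkl files."""
    with open(path, "rb") as fh:
        return AllowListUnpickler(fh).load()


def is_rejected(data: bytes) -> bool:
    """Return True when the allow-list unpickler refuses the input."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: plain data, an allow-listed type, and a pickle whose
# only content is a reference to a callable outside the allow-list.
PLAIN = pickle.dumps({"model": "v1", "weights": [0.1, 0.2]})
ORDERED = pickle.dumps(OrderedDict(a=1))
CALLABLE_REF = pickle.dumps(len)
```

The allow-list only helps while it stays narrow: admitting a whole module such as builtins would restore the original exposure.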
