Fickling Python Library Unsafe Deserialization Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability in the Fickling Python library, specifically in versions through 0.1.5, allows unsafe pickles to be incorrectly classified as safe. This issue arises from the 'pty' module not being included in the block list of dangerous imports, enabling pickles that use 'pty.spawn()' to bypass security checks. As a result, users who rely on Fickling to analyze pickle files for security risks may inadvertently execute malicious code.
Impact
Exploitation of this vulnerability allows crafted pickle files to bypass Fickling's safety checks, leading to arbitrary code execution on the user's system.
Reproduction
The vulnerability can be reproduced by creating a pickle file that uses the 'pty' module in a way that exploits Fickling's 'unused variable' detection heuristic. This can be done by crafting a pickle that leaves a variable on the stack, which is then 'used' by the payload, tricking Fickling into marking it as 'LIKELY_SAFE'.
Remediation
Users can upgrade to Fickling version 0.1.6 or later, where this vulnerability has been addressed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.