Python Yaml Deserialization

Yaml Deserialization

Yaml python libraries is also capable to serialize python objects and not just raw data:

print(yaml.dump(str("lol")))
lol
...

print(yaml.dump(tuple("lol")))
!!python/tuple
- l
- o
- l

print(yaml.dump(range(1,10)))
!!python/object/apply:builtins.range
- 1
- 10
- 1

Check how the tuple isn’t a raw type of data and therefore it was serialized. And the same happened with the range (taken from the builtins).

safe_load() or safe_load_all() uses SafeLoader and don’t support class object deserialization. Class object deserialization example:

python

The previous code used unsafe_load to load the serialized python class. This is because in version >= 5.1, it doesn’t allow to deserialize any serialized python class or class attribute, with Loader not specified in load() or Loader=SafeLoader.

Basic Exploit

Example on how to execute a sleep:

python

Vulnerable .load("<content>") without Loader

Old versions of pyyaml were vulnerable to deserialisations attacks if you didn't specify the Loader when loading something: yaml.load(data)

You can find the description of the vulnerability here. The proposed exploit in that page is:

yaml

Or you could also use this one-liner provided by @ishaack:

yaml

Note that in recent versions you cannot no longer call .load() without a Loader and the FullLoader is no longer vulnerable to this attack.

RCE

Custom payloads can be created using Python YAML modules such as PyYAML or ruamel.yaml. These payloads can exploit vulnerabilities in systems that deserialize untrusted input without proper sanitization.

python

Tool to create Payloads

The tool https://github.com/j0lt-github/python-deserialization-attack-payload-generator can be used to generate python deserialization payloads to abuse Pickle, PyYAML, jsonpickle and ruamel.yaml:

bash

References

PreviousExploiting __VIEWSTATE without knowing the secretsNextJNDI - Java Naming and Directory Interface & Log4Shell

Last updated