[issue40039] [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
Change by Junyu Zhang:

--
components: Library (Lib)
files: Python-multiprocessing-RCE-vulnerability.pdf
nosy: Junyu Zhang
priority: normal
severity: normal
status: open
title: [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8
Added file: https://bugs.python.org/file48994/Python-multiprocessing-RCE-vulnerability.pdf

___
Python tracker <https://bugs.python.org/issue40039>
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue40039] [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
New submission from Junyu Zhang:

description: When we were using Python to develop a distributed process service, I noticed that the default serialization parameter of Manager and ManagerBase in multiprocessing was pickle, and it didn't seem to be mentioned in the official website's documentation. This is unsafe unless our server can completely trust the recv data, but if authkey is not set or leaked, it will cause RCE on the server side, so I applied for a CVE-ID to remind everyone of this security issue. For details of the vulnerability and the PoC code, please refer to the PDF file.
[issue40039] [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
Junyu Zhang added the comment:

Thank you for your reply, this report is indeed the situation prompted by the warning. There will be few problems in the single-machine deployment mode. Of course, it is also possible to take advantage of the possibility of elevation of privilege. In the distributed deployment mode, the client script is leaked. The resulting authkey leak will also cause RCE problems. I have an idea. If ManagerBase can allow users to customize the serialization operation, it may be greatly relieved. Is your suggestion that I need to report this to secur...@python.org?
[issue40039] [CVE-2020-10796] Python multiprocessing Remote Code Execution vulnerability
Junyu Zhang added the comment:

Thank you for your reply. Yes, under normal circumstances, keys are generally not leaked. I may have only considered the following attacks at the time:

1. If the client script of the distributed process is on another machine, or the key is leaked due to an accidental leak.
2. When the attacker has obtained some server permissions, but not the highest permissions, and this distributed service process runs with the highest management permissions, and the attacker has read permissions to the script code, this may cause a simple elevation.

Of course, after thinking about it carefully, I found that the above problem is just a conjecture, so now I have decided to give up reporting it as CVE, unless I find such a situation.
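An added example, not part of the thread and not CPython's own code: it addresses the two leak scenarios listed above by keeping the authkey in an owner-only file instead of the script source, and shows a manager server rejecting a peer with the wrong key during the authentication challenge, before any request is unpickled. The helper names, the key file name and the 32-byte key length are assumptions, and POSIX file modes are assumed.

```python
import os
import secrets
import stat
import tempfile
import threading
from multiprocessing import AuthenticationError
from multiprocessing.managers import BaseManager

KEY_BYTES = 32  # assumed key length for this example

def create_authkey(path):
    """Write a random key to a new file that only its owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secrets.token_bytes(KEY_BYTES))

def load_authkey(path):
    """Return the key; refuse a file that group or other users can access."""
    with open(path, "rb") as fh:
        if os.fstat(fh.fileno()).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: key file open to group/other")
        return fh.read()

def can_connect(address, authkey):
    """True if the manager server accepts this key in its challenge."""
    try:
        BaseManager(address=address, authkey=authkey).connect()
        return True
    except AuthenticationError:
        return False

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "manager.key")  # constructed sample path
        create_authkey(path)
        key = load_authkey(path)
        server = BaseManager(("127.0.0.1", 0), authkey=key).get_server()
        threading.Thread(target=server.serve_forever, daemon=True).start()
        right = can_connect(server.address, key)
        wrong = can_connect(server.address, secrets.token_bytes(KEY_BYTES))
        os.chmod(path, 0o644)  # simulate a key other local users can read
        try:
            load_authkey(path)
        except PermissionError:
            return right, wrong, True
        return right, wrong, False

if __name__ == "__main__":
    print(demo())
```

The server binds to loopback on an OS-chosen port and runs in a daemon thread so the example stays in one process.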