Python: New code/command execution sinks #818

Closed
1 of 2 tasks
am0o0 opened this issue Feb 25, 2024 · 12 comments
Assignees
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@am0o0

am0o0 commented Feb 25, 2024

Query PR

github/codeql#15715

Language

Python

CVE(s) ID list

  • CVE-2023-46134 related to pandas query function on DataFrame objects

CWE

CWE-074

Report

What is new?
JsonPickle library Code execution sinks
Pytorch library Code execution sinks
Pexpect library Command Execution and Secondary server cmd injection
AsyncSsh library Secondary server cmd injection
Netmiko library Secondary server cmd injection
Scrapli library Secondary server cmd injection
Twisted library Secondary server cmd injection
Ssh2-python library Secondary server cmd injection
pandas library DataFrame Code execution sinks

What has changed?
Upgraded the paramiko query to a Secondary server command execution query, with which attackers can execute commands on servers other than the primary server. It is in the experimental directory.
For the paramiko query, proxyCommand has been added as a SystemCommandExecution because it executes commands on the primary server.
Upgraded the Fabric framework and added proxy_command as a SystemCommandExecution. I didn't change the sinks of this framework to Secondary server command execution because it is not in an experimental library; otherwise the run and sudo functions would be SecondaryCommandInjection and the local function SystemCommandExecution. I only simplified the framework structure with the new higher-level APIs and added new SystemCommandExecution sinks.

Also, I tried my best to use inline tests everywhere so you can review this PR more easily. :)

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

TBD

@am0o0 am0o0 added the All For One Submissions to the All for One, One for All bounty label Feb 25, 2024
@sylwia-budzynska sylwia-budzynska self-assigned this Feb 27, 2024
@ghsecuritylab
Collaborator

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@sylwia-budzynska

Hi @am0o0

I just ran your new query, and a query with a taint tracking config from remote flow sources to the new sinks, on the top 1000 most popular Python repos, but no results were found. I also ran a sink-only query to see if the sinks are being used (without checking if user input flows into them, so these results are not vulnerabilities) and there were over 3300 results, which means those sinks do get used in these top 1000 apps.

This makes me think there could be two reasons why we are not getting results:

  • we need a taint step to help reach the sinks
  • the python repos that were scanned use these sinks in a secure way.

Could you have a look at whether a taint step might be missing somewhere? If more TPs can't be found, the scope score for this submission will unfortunately be low.
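The distinction drawn in the comment above, between a sink-only query (every call to a modelled sink) and a taint-tracking query (only calls whose argument is reachable from a remote source), and the idea of a missing taint step that explains zero results, can be illustrated with a small intraprocedural analysis. The following is an added example and is not part of this thread or of the CodeQL query under review: it uses Python's `ast` module, a constructed list of dotted sink names taken from the libraries the submission mentions, a Flask-style `request` object as the only source, and a constructed sample module. Unlike CodeQL, it does not model taint through arbitrary calls: taint crosses a call only when the callee is listed in `taint_steps`, which is exactly the situation where a result disappears until the step is modelled.

```python
import ast
from dataclasses import dataclass

# Constructed, name-based sink list mirroring libraries named in the submission.
# Receiver-typed sinks such as DataFrame.query need type tracking and are out of scope here.
CODE_EXEC_SINKS = {"jsonpickle.decode", "torch.load"}
CMD_EXEC_SINKS = {"pexpect.spawn", "pexpect.run"}
SINKS = CODE_EXEC_SINKS | CMD_EXEC_SINKS

# Remote flow source: anything read off a Flask-style `request` object (assumption).
SOURCE_ROOT = "request"


@dataclass(frozen=True)
class Finding:
    function: str
    sink: str
    line: int
    tainted: bool


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted_vars, taint_steps):
    """Conservative check: does `expr` carry data from the remote source?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted_vars
    if isinstance(expr, (ast.Attribute, ast.Subscript)):
        root = expr
        while isinstance(root, (ast.Attribute, ast.Subscript)):
            root = root.value
        if isinstance(root, ast.Name) and root.id == SOURCE_ROOT:
            return True  # e.g. request.args["x"], request.form
        return is_tainted(expr.value, tainted_vars, taint_steps)
    if isinstance(expr, ast.Call):
        # A method call on tainted data stays tainted (request.args.get(...), s.strip()).
        if isinstance(expr.func, ast.Attribute) and is_tainted(expr.func.value, tainted_vars, taint_steps):
            return True
        # Otherwise taint only crosses a call if that callee is a modelled taint step.
        if dotted_name(expr.func) in taint_steps:
            return any(is_tainted(a, tainted_vars, taint_steps) for a in expr.args)
        return False
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted_vars, taint_steps) or is_tainted(expr.right, tainted_vars, taint_steps)
    if isinstance(expr, ast.JoinedStr):  # f-strings
        return any(is_tainted(v.value, tainted_vars, taint_steps)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def analyze(source, taint_steps=frozenset()):
    """One Finding per sink call in each function; `tainted` says whether a source reaches it."""
    findings = []
    tree = ast.parse(source)
    for fn in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in fn.body:  # straight-line, intraprocedural: enough to show the idea
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted, taint_steps):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    flows = any(is_tainted(a, tainted, taint_steps) for a in call.args)
                    findings.append(Finding(fn.name, dotted_name(call.func), call.lineno, flows))
    return findings


def tainted_only(source, taint_steps=frozenset()):
    """The taint-tracking view: sink calls actually reachable from a remote source."""
    return [f for f in analyze(source, taint_steps) if f.tainted]


# Constructed sample module (not real project code).
SAMPLE = '''
import base64, jsonpickle, pexpect
from flask import request

def restore():
    payload = request.args.get("state")
    return jsonpickle.decode(payload)          # source -> sink directly

def restore_b64():
    blob = base64.b64decode(request.args["state"])
    return jsonpickle.decode(blob)             # only found once b64decode is a taint step

def restore_default():
    return jsonpickle.decode(DEFAULT_STATE)    # sink used, but no source reaches it

def shell():
    return pexpect.spawn(f"ssh {request.form['host']}")
'''

if __name__ == "__main__":
    print("sink-only:", [(f.function, f.line) for f in analyze(SAMPLE)])
    print("tainted:", [(f.function, f.line) for f in tainted_only(SAMPLE)])
    print("with step:", [(f.function, f.line) for f in tainted_only(SAMPLE, frozenset({"base64.b64decode"}))])
```

Run as a script, the sink-only view reports all four calls, the taint-tracking view reports only `restore` and `shell`, and adding `base64.b64decode` as a taint step brings `restore_b64` into the results; that last case is the "missing taint step" situation the comment describes.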

@am0o0
Author

am0o0 commented Mar 6, 2024

Hi @sylwia-budzynska

Thank you a lot for helping me and telling me how to improve the query :) I'll work on improving this submission to find some results.

@am0o0
Author

am0o0 commented Mar 9, 2024

Hi @sylwia-budzynska, for now I found one result, but I don't know yet whether I should search only in the top 1000 repositories or not.
https://github.com/guydavis/machinaris/
I'm working on adding additional steps if I find anything related too.

@am0o0
Author

am0o0 commented Mar 9, 2024

There is a CVE related to the pexpect sink (in the Ajenti/Ajenti repo). If I support this CVE in this submission, does this addition help to increase the scope score?

@sylwia-budzynska

sylwia-budzynska commented Mar 11, 2024

> for now I found one result, but I don't know yet whether I should search only in the top 1000 repositories or not.
> https://github.com/guydavis/machinaris/

Good catch, that improves the score 👍

> There is a CVE related to the pexpect sink (in the Ajenti/Ajenti repo). If I support this CVE in this submission, does this addition help to increase the scope score?

It won't increase the scope score significantly, but it's always good to have more sinks, so I encourage you to add it.

If you find any more repos with results, please share the databases of these repos and the query used; that speeds up the work for us a lot. Thanks!

@angelg84

angelg84 commented Mar 11, 2024 via email

@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Jun 24, 2024

Hello @am0o0,
can you please provide me with your HackerOne email, or any other email, for bounty payment?
You can email me privately.
Best regards

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Jun 24, 2024

Created Hackerone report 2573454 for bounty 591010 : [818] Python: New code/command execution sinks

@xcorail xcorail closed this as completed Jun 24, 2024
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
