NASA RtRetrievalFramework CVE-2018-1000048 Remote code execution


I would like to report a remote code execution potential vulnerability in Singledop. Pickle module enables binary serialization and loading of Python datatypes and any user supplied sample file can lead to remote code execution on any researches machine processing a serialized file.

screen shot 2016-11-30 at 3 53 07 pm

Attack binary a valid dop file:


The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

Written by 95CN

Comments are closed.