Description: JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
VulnerabilityType: CWE-502: Deserialization of Untrusted Data
Vendor of Product: http://jyaml.sourceforge.net (see yaml.org)
Affected Product Code Base: jyaml Java library
Attack Type: Remote
Impact: Code execution: True
Credits: Manmeet Singh and Ashish Kukreti
Attack Vectors: JYaml can be exploited by passing a malicious YAML document to its default load() method. The YAML is deserialized without any restriction on the classes it may name, so a payload generated with the marshalsec payload generator (https://github.com/mbechler/marshalsec) and handed to a call such as
Object object = Yaml.load(new File("object.yml"));
is enough to instantiate attacker-chosen classes and execute a command during deserialization. Because the product is discontinued, no fixed version is expected; applications that load untrusted YAML with JYaml need to replace it.
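The vulnerable call pattern beside one hardened replacement, as an added illustration that is not part of the original advisory or of JYaml's own code. The first method is the CWE-502 sink described above; the second assumes the application only needs plain YAML data (maps, lists, scalars) and swaps JYaml for SnakeYAML's SafeConstructor, which refuses "!" class tags. The method names and the `upload` parameter are hypothetical.

```java
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.util.Map;

import org.ho.yaml.Yaml;                               // JYaml (discontinued), the vulnerable library
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.SafeConstructor; // SnakeYAML, used here as the replacement

public class YamlLoading {

    /**
     * VULNERABLE (hypothetical wrapper around the advisory's call): JYaml resolves class tags
     * found in the document and instantiates those classes reflectively, so an attacker who
     * controls the file contents (e.g. a marshalsec-generated payload) gets code execution
     * during load(). There is no allow-list and no safe mode to enable.
     */
    public static Object loadUntrustedWithJyaml(File upload) throws IOException {
        return Yaml.load(upload);   // CWE-502 sink: untrusted data -> arbitrary object graph
    }

    /**
     * HARDENED (assumed replacement): SafeConstructor only builds standard YAML types and
     * rejects any "!fully.qualified.ClassName" tag, so the same payload fails to parse
     * instead of running code. The caller still validates the shape of what comes back.
     */
    public static Map<String, Object> loadUntrustedSafely(File upload) throws IOException {
        org.yaml.snakeyaml.Yaml safe =
                new org.yaml.snakeyaml.Yaml(new SafeConstructor(new LoaderOptions()));
        try (Reader reader = new FileReader(upload)) {
            Object doc = safe.load(reader);
            if (!(doc instanceof Map)) {
                throw new IllegalArgumentException("expected a YAML mapping at the top level");
            }
            @SuppressWarnings("unchecked")
            Map<String, Object> mapping = (Map<String, Object>) doc;
            return mapping;
        }
    }

    public static void main(String[] args) throws IOException {
        File upload = new File(args.length > 0 ? args[0] : "object.yml");
        // Only the safe path should be reachable from untrusted input:
        System.out.println(loadUntrustedSafely(upload));
    }
}
```

If the application genuinely needs typed objects from YAML, the replacement should bind the document to one explicit target class rather than letting the document choose the class; what must never remain is a load() call whose input is attacker-controlled.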
References:
https://github.com/mbechler/marshalsec
https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
https://sourceforge.net/p/jyaml/bugs/
Has vendor confirmed or acknowledged the vulnerability?: Yes
Discoverer: Manmeet Singh and Ashish Kukreti