🐈⬛ Pain Pickle: Systemically bypassing restricted unpickle 🐈
time
06:00 ~ 06:45
site
R3
Pickle is a built-in Python module for serializing and de-serializing a Python object structure. As all of you know, it is very dangerous to unpickling any object, once you encounter a random unpickling, it means you almost get a RCE. Marco Slaviero had already published a series of methods in “Sour Pickles” from BlackHat 2011. There are consequential methods to relief, the “Restricting Globals” section of Python official documents has mentioned a standard implementation. We sometimes can also see these kinds of defenses in CTFs, but some might say “CTF isn’t real, it’s just a game!” So, how about the real world? How is everyone implementing their defense? We tried to analyze thousands of Python projects on GitHub, and found some failed implementations that had security risks.
In this session we will share some interesting cases we found, and summarize a series of bypassing methods, finally implement a tool for finding gadgets and generating corresponding exploits automatically 🐱
