oss-sec mailing list archives
CVE-2024-27322: Deserialization vulnerability in R before 4.4.0
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 29 Apr 2024 08:57:13 -0700
https://hiddenlayer.com/research/r-bitrary-code-execution/ reports:
HiddenLayer researchers have discovered a vulnerability, CVE-2024-27322, in the R programming language that allows for arbitrary code execution by deserializing untrusted data. This vulnerability can be exploited through the loading of RDS (R Data Serialization) files or R packages, which are often shared between developers and data scientists. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction.
[...]
Our team discovered that it is possible to craft a malicious RDS file that will execute arbitrary code when loaded and referenced. This vulnerability, assigned CVE-2024-27322, involves the use of promise objects and lazy evaluation in R.
[...]
After some research, we found that if we created a promise where instead of setting a symbol, we set an unbounded value, we could create a payload that would run the expression when the promise was accessed:

    Opcode(TYPES.PROMSXP, 0, False, False, False, None, False),
    Opcode(TYPES.UNBOUNDVALUE_SXP, 0, False, False, False, None, False),
    Opcode(TYPES.LANGSXP, 0, False, False, False, None, False),
    Opcode(TYPES.SYMSXP, 0, False, False, False, None, False),
    Opcode(TYPES.CHARSXP, 64, False, False, False, "system", False),
    Opcode(TYPES.LISTSXP, 0, False, False, False, None, False),
    Opcode(TYPES.STRSXP, 0, False, False, False, 1, False),
    Opcode(TYPES.CHARSXP, 64, False, False, False, 'echo "pwned by HiddenLayer"', False),
    Opcode(TYPES.NILVALUE_SXP, 0, False, False, False, None, False),

Once the malicious file has been created and loaded by R, the exploit will run no matter how the variable is referenced.
[...]
R’s serialization and deserialization process, which is used in the process of creating and loading RDS files and packages, has an arbitrary code execution vulnerability. An attacker can exploit this by crafting a file in RDS format that contains a promise instruction setting the value to unbound_value and the expression to contain arbitrary code. Due to lazy evaluation, the expression will only be evaluated and run when the symbol associated with the RDS file is accessed. Therefore, if this is simply an RDS file, when a user assigns it a symbol (variable) in order to work with it, the arbitrary code will be executed when the user references that symbol. If the object is compiled within an R package, the package can be added to an R repository such as CRAN, and the expression will be evaluated and the arbitrary code run when a user loads that package. Given the widespread usage of R and the readRDS function, the implications of this are far-reaching. Having followed our responsible disclosure process, we have worked closely with the team at R who have worked quickly to patch this vulnerability within the most recent release – R v4.4.0.
https://stat.ethz.ch/pipermail/r-announce/2024/000701.html on April 24 announced the release of R 4.4.0 but does not mention the CVE id in the list of fixes.

-- 
-Alan Coopersmith-               alan.coopersmith () oracle com
 Oracle Solaris Engineering - https://blogs.oracle.com/solaris
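A defender-side check that follows from the description above: statically walk an RDS stream and flag any serialized promise (PROMSXP) before the file reaches readRDS() or unserialize(). This is an added example, not HiddenLayer's tooling and not code from the R project. It decodes R's XDR serialization format (the type/flag layout that the Opcode(...) listing abstracts) from my reading of R's serialize.c and the R Internals manual, handles the common object types, refuses unknown ones rather than guessing, and is exercised on two hand-constructed byte strings (a plain "hello" character vector and a promise wrapping the constant 42) rather than on real saveRDS() output. Names such as RdsScanner, find_promises and promise_summary are my own.

```python
"""Static scan of an RDS byte stream for serialized promise (PROMSXP) objects."""
import gzip
import struct

# SEXP type codes from R's Rinternals.h plus the pseudo-types used by serialize.c.
SYMSXP, LISTSXP, CLOSXP, ENVSXP, PROMSXP, LANGSXP = 1, 2, 3, 4, 5, 6
SPECIALSXP, BUILTINSXP, CHARSXP, REALSXP, STRSXP, DOTSXP = 7, 8, 9, 14, 16, 17
VECSXP, EXPRSXP, S4SXP, ALTREP_SXP, REFSXP = 19, 20, 25, 238, 255
ATOMIC_WIDTH = {10: 4, 13: 4, 14: 8, 15: 16, 24: 1}     # LGL, INT, REAL, CPLX, RAW: bytes per element
PAIRLIKE = {LISTSXP, LANGSXP, CLOSXP, PROMSXP, DOTSXP}  # serialized in the order ATTRIB, TAG, CAR, CDR
SINGLETONS = {254: "NILVALUE", 253: "GLOBALENV", 252: "UNBOUNDVALUE", 251: "MISSINGARG",
              250: "BASENAMESPACE", 242: "EMPTYENV", 241: "BASEENV"}


class RdsScanner:
    """Walks one XDR-format serialization stream and records every promise it meets."""

    def __init__(self, data: bytes):
        if data[:2] == b"\x1f\x8b":                  # saveRDS() gzip-compresses by default
            data = gzip.decompress(data)
        if data[:2] != b"X\n":
            raise ValueError("only the XDR ('X\\n') serialization format is handled")
        self.buf, self.pos, self.promises = data, 2, []

    def _int(self):
        (v,) = struct.unpack_from(">i", self.buf, self.pos)  # XDR integers are big-endian
        self.pos += 4
        return v

    def _bytes(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated stream")
        self.pos += n
        return chunk

    def _length(self):
        n = self._int()
        if n == -1:                                  # long vector: high and low words follow
            n = (self._int() << 32) | (self._int() & 0xFFFFFFFF)
        if n < 0:
            raise ValueError("negative vector length")
        return n

    def scan(self):
        version = self._int()
        self._int()                                  # writer's R version (ignored)
        self._int()                                  # minimum reader version (ignored)
        if version == 3:
            self._bytes(self._int())                 # native encoding name
        elif version != 2:
            raise ValueError(f"unsupported serialization version {version}")
        return self._item(), self.promises

    def _item(self):
        flags = self._int()
        typ, has_attr, has_tag = flags & 0xFF, bool(flags & 0x200), bool(flags & 0x400)
        if typ in SINGLETONS:
            return SINGLETONS[typ]
        if typ == REFSXP:                            # back-reference to an earlier symbol/environment
            if flags >> 8 == 0:
                self._int()
            return "REF"
        if typ == SYMSXP:
            return ("SYM", self._item()[1])          # the print name follows as a CHARSXP
        if typ == CHARSXP:
            n = self._int()                          # -1 encodes NA_character_
            return ("CHAR", None if n < 0 else self._bytes(n).decode("utf-8", "replace"))
        if typ in PAIRLIKE:
            attr = self._item() if has_attr else None
            tag = self._item() if has_tag else None
            car, cdr = self._item(), self._item()
            if typ == PROMSXP:                       # for promises TAG=PRENV, CAR=PRVALUE, CDR=PRCODE
                self.promises.append({"env": tag, "value": car, "code": cdr})
            return (typ, attr, tag, car, cdr)
        if typ == ALTREP_SXP:
            return (typ, self._item(), self._item(), self._item())  # info, state, attributes
        if typ == ENVSXP:
            self._int()                              # locked flag
            return (typ, self._item(), self._item(), self._item(), self._item())
        if typ in (STRSXP, VECSXP, EXPRSXP):
            items = [self._item() for _ in range(self._length())]
        elif typ in ATOMIC_WIDTH:
            items = self._bytes(self._length() * ATOMIC_WIDTH[typ])
        elif typ in (SPECIALSXP, BUILTINSXP):
            items = self._bytes(self._int())         # the primitive's name
        elif typ == S4SXP:
            items = None
        else:
            raise NotImplementedError(f"SEXP type {typ} is not handled by this scanner")
        return (typ, self._item() if has_attr else None, items)   # vector attributes follow the data


def promise_summary(promise):
    """Name what the promise would evaluate: a call's head symbol, a symbol, or the code's type."""
    code = promise["code"]
    if isinstance(code, tuple) and code[0] == LANGSXP and code[3][0] == "SYM":
        return f"call to {code[3][1]}"
    if isinstance(code, tuple) and code[0] == "SYM":
        return f"symbol {code[1]}"
    return f"type {code[0] if isinstance(code, tuple) else code}"


def find_promises(data: bytes):
    """Return one summary string per serialized promise found in an RDS byte string."""
    return [promise_summary(p) for p in RdsScanner(data).scan()[1]]


def _i(n):
    return struct.pack(">i", n)


# Constructed samples (hand-built, not real saveRDS output): a version-3 header, then one object each.
HEADER = b"X\n" + _i(3) + _i(0x040300) + _i(0x020300) + _i(5) + b"UTF-8"
CHAR_FLAGS = CHARSXP | (64 << 12)                    # levels=64 marks ASCII, as in the listing above
BENIGN_RDS = HEADER + _i(STRSXP) + _i(1) + _i(CHAR_FLAGS) + _i(5) + b"hello"
PROMISE_RDS = HEADER + _i(PROMSXP) + _i(252) + _i(REALSXP) + _i(1) + struct.pack(">d", 42.0)
PROMISE_RDS_GZ = gzip.compress(PROMISE_RDS)

if __name__ == "__main__":
    import sys
    samples = {"benign": BENIGN_RDS, "promise": PROMISE_RDS_GZ}
    if len(sys.argv) > 1:                            # scan a real file instead of the samples
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    for name, blob in samples.items():
        found = find_promises(blob)
        print(f"{name}: {'no promises' if not found else 'PROMISE ' + '; '.join(found)}")
```

Run as `python scan_rds.py some_file.rds` to report every promise in a file, or with no argument to scan the two constructed samples. A legitimate data file produced by saveRDS() contains vectors, lists and attributes, so any PROMSXP at all is worth quarantining and inspecting; the scanner deliberately stops with NotImplementedError on object types it does not model (bytecode, external pointers, namespaces) instead of skipping bytes it cannot account for. Updating to R 4.4.0 remains the actual fix; this check is a triage aid for files that must be handled on older installations.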