AI PRP: Pickle deserialization on recv_pyobj method of pyZMQ pacakge

[mr-mosi]

Hello,
This is related to this recent blog post that we can expend the vulnerable instances to all kind of application which are using the recv_pyobj method on an open TCP socket.

TLDR: the recv_pyobj sends the received TCP message to a pickle deserialize method which is unsafe and leads to code injection.

references:
https://pyzmq.readthedocs.io/en/latest/howto/morethanbindings.html#builtin-serialization
https://pyzmq.readthedocs.io/en/latest/api/zmq.html#zmq.Socket.recv_pyobj

a simple example can be this:
a pyZMQ server:

import zmq

# Create a ZeroMQ context
context = zmq.Context()

# Create a REP (Reply) socket
socket = context.socket(zmq.REP)

# Bind the socket to a TCP address
socket.bind("tcp://*:5555")  # Listen on port 5555

print("Server is listening on tcp://*:5555...")

while True:
    try:
        # Receive a Python object
        received_obj = socket.recv_pyobj()
        print(f"Received object: {received_obj}")

        # Send a response back to the client
        response = f"Server received: {received_obj}"
        socket.send_pyobj(response)

    except KeyboardInterrupt:
        print("Server shutting down...")
        break

# Clean up
socket.close()
context.term()

a client simply pickle the exploit object and send it through the TCP socket.
I'm not sure, but for writing a python tsunami plugin we maybe need to add a pypi package too. i don't know if this is possible or not.

[tooryx]

Hi @mr-mosi,

Could you provide a bit more details on how you would identify a vulnerable service? Would you just send the pickle exploit to every TCP service? Which for us, would be considered a bit too aggressive/prone to denial of service.

~tooryx

[mr-mosi]

@tooryx Hii

fortunately, nmap can detect the zmq protocol.

i tested it on the example server above in the issue description and nmap detect the open port as zeromq.