GHSA-m7j5-r2p5-c39r

Summary

Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.

Details

The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:

logging.FileHandler: The exploit instantiates this class using its default behavior (append mode).

Behavior on Existing Files: If the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.

Behavior on Non-Existent Files: If the target file does not exist, the handler creates a new zero-byte file with the specified name.

PoC

import pickle

class WriteFile:
    def __reduce__(self):
        from logging import FileHandler
        return (FileHandler, ('evil.log',))

with open("bypass_write.pkl", "wb") as f:
    pickle.dump(WriteFile(), f)

handler = pickle.loads(pickle.dumps(WriteFile()))

<img width="1201" height="140" alt="313e1cfacbe700e27b6875e49808c52a" src="https://github.com/user-attachments/assets/8873bb54-0f98-41aa-8e7c-a38a245ca428" />

Impact

This primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific "lock files" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.