Full Report
This past Thursday we spoke at BlackHat USA on Python Pickle. The presentation covered approaches for implementing missing functionality in Pickle, automating the conversion of Python calls into Pickle opcodes, the scenarios in which attacks are possible, and guidelines for writing shellcode. Two tools were released: Converttopickle.py, which automates the conversion of Python-like statements into shellcode, and Anapickle, which helps with the creation of malicious pickles and contains the shellcode library. Lastly, we demonstrated bugs in a library, a piece of security software, typical web apps, peer-to-peer software, and a privesc bug on RHEL6.
Analysis Summary
# Tool/Technique: Python Pickle Exploitation (and associated tools)
## Overview
This entry concerns vulnerabilities and exploitation techniques related to the Python `pickle` serialization format. The presentation covered methods for implementing missing functionality within Pickle, automating the transformation of Python calls into Pickle opcodes, the scenarios in which attacks are possible, and guidelines for shellcode creation. Two tools were released that automate the construction of such payloads.
## Technical Details
- Type: Technique / Tool (Associated)
- Platform: Python environments (any system running a Python application that deserializes untrusted pickles)
- Capabilities: Remote Code Execution (RCE) via deserialization, automated conversion of logic to Pickle opcodes, shellcode generation.
- First Seen: August 2011 (based on the presentation date).
## MITRE ATT&CK Mapping
Since the core issue is deserialization leading to remote code execution:
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.006 - Python
- **TA0004 - Privilege Escalation** (as demonstrated by the RHEL6 privesc bug)
  - T1068 - Exploitation for Privilege Escalation
## Functionality
### Core Capabilities
- **Deserialization Attacks:** Exploiting the nature of Pickle deserialization to execute arbitrary code within the context of the Python interpreter processing the malicious object.
- **Opcode Automation:** Automating the process of converting desired high-level Python execution logic into the specific sequence of Pickle opcodes required to trigger that execution during deserialization.
- **Shellcode Generation/Integration:** Providing means to generate and embed necessary shellcode within the malicious Pickle payloads.
### Advanced Features
- **Tool Integration:**
  - **`Converttopickle.py`:** Automates the conversion of Python-like statements directly into shellcode embedded within the Pickle structure.
  - **`Anapickle`:** Assists in the creation of malicious Pickle objects and contains a built-in shellcode library for easier payload assembly.
- **Vulnerability Demonstration:** Identifying and demonstrating practical exploitation scenarios against various targets, including a library, a piece of security software, typical web applications, peer-to-peer software, and a specific privilege escalation bug on RHEL6.
## Indicators of Compromise
*Note: No specific IoCs exist for the general technique; any indicators would come from the output of the tools.*
- File Hashes: N/A (Tools provided, not malware samples)
- File Names: `Converttopickle.py`, `Anapickle`
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on the serialization mechanism, C2 would depend on the resulting shellcode execution.)
- Behavioral Indicators: Python processes attempting to deserialize data from untrusted sources (e.g., uploaded files, network streams) followed by unexpected system calls or process spawning indicative of executed shellcode.
## Associated Threat Actors
The tools were released by SensePost researchers (Marco) following research presented at BlackHat 2011. No nation-state or established threat-group affiliation is noted, though the techniques are generally applicable to any attacker exploiting insecure application deserialization.
## Detection Methods
- Signature-based detection: Signatures targeting the specific malicious Pickle opcodes or constants used by these tools might be possible if the generated payloads differ significantly from benign usage.
- Behavioral detection: Monitoring Python processes for unexpected system interactions immediately following the deserialization of external Pickle data.
- YARA rules: Potentially developable for the `Anapickle` tool if its specific shellcode library leaves recognizable artifacts within generated files.
## Mitigation Strategies
- **Input Validation/Trust:** Never unpickle data received from untrusted or unauthenticated sources. The primary mitigation is treating serialized data as inherently untrustworthy.
- **Secure Deserialization:** Use safer serialization formats (e.g., JSON, XML with careful validation) instead of Pickle when dealing with external data.
- **Sandboxing/Least Privilege:** Run Python processes that handle deserialization with the absolute minimum necessary privileges.
- **Patching:** Address the vulnerabilities demonstrated in third-party libraries, web applications, and operating system components (such as the RHEL6 privilege escalation bug shown in the talk).
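As an added example (not code from the talk or its tools) covering both the detection and mitigation points above: a static scan with the standard-library `pickletools` flags the opcodes that can import or call code without ever loading the stream, and a restricted `Unpickler` refuses every global lookup so plain-data pickles still load while anything that references a callable is rejected. The sample pickles are constructed inline; the "malicious" one only references the harmless `os.getcwd` to stand in for whatever a real payload would call.

```python
import io
import pickle
import pickletools

# Opcodes that can import or call arbitrary callables during pickle.load();
# plain data (dicts, lists, strings, numbers) never needs any of them.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}

def scan_pickle(data: bytes) -> list:
    """Statically list (offset, opcode name) for dangerous opcodes, without loading."""
    return [(pos, op.name) for op, _arg, pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPCODES]

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so no callable can be resolved."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def safe_load(data: bytes):
    """Return (True, obj) for plain-data pickles, (False, reason) otherwise."""
    hits = scan_pickle(data)
    if hits:
        return False, f"dangerous opcodes at {hits}"
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed samples: benign plain data, and an object whose __reduce__ makes
# load() call a function (os.getcwd here, harmless, in place of a real payload).
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})

class _ReduceToCall:
    def __reduce__(self):
        import os
        return (os.getcwd, ())

CALLS_FUNCTION = pickle.dumps(_ReduceToCall())

if __name__ == "__main__":
    print(scan_pickle(CALLS_FUNCTION))   # e.g. [(n, 'STACK_GLOBAL'), (m, 'REDUCE')]
    print(safe_load(BENIGN))             # (True, {'user': 'alice', 'roles': ['reader']})
    print(safe_load(CALLS_FUNCTION))     # (False, 'dangerous opcodes at [...]')
```

The opcode scan is a useful gate on uploaded or network-received pickles because it never executes anything; the restricted unpickler is the defence-in-depth step for the case where loading is unavoidable.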
## Related Tools/Techniques
- Insecure Deserialization (OWASP Top 10)
- Java serialization exploits (e.g., exploiting `readObject`)
- YAML deserialization attacks