TensorFlow Python Code Injection: More eval() Woes

Background
The JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform that’s widely used in the industry. The issue has been assigned CVE-2021-41228.
Read more about our previous, similar disclosure in Yamale in our previous blog post.
The injection issue
The issue lies in the saved_model_cli tool, which is used to save a model’s state.
An attacker who can control the contents of the --input_examples argument can provide a malicious input that runs arbitrary Python code.
The underlying issue lies in the preprocess_input_examples_arg_string function:
```python
def preprocess_input_examples_arg_string(input_examples_str):
    input_dict = preprocess_input_exprs_arg_string(input_examples_str)
    ...
```
which calls preprocess_input_exprs_arg_string, which contains the vulnerable call:
```python
def preprocess_input_exprs_arg_string(input_exprs_str):
    input_dict = {}
    for input_raw in filter(bool, input_exprs_str.split(';')):
        ...
        input_key, expr = input_raw.split('=', 1)
        # ast.literal_eval does not work with numpy expressions
        input_dict[input_key] = eval(expr)  # pylint: disable=eval-used
    return input_dict
```
In our case, input_exprs_str is the user’s input coming from the command line argument.
We can see that arbitrary input is flowing to eval, which leads to code injection.
Since the --input_examples option takes only a list of dictionaries, it is unexpected by the end-user (and undocumented by the vendor) that arbitrary input can lead to code injection.
TensorFlow’s fix
The issue was fixed in TensorFlow 2.7.0; we urge anyone using the saved_model_cli tool to upgrade to this version.
Since the --input_examples option should only accept a list of dictionaries, the eval call was replaced with a call to json.loads, which accepts a list of dictionaries and is safe for use with arbitrary unfiltered input.
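The difference between the two parsing strategies, as an added example (not TensorFlow's code and not part of the original post): parse_with_eval mirrors the vulnerable function shown above, while parse_with_json applies the json.loads approach described here. The function names, the CANARY marker and the sample argument strings are constructed for illustration.

```python
import json

CANARY = []  # constructed marker: grows only if input text is executed as code


def parse_with_eval(input_exprs_str):
    """Pre-fix behaviour as shown on the page: each value goes to eval()."""
    input_dict = {}
    for input_raw in filter(bool, input_exprs_str.split(';')):
        input_key, expr = input_raw.split('=', 1)
        input_dict[input_key] = eval(expr)  # executes whatever expr contains
    return input_dict


def parse_with_json(input_examples_str):
    """Approach described on the page: values are parsed as JSON data only."""
    input_dict = {}
    for input_raw in filter(bool, input_examples_str.split(';')):
        if '=' not in input_raw:
            raise ValueError(f"expected <key>=<json>, got {input_raw!r}")
        input_key, expr = input_raw.split('=', 1)
        try:
            examples = json.loads(expr)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{input_key}: not valid JSON ({exc.msg})") from None
        # The option only accepts a list of dictionaries; enforce that shape.
        if not (isinstance(examples, list)
                and all(isinstance(e, dict) for e in examples)):
            raise ValueError(f"{input_key}: expected a list of dictionaries")
        input_dict[input_key] = examples
    return input_dict


def compare(arg):
    """Return (eval_ran_code, json_result_or_rejection) for one argument."""
    CANARY.clear()
    parse_with_eval(arg)
    ran = bool(CANARY)
    try:
        return ran, parse_with_json(arg)
    except ValueError as exc:
        return ran, f"rejected: {exc}"


if __name__ == "__main__":
    # Both argument strings are constructed sample inputs.
    print(compare('examples=[{"age": [22.0], "name": ["x"]}]'))
    print(compare('examples=[{"age": CANARY.append("ran")}]'))
```

The second input is accepted by the eval-based parser, which executes the embedded call as a side effect, and is rejected by the JSON-based parser before any value is produced.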
Can we exploit it remotely?
As mentioned in our previous blog post, these issues might be remotely exploitable (in a reasonable scenario) in the context of a parameter injection attack. See our previous blog post for more details.
Acknowledgements
We would like to thank TensorFlow’s maintainers for validating and fixing the issue in a prompt manner and for responsibly creating a CVE for the issue after the fixed version was available.