Hello everyone! Today I would like to share one of the very first vulnerabilities that I discovered (and got paid for) when I started working as a vulnerability researcher.
Behave seemed like a cool repository, and since I love Python I decided to poke around in it. Step 1 was understanding what behavior-driven development (BDD) is and how behave itself works. Then it was time to fork the repo and scan it with my favourite SAST tool, Snyk.
Sure enough, I got a bunch of hits. I waded through them all, eliminating false positives and low-severity issues, until I stumbled upon something that looked promising: the convert_i18n_yaml.py script.
This vulnerability is a classic example of CWE-502, Deserialization of Untrusted Data. In our case it comes from behave calling yaml.load without specifying a loader, and without pinning a PyYAML version in which that call is safe.
In PyYAML versions before 5.1, yaml.load with no loader argument falls back to the full yaml.Loader, which can construct arbitrary Python objects, including calls to arbitrary functions, from tags in the document. (5.1 started emitting a warning for the loader-less call, and 6.0 made the Loader argument mandatory.) This default has been the cause of many similar deserialization vulnerabilities, and the PyYAML wiki has a warning dedicated to it.
Let's assume an application uses an older version of PyYAML such as 3.13. An attacker can craft a malicious YAML file and pass it to convert_i18n_yaml.py. Because of the unsafe deserialization, the Python callable named in the YAML file is invoked while the file is being parsed, before the script ever looks at the resulting data.
Here's a more practical example.

Create a malicious YAML file, evil_i18n.yml, containing:

    !!python/object/apply:os.system ["ls -la"]

Run convert_i18n_yaml.py with the malicious file:

    python convert_i18n_yaml.py --data=evil_i18n.yml i18n.py

This will execute the ls -la command on the server!
The simplest way to fix this vulnerability is to use yaml.safe_load, and that was also the official fix. Behave has since deprecated this file and removed it in newer versions.
To all of you out there using yaml.load: please stop. Use yaml.safe_load. If you must use yaml.load, pass an explicit loader such as yaml.SafeLoader, and, better yet, upgrade to PyYAML 6.0 or later, where yaml.load refuses to run without one.
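To make the exploit and the fix concrete, here is an added example; it is my own code, not part of the original post or of behave's repository. The constructed document below uses the same !!python/object/apply tag as evil_i18n.yml above, but names os.getcwd instead of os.system so the proof is harmless and its result can be checked. load_unsafe reproduces what the old script did (yaml.load with no loader on PyYAML before 5.1 behaves exactly like the full yaml.Loader), and load_safe is the fix. The function and variable names are assumptions of this example.

```python
import os
import yaml
from yaml.constructor import ConstructorError

# Constructed attacker input (not a real behave i18n file). The tag names a
# Python callable and the flow sequence holds its positional arguments, exactly
# like the os.system payload in the post; os.getcwd is used here only so the
# side effect is harmless and verifiable.
EVIL_I18N_YAML = """\
en:
  feature: !!python/object/apply:os.getcwd []
  scenario: Scenario
"""


def load_unsafe(text: str):
    """The vulnerable pattern. yaml.Loader is the full loader that constructs
    arbitrary Python objects; before PyYAML 5.1, yaml.load(text) with no
    Loader= argument fell back to exactly this loader."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """The fix: safe_load (equivalently yaml.load with Loader=yaml.SafeLoader)
    only builds str, int, float, bool, list, dict, datetime and null values,
    and rejects every python/* tag."""
    return yaml.safe_load(text)


def demo() -> dict:
    """Load the same document both ways and report what happened."""
    result = {}

    unsafe = load_unsafe(EVIL_I18N_YAML)
    # The tagged node is not a string any more: os.getcwd() really ran during
    # deserialisation, before the caller had any chance to validate the data.
    result["unsafe_ran_code"] = unsafe["en"]["feature"] == os.getcwd()
    result["untagged_value"] = unsafe["en"]["scenario"]

    try:
        load_safe(EVIL_I18N_YAML)
        result["safe_rejected"] = False
    except ConstructorError as exc:
        # safe_load fails closed with "could not determine a constructor for
        # the tag 'tag:yaml.org,2002:python/object/apply:os.getcwd'".
        result["safe_rejected"] = True
        result["safe_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Swap os.getcwd for os.system and the argument list for ["ls -la"] and load_unsafe does what the post describes; load_safe still raises the same ConstructorError, because the safe loader never resolves Python names at all.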
If you read this far, Thank you! I hope you enjoyed it. Happy Hunting~