Pickle Load on BYOM model load leads to arbitrary code execution

Products Impacted

This vulnerability is present in MindsDB versions v23.3.2.0 or newer.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-502: Deserialization of Untrusted Data

Details

To exploit this vulnerability, an attacker authenticated to a MindsDB instance can create a Python script to train a model on a dataset and make predictions. Within this script, an attacker can include a class to create a malicious pickle object within the method used to train the model. A predict method and describe method can also be defined within the script. The attacker can then use the ‘Upload Custom Model’ feature within the MindsDB UI to upload the script, along with the related requirements.txt file, which would need to contain any libraries required to successfully achieve the exploit. They can then upload the relevant dataset as a file and use the appropriate SQL query to train the model with it.

When the model is trained, it is serialized along with the malicious pickle object due to the use of pickle.dumps within the encode function of the mindsdb/integrations/handlers/byom_handler/proc_wrapper.py file. When a prediction or describe query is run on the model, the relevant method (i.e., predict or describe) is called from within the ModelWrapperSafe class of the mindsdb/integrations/handlers/byom_handler/byom_handler.py file. This is the default behavior that ultimately leads to the calling of the vulnerable decode function of the mindsdb/integrations/handlers/byom_handler/proc_wrapper.py file, which performs pickle.loads to deserialize the model, as shown below:

def decode(encoded):
	return pickle.loads(encoded)

This function will deserialize the model along with the malicious pickle object, leading to any arbitrary code contained within it being executed on the server.