CVE-2024-27322: Deserialization vulnerability in R before 4.4.0

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://hiddenlayer.com/research/r-bitrary-code-execution/ reports:

> HiddenLayer researchers have discovered a vulnerability, CVE-2024-27322,
> in the R programming language that allows for arbitrary code execution by
> deserializing untrusted data. This vulnerability can be exploited through
> the loading of RDS (R Data Serialization) files or R packages, which are often
> shared between developers and data scientists. An attacker can create
> malicious RDS files or R packages containing embedded arbitrary R code that
> executes on the victim’s target device upon interaction.

[...]

> Our team discovered that it is possible to craft a malicious RDS file that
> will execute arbitrary code when loaded and referenced. This vulnerability,
> assigned CVE-2024-27322, involves the use of promise objects and lazy
> evaluation in R.

[...]

> After some research, we found that if we created a promise where instead of
> setting a symbol, we set an unbounded value, we could create a payload that
> would run the expression when the promise was accessed:
>
> Opcode(TYPES.PROMSXP, 0, False, False, False,None,False),
> Opcode(TYPES.UNBOUNDVALUE_SXP, 0, False, False, False,None,False),
> Opcode(TYPES.LANGSXP, 0, False, False, False,None,False),
> Opcode(TYPES.SYMSXP, 0, False, False, False,None,False),
> Opcode(TYPES.CHARSXP, 64, False, False, False,"system",False),
> Opcode(TYPES.LISTSXP, 0, False, False, False,None,False),
> Opcode(TYPES.STRSXP, 0, False, False, False,1,False),
> Opcode(TYPES.CHARSXP, 64, False, False, False,'echo "pwned by HiddenLayer"',False),
> Opcode(TYPES.NILVALUE_SXP, 0, False, False, False,None,False),
>
> Once the malicious file has been created and loaded by R, the exploit will
> run no matter how the variable is referenced

[...]

> R’s serialization and deserialization process, which is used in the process of
> creating and loading RDS files and packages, has an arbitrary code execution
> vulnerability. An attacker can exploit this by crafting a file in RDS format
> that contains a promise instruction setting the value to unbound_value and the
> expression to contain arbitrary code. Due to lazy evaluation, the expression
> will only be evaluated and run when the symbol associated with the RDS file is
> accessed. Therefore if this is simply an RDS file, when a user assigns it a
> symbol (variable) in order to work with it, the arbitrary code will be
> executed when the user references that symbol. If the object is compiled
> within an R package, the package can be added to an R repository such as CRAN,
> and the expression will be evaluated and the arbitrary code run when a user
> loads that package.
>
> Given the widespread usage of R and the readRDS function, the implications of
> this are far-reaching. Having followed our responsible disclosure process, we
> have worked closely with the team at R who have worked quickly to patch this
> vulnerability within the most recent release – R v4.4.0.

https://stat.ethz.ch/pipermail/r-announce/2024/000701.html on April 24 announced
the release of R 4.4.0 but does not mention the CVE id in the list of fixes.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris