[<prev] [next>] [thread-next>] [month] [year] [list]
Date: Wed, 04 Jun 2008 08:34:53 -0700
From: Ned Ludd <solar@...too.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Python Unsafe Module Loading
Sending this to oss-sec vs vendor-sec cuz I've talked about this problem
in public no less than 10 times on different occasions.
I've been sitting on this bug for a while now and guess I should share
it in an effort so hopefully somebody other than myself can come up with
a patch. Anyway I've not tested pythons from other distros but I'm
pretty sure they all behave the same as Gentoo's.
So for nearly every python based program you can simply dump *.so *.py
*.pyc files just about anywhere on the file system where an admin might
invoke python.
Example:
strace -o /dev/stdout -eopen python -c 'import string' | grep -v ^open
\(\"/
This should be empty ^^
solar@...ia /tmp $ touch re.so
solar@...ia /tmp $ sudo su -
*****************
media ~ # cd /tmp/
media tmp # python -c 'import string'
Traceback (most recent call last):
File "<string>", line 1, in ?
File "/usr/lib/python2.4/string.py", line 83, in ?
import re as _re
ImportError: ./re.so: file too short
If that was a real module.. We can guess at what all could be done.
Last time I poked at the source code I found I could trick python to put
zipimport (an internal module) as the first thing in it's sys.path[0]
and all was fine. But when I dug up my old patch and tested it with
newer versions of python it no longer worked as before. Thus the need
for a new patch.
This is the old patch that might give anybody that decides to poke at
this an idea the area of code that needs loving.
http://dev.gentoo.org/~solar/patch_overlay/dev-lang/python/python-2.4.2-zipimport-env.patch
--
Ned Ludd <solar@...too.org>
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux