List:       full-disclosure
Subject:    [Full-disclosure] Fwd: Module import security issue
From:       Jen Savage <savagejen () gmail ! com>
Date:       2013-04-25 21:24:55
Message-ID: 8997BADB-CEDF-43A0-910F-20C6219235CC () gmail ! com

I sent this to the python security team, and they responded that there are already several public bugs like this one, so I'm forwarding it to full disclosure.

The attack is similar to DLL Hijacking, except with python modules instead.

(p.s. Yes, I am aware of virtualenv.)

Begin forwarded message:

> From: Jen Savage <savagejen@gmail.com>
> Subject: Module import security issue
> Date: April 25, 2013 12:11:02 AM CDT
> To: security@python.org
>
> Hi,
>
> There seem to be some security problems with the way python modules are loaded, as a result of the current working directory being the first one listed in the python path. An attacker can replace the intended functionality of a python application by placing a python module with the same name as a module the application is using in the application's running directory. Since the first directory in the path is the working directory, it results in that application loading the attacker's module instead of the intended code. This could result in a local privilege escalation if the python application is executing at a higher privilege level than the one that the attacker currently has.
>
> Ideally, the python path would list the working directory last by default instead of listing it first, so that applications would be less likely to run into this problem.
>
> For a proof of concept, we can replace the functionality of a function that is defined within the io module with one of our own, so we hijack its intended functionality and have it run our code instead.
> The attached zip file contains this proof of concept. Please note that this attack does not work with any of the built in modules, such as sys.
>
> Best Regards,
> Jennifer Savage

["poc.zip" (poc.zip)]
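The import-order behaviour described in the message, next to the interpreter's isolated mode, as an added example that is not part of the original message or of poc.zip. When a script file is run, the first `sys.path` entry is the directory containing that script; the example plants harmless marker modules there and asks a fresh interpreter which copy it loaded. The file names `app.py`, the `SHADOW` marker and the choice of `colorsys` as the stand-in module are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed application: imports one pure-Python stdlib module and one
# built-in module, then reports which copy of each it actually received.
APP = (
    "import colorsys, sys\n"
    "for mod in (colorsys, sys):\n"
    "    print(mod.__name__, 'shadow' if hasattr(mod, 'SHADOW') else 'genuine')\n"
)


def import_origins(interpreter_flags=()):
    """Run APP in a fresh interpreter from a directory that also contains
    same-named module files; return {module_name: 'shadow' | 'genuine'}."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        (app_dir / "app.py").write_text(APP)
        # Harmless stand-ins for planted modules: they only define a marker.
        for name in ("colorsys", "sys"):
            (app_dir / f"{name}.py").write_text("SHADOW = True\n")
        # Drop PYTHONSAFEPATH so the default run shows the stock behaviour.
        env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
        result = subprocess.run(
            [sys.executable, *interpreter_flags, str(app_dir / "app.py")],
            capture_output=True, text=True, check=True, env=env,
        )
    return dict(line.split() for line in result.stdout.splitlines())


if __name__ == "__main__":
    # Default: the script's directory is sys.path[0], so colorsys.py wins.
    print("default :", import_origins())
    # -I (isolated mode) leaves the script's directory out of sys.path.
    print("isolated:", import_origins(["-I"]))
```

On Python 3.11 and later, `-P` or `PYTHONSAFEPATH=1` removes only that first path entry without the other effects of `-I`.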