
List:       full-disclosure
Subject:    [Full-disclosure] Fwd: Module import security issue
From:       Jen Savage <savagejen () gmail ! com>
Date:       2013-04-25 21:24:55
Message-ID: 8997BADB-CEDF-43A0-910F-20C6219235CC () gmail ! com

I sent this to the python security team, and they responded that there are already several public bugs like this one, so I'm forwarding it to full disclosure.

The attack is similar to DLL Hijacking, except with python modules instead.

(p.s. Yes, I am aware of virtualenv.)

Begin forwarded message:

> From: Jen Savage <savagejen@gmail.com>
> Subject: Module import security issue
> Date: April 25, 2013 12:11:02 AM CDT
> To: security@python.org
> 
> Hi,
> 
> There seem to be some security problems with the way python modules are loaded, as a result
> of the current working directory being the first one listed in the python path. An attacker
> can replace the intended functionality of a python application by placing a python module
> with the same name as a module the application is using in the application's running
> directory. Since the first directory in the path is the working directory, it results in that
> application loading the attacker's module instead of the intended code. This could result in
> a local privilege escalation if the python application is executing at a higher privilege
> level than the one that the attacker currently has.
>
> Ideally, the python path would list the working directory last by default instead of listing
> it first, so that applications would be less likely to run into this problem.
>
> For a proof of concept, we can replace the functionality of a function that is defined within
> the io module with one of our own, so we hijack its intended functionality and have it run
> our code instead. The attached zip file contains this proof of concept. Please note that this
> attack does not work with any of the built-in modules, such as sys.
>
> Best Regards,
> Jennifer Savage
> 
> 
> 
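
The mechanism the forwarded report describes is the import system's path search order: for `python script.py` the first entry of `sys.path` is the script's directory, and for `python -c`, `python -m` and the interactive prompt it is `''`, the current working directory, so a same-named `.py` file there wins over the standard library and site-packages. The following is an added example, not the poster's PoC and not CPython project code, written from the defender's side: it scans a directory that will sit at `sys.path[0]` for files that shadow standard-library names, resolves where a given module name would be loaded from without executing it (using `importlib.machinery.PathFinder`), and applies the ordering the post proposes, moving the working directory to the end of the search path. The module name `appmod`, the directory names and the file contents are constructed for the demonstration.

```python
"""Added example: detect and demote working-directory module shadowing.

Not part of the original post. Module names, directories and file contents
below are constructed for the demonstration.
"""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile


def is_stdlib_name(name):
    """True if `name` is a top-level standard-library (or built-in) module."""
    known = getattr(sys, "stdlib_module_names", None)  # available on Python 3.10+
    if known is not None:
        return name in known
    # Fallback for older interpreters: built-in names, then the stdlib directory.
    if name in sys.builtin_module_names:
        return True
    stdlib_dir = [sysconfig.get_paths()["stdlib"]]
    return importlib.machinery.PathFinder.find_spec(name, stdlib_dir) is not None


def shadowing_files(directory):
    """Stems of .py files in `directory` that would shadow a stdlib module.

    Run this against whatever directory ends up at sys.path[0]: the script's
    directory, or the CWD for `python -c`, `python -m` and the REPL.
    """
    hits = []
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry)
        if ext == ".py" and is_stdlib_name(stem):
            hits.append(stem)
    return hits


def resolve_origin(name, search_path):
    """File the import system would load `name` from for this search path.

    Uses the same path-based finder as `import`, but never executes the module,
    so it is safe to run against a directory you do not trust.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, list(search_path))
    return None if spec is None else spec.origin


def demote(search_path, untrusted_dirs):
    """Return `search_path` with '' and `untrusted_dirs` moved to the end.

    This is the ordering the post asks for: the working directory is still
    searched, but only after the interpreter's own locations.
    """
    untrusted = {os.path.realpath(p) for p in untrusted_dirs}

    def is_untrusted(entry):
        return entry == "" or os.path.realpath(entry) in untrusted

    return ([p for p in search_path if not is_untrusted(p)]
            + [p for p in search_path if is_untrusted(p)])


def demo():
    """Plant a look-alike module in a fake working directory and compare orders."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "site-packages")  # constructed: real module's home
        workdir = os.path.join(tmp, "cwd")            # constructed: writable working dir
        os.makedirs(trusted)
        os.makedirs(workdir)
        with open(os.path.join(trusted, "appmod.py"), "w") as f:
            f.write("VERSION = 'trusted'\n")
        with open(os.path.join(workdir, "appmod.py"), "w") as f:
            f.write("VERSION = 'planted'\n")
        with open(os.path.join(workdir, "io.py"), "w") as f:
            f.write("# constructed look-alike of the stdlib io module\n")

        default_order = [workdir, trusted]            # working directory first
        hardened_order = demote(default_order, [workdir])
        return {
            "shadowed_stdlib": shadowing_files(workdir),
            "default_picks_cwd": resolve_origin("appmod", default_order).startswith(workdir),
            "hardened_picks_cwd": resolve_origin("appmod", hardened_order).startswith(workdir),
        }


if __name__ == "__main__":
    print(demo())
```

`demote()` is the in-process equivalent of the reordering the post proposes and is what you would apply to `sys.path` at the top of a privileged script on older interpreters. On Python 3.4 and later, `python -I` (isolated mode) starts without the script directory or CWD on `sys.path` at all, and Python 3.11 added `-P` / `PYTHONSAFEPATH` to omit that single entry while leaving the rest of the environment alone; for a privileged script, the omission is the safer choice, since a demoted working directory can still supply modules that nothing else provides.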


["poc.zip" (poc.zip): binary zip archive containing io.py and poc.py; contents not reproduced here]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
