Python Unsafe Module Loading

[Ned Ludd <solar () gentoo org>]

Sending this to oss-sec vs vendor-sec cuz I've talked about this problem
in public no less than 10 times on different occasions.

I've been sitting on this bug for a while now and guess I should share
it in an effort so hopefully somebody other than myself can come up with
a patch. Anyway I've not tested pythons from other distros but I'm
pretty sure they all behave the same as Gentoo's.

So for nearly every python based program you can simply dump  *.so *.py
*.pyc files just about anywhere on the file system where an admin might
invoke python.


Example:
strace -o /dev/stdout -eopen python -c 'import string'  | grep -v ^open
\(\"/

This should be empty ^^

solar@media /tmp $ touch re.so
solar@media /tmp $ sudo su -
***************** 
media ~ # cd /tmp/
media tmp # python -c 'import string'
Traceback (most recent call last):
  File "<string>", line 1, in ?
  File "/usr/lib/python2.4/string.py", line 83, in ?
    import re as _re
ImportError: ./re.so: file too short

If that was a real module.. We can guess at what all could be done.

Last time I poked at the source code I found I could trick python to put
zipimport (an internal module) as the first thing in it's sys.path[0]
and all was fine. But when I dug up my old patch and tested it with
newer versions of python it no longer worked as before. Thus the need
for a new patch.

This is the old patch that might give anybody that decides to poke at
this an idea the area of code that needs loving.

http://dev.gentoo.org/~solar/patch_overlay/dev-lang/python/python-2.4.2-zipimport-env.patch


-- 
Ned Ludd <solar () gentoo org>