oss-sec mailing list archives
Python Unsafe Module Loading
From: Ned Ludd <solar () gentoo org>
Date: Wed, 04 Jun 2008 08:34:53 -0700
Sending this to oss-sec vs vendor-sec cuz I've talked about this problem in public no less than 10 times on different occasions. I've been sitting on this bug for a while now and guess I should share it in an effort so hopefully somebody other than myself can come up with a patch. Anyway I've not tested pythons from other distros but I'm pretty sure they all behave the same as Gentoo's.

So for nearly every python based program you can simply dump *.so *.py *.pyc files just about anywhere on the file system where an admin might invoke python.

Example:

strace -o /dev/stdout -eopen python -c 'import string' | grep -v ^open\(\"/

This should be empty ^^

solar@media /tmp $ touch re.so
solar@media /tmp $ sudo su -
*****************
media ~ # cd /tmp/
media tmp # python -c 'import string'
Traceback (most recent call last):
  File "<string>", line 1, in ?
  File "/usr/lib/python2.4/string.py", line 83, in ?
    import re as _re
ImportError: ./re.so: file too short

If that was a real module.. We can guess at what all could be done.

Last time I poked at the source code I found I could trick python to put zipimport (an internal module) as the first thing in its sys.path[0] and all was fine. But when I dug up my old patch and tested it with newer versions of python it no longer worked as before. Thus the need for a new patch.

This is the old patch that might give anybody that decides to poke at this an idea of the area of code that needs loving.

http://dev.gentoo.org/~solar/patch_overlay/dev-lang/python/python-2.4.2-zipimport-env.patch

--
Ned Ludd <solar () gentoo org>
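The post's point is that an interpreter run by an administrator will search the current working directory (the empty string in sys.path) and any other search-path entry before the standard library, so a directory that other local users can write to becomes a module source. The following is an added example written for this archive page, not code from the post or from Python's own tree: an audit routine a defender can run before invoking Python with elevated privileges. It assumes a POSIX file system and treats a directory as untrusted when it is group- or world-writable, or owned by an unprivileged user other than the caller; the temporary directories it builds at the bottom are constructed for demonstration only.

```python
"""Audit sys.path for entries that other local users could write to."""
import os
import shutil
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if `path` is a directory another local user could plant a file in.

    The sticky bit on /tmp does not help: it stops users deleting each other's
    files but not creating new ones, so a sticky world-writable /tmp still lets
    anyone drop a re.so that shadows the standard library.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False  # a missing entry cannot supply a module
    if not stat.S_ISDIR(st.st_mode):
        return False  # zip archives and other non-directories are out of scope
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    # Owned by neither root nor the caller: the owner can replace its contents.
    return st.st_uid not in (0, os.getuid())


def audit_path(entries, cwd=None):
    """Return [(entry, resolved_dir)] for every untrusted entry.

    '' in sys.path means the current working directory, which is exactly the
    case in the post: python invoked from /tmp as root picks up ./re.so.
    """
    cwd = os.getcwd() if cwd is None else cwd
    findings = []
    for entry in entries:
        resolved = cwd if entry == "" else entry
        if writable_by_others(resolved):
            findings.append((entry, resolved))
    return findings


def hardened_path(entries, cwd=None):
    """Return a copy of `entries` with every untrusted entry removed.

    Assigning the result to sys.path early in a privileged script is the
    mitigation this check supports; it does not fix the interpreter itself.
    """
    bad = {entry for entry, _ in audit_path(entries, cwd)}
    return [entry for entry in entries if entry not in bad]


def demo():
    """Constructed scenario: one world-writable (sticky, like /tmp) directory and
    one private directory, with the cwd set to the shared one as in the post.
    Returns (flagged_entries, kept_entries)."""
    base = tempfile.mkdtemp()  # created 0700, owned by the caller
    try:
        shared = os.path.join(base, "shared")
        private = os.path.join(base, "private")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        os.mkdir(private)
        os.chmod(private, 0o755)
        entries = ["", shared, private]
        flagged = [entry for entry, _ in audit_path(entries, cwd=shared)]
        kept = hardened_path(entries, cwd=shared)
        return flagged, kept
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for entry, resolved in audit_path(sys.path):
        print("untrusted sys.path entry %r -> %s" % (entry, resolved))
    print("demo:", demo())
```

In the constructed scenario the empty entry and the shared directory are flagged and only the private directory survives. Current interpreters also offer a command-line mitigation the 2008 post predates: `python -I` (isolated mode, Python 3.4 and later) leaves the script directory and the current working directory out of sys.path and ignores the PYTHON* environment variables, which is the behaviour an administrator wants when running scripts from an untrusted directory.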