Message-Id: <8997BADB-CEDF-43A0-910F-20C6219235CC@gmail.com>
Date: Thu, 25 Apr 2013 16:24:55 -0500
From: Jen Savage <savagejen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: Module import security issue
I sent this to the python security team, and they responded that there are already several public bugs like this one, so I'm forwarding it to full disclosure.
The attack is similar to DLL Hijacking, except with python modules instead.
(p.s. Yes, I am aware of virtualenv.)
Begin forwarded message:
> From: Jen Savage <savagejen@...il.com>
> Subject: Module import security issue
> Date: April 25, 2013 12:11:02 AM CDT
> To: security@...hon.org
>
> Hi,
>
> There seems to be some security problems with the way python modules are loaded, as a result of the current working directory being the first one listed in the python path. An attacker can replace the intended functionality of a python application by placing a python module with the same name as a module the application is using in the application's running directory. Since the first directory in the path is the working directory, it results in that application loading the attacker's module instead of the intended code. This could result in a local privilege escalation if the python application is executing at a higher privilege level than the one that the attacker currently has.
>
> Ideally, the python path would list the working directory last by default instead of listing it first, so that applications would be less likely to run into this problem.
>
> For a proof of concept, we can replace the functionality of a function that is defined within the io module with one of our own, so we hijack its intended functionality and have it run our code instead. The attached zip file contains this proof of concept. Please note that this attack does not work with any of the built in modules, such as sys.
>
> Best Regards,
> Jennifer Savage
>
Download attachment "poc.zip" of type "application/zip" (383 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
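The check a defender would want, as an added example that is my own code and not the poster's poc.zip: for a CPython process, `sys.path[0]` is the directory of the script being run, or an empty string (meaning the current working directory) when Python is started interactively, with `-c` or with `-m`; Python 3.11 and later can omit that entry at startup with `python -P` or `PYTHONSAFEPATH=1`, visible as `sys.flags.safe_path`. The functions below audit a search path for entries an unprivileged local user could write to, list which directory would satisfy a given `import` first, and return a copy of the path with the working-directory entry removed. Modules that are already imported, compiled into the interpreter (like `sys`) or frozen never reach the `sys.path` search, which is why the poster notes the attack does not apply to built-ins. The `demo()` scenario, with a stray `io.py` in a scratch directory, is constructed; the world-writable check reads POSIX permission bits and is a no-op assumption on Windows.

```python
"""Audit a Python module search path for shadowing risk (added example)."""
import os
import stat
import sys
import tempfile
from importlib.machinery import FrozenImporter


def _resolve(entry):
    """A sys.path entry of '' means the current working directory."""
    return os.getcwd() if entry == "" else os.path.abspath(entry)


def resolved_before_path(module_name):
    """True if `import module_name` never consults sys.path at all: the module
    is already in sys.modules, built into the interpreter, or frozen."""
    return (module_name in sys.modules
            or module_name in sys.builtin_module_names
            or FrozenImporter.find_spec(module_name) is not None)


def shadow_candidates(module_name, search_path):
    """Return (index, file) for every search_path directory holding a file or
    package that would satisfy `import module_name`, in search order.  For a
    module not covered by resolved_before_path(), the first hit is what the
    path-based finder would load."""
    hits = []
    for index, entry in enumerate(search_path):
        directory = _resolve(entry)
        for candidate in (os.path.join(directory, module_name + ".py"),
                          os.path.join(directory, module_name, "__init__.py")):
            if os.path.isfile(candidate):
                hits.append((index, candidate))
                break
    return hits


def risky_entries(search_path):
    """Entries a local user may control: the working directory, and directories
    that are world-writable without the sticky bit (POSIX mode bits; on
    Windows st_mode carries no such information, so nothing is flagged)."""
    risky = []
    cwd = os.getcwd()
    for index, entry in enumerate(search_path):
        directory = _resolve(entry)
        if entry == "" or directory == cwd:
            risky.append((index, directory, "current working directory"))
            continue
        try:
            mode = os.stat(directory).st_mode
        except OSError:
            continue  # missing entry: nothing can be loaded from it
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            risky.append((index, directory, "world-writable"))
    return risky


def hardened_path(search_path):
    """Copy of search_path without the working-directory entries.  Python 3.11+
    does the same at startup with `python -P` or PYTHONSAFEPATH=1."""
    cwd = os.getcwd()
    return [e for e in search_path if e != "" and os.path.abspath(e) != cwd]


def demo():
    """Constructed scenario: an io.py in a scratch directory that sits ahead of
    the standard library on the search path."""
    stdlib_dir = os.path.dirname(os.__file__)
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "io.py"), "w") as fh:
            fh.write("# constructed stand-in for the stdlib io module\n")
        path = [scratch, stdlib_dir]
        hits = shadow_candidates("io", path)
        return {
            "first_hit_is_scratch": os.path.dirname(hits[0][1]) == scratch,
            "stdlib_also_found": len(hits) == 2,
            "sys_protected": resolved_before_path("sys"),
            "cwd_removed": "" not in hardened_path(["", scratch]),
        }


if __name__ == "__main__":
    print(demo())
    print("safe_path flag:", getattr(sys.flags, "safe_path", False))
    for index, directory, why in risky_entries(sys.path):
        print(f"sys.path[{index}] = {directory!r}: {why}")
```

Run it from a directory you do not control and the last loop prints the entries worth worrying about; an empty result together with a true `safe_path` flag is the state a privileged Python service should be started in.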
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/