| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Apr 2013 16:24:55 -0500 From: Jen Savage <savagejen@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Fwd: Module import security issue I sent this to the python security team, and they responded that there are already several public bugs like this one, so I'm forwarding it to full disclosure. The attack is similar to DLL Hijacking, except with python modules instead. (p.s. Yes, I am aware of virtualenv.) Begin forwarded message: > From: Jen Savage <savagejen@...il.com> > Subject: Module import security issue > Date: April 25, 2013 12:11:02 AM CDT > To: security@...hon.org > > Hi, > > There seems to be some security problems with the way python modules are loaded, as a result of the current working directory being the first one listed in the python path. An attacker can replace the intended functionality of a python application by placing a python module with the same name as a module the application is using in the application's running directory. Since the first directory in the path is the working directory, it results in that application loading the attacker's module instead of the intended code. This could result in a local privilege escalation if the python application is executing at a higher privilege level than the one that the attacker currently has. > > Ideally, the python path would list the working directory last by default instead of listing it first, so that applications would be less likely to run into this problem. > > For a proof of concept, we can replace the functionality of a function that is defined within the io module with one of our own, so we hijack its intended functionality and have it run our code instead. The attached zip file contains this proof of concept. Please note that this attack does not work with any of the built in modules, such as sys. > > Best Regards, > Jennifer Savage > > > Content of type "text/html" skipped Download attachment "poc.zip" of type "application/zip" (383 bytes) Content of type "text/html" skipped Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists