[New-bugs-announce] [issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape

Sergey G. Brester report at bugs.python.org
Fri Aug 24 15:44:10 EDT 2018

New submission from Sergey G. Brester <serg.brester at sebres.de>:

There is a vulnerability "insufficient escape of special chars for quoting of arguments by exec process" for python-language, if executing windows batch-files (bat/cmd).

### What version of python is affected?

### Does this issue reproduce with the latest master?

### What did you do?
Execution of batch-file using `subprocess` module with arguments containing some special meta-characters.

A recipe for reproducing the error as well as more extensive PoC with additional info (and more lang's affected also):
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/README.md
A complete runnable program:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/test-dump-inv.py

#### A simple example:
 # invoke exe-file:
 >>> import subprocess
 >>> subprocess.call(['test-dump.exe', 'test&whoami'])
+    `test-dump.exe´ `test&whoami´
 # invoke cmd-file:
 >>> subprocess.call(['test-dump.CMD', 'test&whoami'])
-    `test-dump.exe´ `test´my_domain\sebres
For more "broken" cases, see the result of my test-suite:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/results/python.diff

### What did you expect to see?
Arguments are escaped/quoted properly.

### What did you see instead?
Arguments are insufficient escaped/quoted, so it is vulnerable currently.

### Solution:

For possible solution see the github-PR#8906:
- https://github.com/python/cpython/pull/8906 
For algorithm description:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/SOLUTION.md
resp. how it was fixed in TCL (C-code):
- https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch&to=0-day-21b0629c81 (see the function `BuildCommandLine`)

### Possible similar issues:

components: Library (Lib), Windows
messages: 324013
nosy: paul.moore, sebres, steve.dower, tim.golden, zach.ware
priority: normal
pull_requests: 8376
severity: normal
status: open
title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list