[Python-Dev] Re: 2.3.1

Kurt B. Kaiser kbk@shore.net
Sat, 26 Jul 2003 21:52:17 -0400


"Tim Peters" <tim.one@comcast.net> writes:

>> In thinking about this, however, there *is* one major point which I
>> think needs to be considered. As I understand the issue, IDLE runs as
>> 2 processes which talk via a socket. I assume that it is not possible
>> for this socket to be used by anything *other* than IDLE - in
>> particular, random hackers can't use the open socket as a means of
>> exploit? Such a security hole would, indeed, be a major bug which
>> needs to be addressed.
>
> I don't know the answer, and agree it should be taken seriously.  For
> example, a port that accepts arbitrary Python code and executes it is as
> dangerous as anything I can imagine.  But I haven't studied the new IDLE
> code, and don't know what the risks are.

An open execution server on an external interface is exploitable at the
privilege level of the user which initiated it.

At GvR's request, the connection was reversed so that the execution server
connects to the user's GUI process.

If the local cracker manages to intercept the loopback interface (no external
packets) he can then access IDLE's stdout and stderr streams in the user
GUI.

Once the subprocess makes a connection to the user process, no further
connections are accepted.  In practice this happens within a second of
when the user process spawns the subprocess.

This seems to have limited exploitability.  If further security is
desired, a random number could be passed to the subprocess for
authentication upon connection.

Comments appreciated!

-- 
KBK
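
As an added example, not code from this message or from IDLE itself: a small Python sketch of the loopback handshake described above, where the GUI side accepts exactly one connection and then closes its listener, plus the random-token authentication KBK proposes. The function names, the wire format (token followed by a newline, reply `OK`) and the use of a thread as a stand-in for the subprocess are assumptions of this sketch.

```python
"""Added example (not IDLE's own code): GUI listens on loopback, accepts one
peer, closes the listener, and trusts the peer only if it presents the random
token the GUI generated.  Names and wire format are hypothetical."""
import secrets
import socket
import threading
from typing import Optional, Tuple

TOKEN_BYTES = 16  # 16 random bytes -> 32 hex chars; not guessable in a loopback race


def make_token() -> bytes:
    """Random secret the GUI generates and hands to the subprocess out of band
    (e.g. on its command line or an inherited pipe); here it is a plain argument."""
    return secrets.token_hex(TOKEN_BYTES).encode()


def gui_listen() -> socket.socket:
    """GUI side: bind to 127.0.0.1 only (no external packets), OS-chosen port, backlog 1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _recv_line(conn: socket.socket, limit: int) -> bytes:
    """Read up to `limit` bytes or until a newline; tolerate EOF and timeouts."""
    buf = b""
    while len(buf) < limit:
        try:
            chunk = conn.recv(limit - len(buf))
        except OSError:
            break
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"\n"):
            break
    return buf.rstrip(b"\n")


def gui_accept_one(srv: socket.socket, expected: bytes) -> Tuple[bool, Optional[socket.socket]]:
    """Accept exactly one peer, then close the listener so nothing else can
    connect.  The peer is trusted only if its first line is the expected token
    (constant-time comparison); otherwise the connection is dropped unserved."""
    conn, _addr = srv.accept()
    srv.close()  # no second connection is possible from here on, whatever the outcome
    conn.settimeout(2.0)
    got = _recv_line(conn, len(expected) + 1)
    if secrets.compare_digest(got, expected):
        conn.sendall(b"OK\n")
        return True, conn
    conn.close()
    return False, None


def subprocess_connect(port: int, token: bytes) -> bytes:
    """Execution-server side: connect back to the GUI, present the token, read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        s.sendall(token + b"\n")
        try:
            return s.recv(16)
        except OSError:  # connection reset by a GUI that rejected us
            return b""


def run_handshake(presented: Optional[bytes] = None) -> dict:
    """Drive one GUI/subprocess handshake in-process, using a thread as the
    subprocess.  `presented` defaults to the correct token; pass a wrong value
    to exercise the rejection path."""
    token = make_token()
    srv = gui_listen()
    port = srv.getsockname()[1]
    outcome = {}

    def peer() -> None:
        outcome["reply"] = subprocess_connect(port, token if presented is None else presented)

    t = threading.Thread(target=peer)
    t.start()
    ok, conn = gui_accept_one(srv, token)
    t.join()
    if conn is not None:
        conn.close()
    # The listener is gone after the first accept, so a late connect must be refused.
    try:
        socket.create_connection(("127.0.0.1", port), timeout=0.5).close()
        outcome["second_connect_refused"] = False
    except OSError:
        outcome["second_connect_refused"] = True
    outcome["authenticated"] = ok
    return outcome


if __name__ == "__main__":
    print(run_handshake())            # correct token: authenticated, listener closed
    print(run_handshake(b"0" * 32))   # wrong token: rejected, listener still closed
```

The two properties worth checking are independent: closing the listener right after the first `accept()` bounds the window in which anyone else could connect, and the token check means that even a peer who wins that race gets nothing unless it also knows the secret the GUI handed to its own subprocess.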