[Python-Dev] Re: 2.3.1
Sun, 27 Jul 2003 01:17:51 -0400
[Kurt B. Kaiser]
> An open execution server on an external interface is exploitable at
> the privilege level of the user which initiated it.
Noting that Win9X systems offer no protection in this sense, then (there
aren't any privilege levels -- anyone can do anything).
> At GvR request, the connection was reversed so that the execution
> server connects to the user's GUI process.
> If the local cracker manages to intercept the loopback interface
> (no external packets) he can then access IDLE's stdout and stderr
> streams in the user GUI.
> Once the subprocess makes a connection to the user process, no further
> connections are accepted. In practice this happens within a second of
> when the user process spawns the subprocess.
I'm not sure I understand this claim. I just brought up IDLE. Now in a
separate DOS box:
>>> addr = 'localhost', 8833
>>> import time
>>> time.sleep(5) # more than 1 second <wink>
>>> import socket
>>> s = socket.socket()
Was that connection expected?
> This seems to have limited exploitablility. If further security is
> desired, a random number could be passed to the subprocess for
> authentication upon connection.
I suppose a randomized port number could be used too. I'm not worried --
but I tend not to worry much about such things.
if-i-did-i-wouldn't-be-running-windows-ly y'rs - tim