<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I sent this to the Python security team, and they responded that there are already several public bugs like this one, so I'm forwarding it to full disclosure.<div><br></div><div>The attack is similar to DLL Hijacking, except with Python modules instead.<br><div><br></div><div>(p.s. Yes, I am aware of virtualenv.)<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">Jen Savage <<a href="mailto:savagejen@xxxxxxxxx">savagejen@xxxxxxxxx</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Module import security issue</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">April 25, 2013 12:11:02 AM CDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:security@xxxxxxxxxx">security@xxxxxxxxxx</a><br></span></div><br><div>Hi,<br><br> There seem to be some security problems with the way Python modules are loaded, as a result of the current 
working directory being the first one listed in the Python path. An attacker can replace the intended functionality of a Python application by placing a Python module with the same name as a module the application is using in the application's running directory. Since the first directory in the path is the working directory, it results in that application loading the attacker's module instead of the intended code. This could result in a local privilege escalation if the Python application is executing at a higher privilege level than the one that the attacker currently has.<br><br> Ideally, the Python path would list the working directory last by default instead of listing it first, so that applications would be less likely to run into this problem.<br><br> For a proof of concept, we can replace the functionality of a function that is defined within the io module with one of our own, so we hijack its intended functionality and have it run our code instead. The attached zip file contains this proof of concept. Please note that this attack does not work with any of the built-in modules, such as sys.<br><br>Best Regards,<br>Jennifer Savage<br><br><br></div></blockquote></div></div></div></body></html>
Attachment:
poc.zip
Description: Zip archive
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
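
A defensive check for the issue described in the forwarded message, as an added example that is not part of the original post or its poc.zip: it lists files in a directory whose names collide with standard-library modules and would be loaded first if that directory leads sys.path, and reports whether other users can write to the directory. The function names and the sample directory are constructed for illustration; built-in modules are skipped, matching the message's note that they are not affected.

```python
import os
import sys
import tempfile

# Fallback for interpreters older than 3.10, which lack sys.stdlib_module_names.
_FALLBACK_STDLIB = frozenset({"io", "os", "json", "random", "subprocess", "logging"})
STDLIB = frozenset(getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB))
BUILTIN = frozenset(sys.builtin_module_names)


def shadowing_candidates(directory):
    """Return (module_name, path) pairs in `directory` that would be imported
    instead of a same-named standard-library module if `directory` precedes
    the stdlib on sys.path. Built-in modules are skipped because the
    interpreter resolves them before searching the path."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full) and entry.endswith((".py", ".pyc")):
            name = entry.rsplit(".", 1)[0]
        elif os.path.isdir(full) and os.path.isfile(os.path.join(full, "__init__.py")):
            name = entry
        else:
            continue
        if name in STDLIB and name not in BUILTIN:
            hits.append((name, full))
    return hits


def writable_by_others(directory):
    """True if group or other users may create files in `directory` (POSIX mode bits)."""
    return bool(os.stat(directory).st_mode & 0o022)


def build_sample_dir():
    """Constructed sample: an application directory with one benign file,
    one file named after a stdlib module, and one named after a built-in."""
    d = tempfile.mkdtemp(prefix="shadow_demo_")
    for fname in ("app.py", "json.py", "sys.py"):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("# constructed sample file\n")
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, path in shadowing_candidates(target):
        print("shadows stdlib module %r: %s" % (name, path))
    print("writable by group/other:", writable_by_others(target))
```

Hits are candidates to review, since modules the interpreter already loaded at startup are not resolved again. Running the interpreter with -I (isolated mode), or with -P or PYTHONSAFEPATH=1 on Python 3.11 and later, keeps the script directory and current directory off sys.path.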