classification
Title: ctypes.util , Shell Injection in find_library()
Type: security Stage:
Components: ctypes Versions: Python 3.4, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: avoid using a shell in ctypes.util: replace os.popen with subprocess
View: 22636
Assigned To: Nosy List: TheRegRunner, martin.panter, xnox
Priority: normal Keywords: patch

Created on 2015-11-27 20:19 by TheRegRunner, last changed 2015-12-01 01:54 by martin.panter. This issue is now closed.

Files
File name Uploaded Description Edit
workaround.diff TheRegRunner, 2015-11-27 20:19 patch
Messages (6)
msg255482 - (view) Author: Bernd Dietzel (TheRegRunner) Date: 2015-11-27 20:19
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt


https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068
msg255523 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-28 03:29
There is a patch at Issue 22636 which looks like it replaces all five os.popen() calls.
msg255524 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-28 03:31
Your Ubuntu link seems broken, or is that a private report?
msg255539 - (view) Author: Bernd Dietzel (TheRegRunner) Date: 2015-11-28 12:30
i made the ubuntu link readable for everyone.
msg255633 - (view) Author: Dimitri John Ledkov (xnox) * Date: 2015-12-01 01:10
Whilst fixed in 3.5, it is not fixed in 2.7. And the reporter believes this is a security vulnerability.

Can this be cherry-picked into the 2.7 branch?
msg255634 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-12-01 01:54
I do not believe 3.5 is fixed either:

$ python3.5
Python 3.5.0 (default, Sep 20 2015, 11:28:25) 
[GCC 5.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes.util
>>> ctypes.util.find_library("; echo Hello shell >&2")
Hello shell
>>> 

Issue 22636 has a patch with some review comments, but is is still open. I think it needs someone to take another look, perhaps update the patch, and get it committed.

I will mark the other issue as a bug fix for 2.7 and 3.4+.
History
Date User Action Args
2015-12-01 01:54:54martin.pantersetmessages: + msg255634
2015-12-01 01:10:00xnoxsetnosy: + xnox
messages: + msg255633
2015-11-28 12:30:40TheRegRunnersetmessages: + msg255539
2015-11-28 03:31:02martin.pantersetmessages: + msg255524
2015-11-28 03:29:09martin.pantersetstatus: open -> closed

nosy: + martin.panter
messages: + msg255523

superseder: avoid using a shell in ctypes.util: replace os.popen with subprocess
resolution: duplicate
2015-11-27 20:19:20TheRegRunnercreate