Author steve.dower
Recipients Alexander Riccio, brett.cannon, paul.moore, steve.dower, tim.golden, zach.ware
Date 2016-06-30.16:43:44
Message-id <1467305024.21.0.864027570429.issue26137@psf.upfronthosting.co.za>
Content
> So the malicious payload is the whole python command, not just file.bin

Yeah, sorry that wasn't clear. Many vulnerabilities allow attackers to schedule process launches (e.g. via cron/Task Scheduler/etc.) without actually being able to add any files to the machine - Stuxnet took advantage of this, for example. So if Python is already there, you can schedule "python -c "import urllib, base64; exec(...)"" to download->decode->exec arbitrary code without touching the file system or network with obvious sources.

(Right now, I understand base64 is sufficient encryption, at least until the antimalware companies add signatures for base64-encoded scripts. Even then, the slightest customization of the original code is going to break base64 enough to avoid detection, whereas the signatures are flexible enough to handle variations to source code.)
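
The message above describes a scheduled "python -c" launch whose payload is base64-encoded, and notes that a signature on the encoded blob is brittle. As an added example (not part of the original message or of CPython), this detection sketch decodes base64 literals in an inline command and matches on the decoded source instead; the rule names, regexes and sample command lines are constructed for illustration.

```python
import base64
import re

# Hypothetical heuristics for this example, not a vendor signature set.
INLINE = re.compile(r"\bpython[\w.]*(?:\s+-[A-Za-z]+)*?\s+-c\s+(.+)", re.I | re.S)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
RULES = {
    "dynamic-exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "network-fetch": re.compile(r"\b(?:urllib|urlopen)\b"),
}


def layers(code):
    """Return the inline code plus every base64 literal in it that decodes to text."""
    found = [code]
    for run in B64_RUN.findall(code):
        try:
            found.append(base64.b64decode(run, validate=True).decode("utf-8"))
        except ValueError:  # bad padding or alphabet, or bytes that are not UTF-8
            continue
    return found


def inspect_command(cmdline):
    """Return sorted rule names hit by a command line that runs inline Python."""
    match = INLINE.search(cmdline)
    if not match:
        return []
    found = layers(match.group(1))
    hits = {name for name, rx in RULES.items() if any(rx.search(t) for t in found)}
    if len(found) > 1:
        hits.add("base64-layer")
    return sorted(hits)


def _b64(src):
    return base64.b64encode(src.encode()).decode()


# Constructed, inert sample text: the same statement in two trivially different spellings.
VARIANT_A = "data = urlopen('http://example.invalid/a').read()"
VARIANT_B = "data  = urlopen('http://example.invalid/a').read()"
WRAPPER = "python -c \"import base64; exec(base64.b64decode('{}'))\""
SAMPLES = [WRAPPER.format(_b64(VARIANT_A)), WRAPPER.format(_b64(VARIANT_B)),
           "python backup.py --compress"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_command(line), "<-", line[:60])
```

Both variants produce the same findings even though their encoded forms differ, because the rules run on the decoded layer.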
History
Date User Action Args
2016-06-30 16:43:44 steve.dower set recipients: + steve.dower, brett.cannon, paul.moore, tim.golden, zach.ware, Alexander Riccio
2016-06-30 16:43:44 steve.dower set messageid: <1467305024.21.0.864027570429.issue26137@psf.upfronthosting.co.za>
2016-06-30 16:43:44 steve.dower link issue26137 messages
2016-06-30 16:43:44 steve.dower create