Pysec
•Descargar como ODP, PDF•
1 recomendación•729 vistas
Possible security risks that may occur when evaluating data from untrusted sources.
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (15)
Destacado
Destacado (20)
Similar a Pysec
Similar a Pysec (20)
Último
Último (20)
Pysec
- 1. Unwanted Code Injection Possible security risks that may occur when evaluating data from untrusted sources. Cosmin Poieana – Student @ FII, Malware Researcher @ Bitdefender
- 2. Code execution ● Most popular scripting languages: JavaScript, Python, Perl, Ruby. ● And others: ECMAScript, ActionScript, Lisp, PHP, Lua, PostScript, D, ColdFusion, Ruby, Forth, BASIC, etc. ● It's not a vulnerability and it doesn't affect certain versions of interpreters or operating systems under they run. ● It simply executes (malicious) code (plain/compiled).
- 3. Real-world usage Adequate uses ● web frameworks (web2py, cherrypy, django, flask), dynamic code manipulation, compiled bytecode optimizations, mathematical plotters (Lybniz) Usual programmer (bad) ● improper data deserialization (json), foreign code execution, loading config files, statements redundancy, obfuscation techniques
- 4. How it works? ● The programmer is too lazy to build a proper parser. ● Unverified data content or source. ● Bad programming practices (code-based configs/plugins). ● Other functions that implies code execution. ● Runtime code embedding to ease some specific tasks.
- 5. Python Linux, Python 2.x ● eval(source[, globals[, locals]]) -> value ● exec … ● input([prompt]) -> value ● compile(source, filename, mode[, flags[, dont_inherit]]) -> code object ● execfile(filename[, globals[, locals]])
- 6. Python - examples >>> eval("1+2") 3 >>> exec "import os; os.system('pwd')" /home/cmin/Desktop/pysec >>> number = input("Number: ") Number: exit() >>> op = compile("a=1;b=2;c=(a*b)**(a+b)", "<string>", "single") >>> eval(op) >>> c 8
- 7. Python - tricks ● eval (function) evaluates expressions, but exec (statement) executes code, remember? ● How about “eval”-ing multiple statements... >>> code = """ ... import sys ... print sys.version ... """ >>> cobj = compile(code, "<string>", "exec") >>> eval(cobj) 2.7.4 (default, Sep 26 2013, 03:20:56) [GCC 4.7.3]
- 8. Python – interpreter ● eval vs. exec ● Using functions instead of statements (import) ● Namespaces (globals/locals) ● Replacing `__builtins__` (whitelisting)
- 9. Example I Bad practice ● String evaluation instead of type converting for numeric values. Solution ● Alter the namespace with empty builtins. ● Replace input() with int(raw_input()).
- 10. Python - hacks >>> eval("__import__('os')", {"__builtins__": {}}) ... NameError: name '__import__' is not defined >>> eval("[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__'] ('os')", {"__builtins__": {}}) <module 'os' from '/usr/lib/python2.7/os.pyc'>
- 11. Example II Bad practice ● Wrong and bogus (de)serialization methods. Solution ● Use pickle or json library for this kind of work.
- 12. Example III Bad practice ● Executing code from untrusted sources without checking it. Solution ● Verify the input in both the front and the back end. ● Use pkgutil library for module manipulation.
- 13. Python – crash #! /usr/bin/env python s = """(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n] [0]): fc("function")( fc("code")( 0,0,0,0,"random",(),(),(),"","",0,""), {})() )()""" eval(s, {"__builtins__": {}}) Segmentation fault (core dumped)
- 14. Python 3.x ● Crash (segmentation fault) – add one more `0` and replace some strings with bytes: >>> s = '(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n][0] ):fc("function") (fc("code")(0,0,0,0,0,b"random",(),(),(),"","",0,b""),{})())()' eval(s, {"__builtins__": {}}) Segmentation fault (core dumped) ● Builtins restore: >>> s = "[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']('Works!')" >>> eval(s, {"__builtins__": {}}) Works!
- 15. Protection ● Avoid these functions at all. ● Use only trusted encapsulated sources. ● Double-check input data. ● Sandbox or chroot.
- 16. Resources ● Many thanks to floyd and to his research: http://www.floyd.ch/?p=584 ● Ned Batchelder (builtins search tool): http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html ● Armin Ronacher: http://lucumr.pocoo.org/2011/2/1/exec-in-python/ ● Others: http://lybniz2.sourceforge.net/safeeval.html http://en.wikipedia.org/wiki/Eval Questions?