Pysec
1. Unwanted Code Injection
Possible security risks that may occur when evaluating data
from untrusted sources.
Cosmin Poieana – Student @ FII,
Malware Researcher @ Bitdefender
2. Code execution
● Most popular scripting languages: JavaScript, Python,
Perl, Ruby.
● And others: ECMAScript, ActionScript, Lisp, PHP, Lua,
PostScript, D, ColdFusion, Ruby, Forth, BASIC, etc.
● It's not a vulnerability in itself, and it doesn't depend on particular versions
of the interpreters or of the operating systems they run under.
● It simply executes (malicious) code (plain/compiled).
4. How does it work?
● The programmer is too lazy to build a proper parser.
● Unverified data content or source.
● Bad programming practices (code-based
configs/plugins).
● Other functions that imply code execution.
● Runtime code embedding to ease some specific tasks.
8. Python – interpreter
● eval vs. exec
● Using functions instead of statements (import)
● Namespaces (globals/locals)
● Replacing `__builtins__` (whitelisting)
9. Example I
Bad practice
● String evaluation instead of type conversion for numeric
values.
Solution
● Alter the namespace with empty builtins.
● Replace input() with int(raw_input()).
10. Python - hacks
>>> eval("__import__('os')", {"__builtins__": {}})
...
NameError: name '__import__' is not defined
>>> eval("[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os')", {"__builtins__": {}})
<module 'os' from '/usr/lib/python2.7/os.pyc'>
11. Example II
Bad practice
● Incorrect or makeshift (de)serialization methods.
Solution
● Use the pickle or json library for this kind of work.
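The "proper parser" that Example I calls for, written here as an added illustration and not taken from the slides: it whitelists AST node types for numeric input instead of handing the string to eval(), and uses ast.literal_eval for the literal deserialization that Example II discusses. It assumes Python 3.8 or later (the slides target Python 2.7); the helper names are my own.

```python
import ast
import operator

# Added example, not from the slides (Python 3; the slides target Python 2.7):
# a whitelist-based evaluator for numeric input that never calls eval(), plus
# literal-only parsing for simple config values.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,  # no Pow: 9**9**9 is a DoS
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 200  # refuse oversized input before parsing

def safe_eval_number(text):
    """Evaluate arithmetic from untrusted text: int/float constants, + - * / %
    and unary +/- only. Names, attribute access, calls, subscripts and
    comprehensions are rejected, so the __class__.__subclasses__() walk that
    rebuilds __import__ under an empty __builtins__ never gets to run."""
    if len(text) > MAX_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value  # exact type check also excludes bool
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return walk(tree)

def load_literal(text):
    """Deserialize a Python literal (dict/list/str/number) without eval();
    ast.literal_eval raises ValueError on calls or attribute access."""
    return ast.literal_eval(text)

def is_rejected(func, text):
    """True when func(text) refuses the input with ValueError."""
    try:
        func(text)
    except ValueError:
        return True
    return False
```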
12. Example III
Bad practice
● Executing code from untrusted sources without checking
it.
Solution
● Verify the input in both the front and the back end.
● Use the pkgutil library for module manipulation.
13. Python – crash
#! /usr/bin/env python
s = """(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n][0]): fc("function")(fc("code")(0,0,0,0,"random",(),(),(),"","",0,""), {})())()"""
eval(s, {"__builtins__": {}})
Segmentation fault (core dumped)
14. Python 3.x
● Crash (segmentation fault) – add one more `0` and replace some
strings with bytes:
>>> s = '(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n][0]): fc("function")(fc("code")(0,0,0,0,0,b"random",(),(),(),"","",0,b""),{})())()'
>>> eval(s, {"__builtins__": {}})
Segmentation fault (core dumped)
● Builtins restore:
>>> s = "[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']('Works!')"
>>> eval(s, {"__builtins__": {}})
Works!
15. Protection
● Avoid these functions altogether.
● Use only trusted encapsulated sources.
● Double-check input data.
● Sandbox or chroot.
16. Resources
● Many thanks to floyd and to his research:
http://www.floyd.ch/?p=584
● Ned Batchelder (builtins search tool):
http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html
● Armin Ronacher:
http://lucumr.pocoo.org/2011/2/1/exec-in-python/
● Others:
http://lybniz2.sourceforge.net/safeeval.html
http://en.wikipedia.org/wiki/Eval
Questions?