Pysec
•Download as ODP, PDF•
1 like•730 views
This document discusses unwanted code injection and possible security risks when evaluating untrusted data sources in Python. It provides examples of how malicious code could be executed using functions like eval(), exec(), and input(). The document recommends verifying all input data and avoiding direct code execution when possible to prevent exploitation. Sandboxing or chrooting interpreted code is also suggested as a protection technique.
More Related Content
What's hot
What's hot (15)
Viewers also liked
Viewers also liked (20)
Similar to Pysec
Similar to Pysec (20)
Recently uploaded
Recently uploaded (20)
Pysec
- 1. Unwanted Code Injection Possible security risks that may occur when evaluating data from untrusted sources. Cosmin Poieana – Student @ FII, Malware Researcher @ Bitdefender
- 2. Code execution ● Most popular scripting languages: JavaScript, Python, Perl, Ruby. ● And others: ECMAScript, ActionScript, Lisp, PHP, Lua, PostScript, D, ColdFusion, Ruby, Forth, BASIC, etc. ● It's not a vulnerability and it doesn't affect certain versions of interpreters or operating systems under they run. ● It simply executes (malicious) code (plain/compiled).
- 3. Real-world usage Adequate uses ● web frameworks (web2py, cherrypy, django, flask), dynamic code manipulation, compiled bytecode optimizations, mathematical plotters (Lybniz) Usual programmer (bad) ● improper data deserialization (json), foreign code execution, loading config files, statements redundancy, obfuscation techniques
- 4. How it works? ● The programmer is too lazy to build a proper parser. ● Unverified data content or source. ● Bad programming practices (code-based configs/plugins). ● Other functions that implies code execution. ● Runtime code embedding to ease some specific tasks.
- 5. Python Linux, Python 2.x ● eval(source[, globals[, locals]]) -> value ● exec … ● input([prompt]) -> value ● compile(source, filename, mode[, flags[, dont_inherit]]) -> code object ● execfile(filename[, globals[, locals]])
- 6. Python - examples >>> eval("1+2") 3 >>> exec "import os; os.system('pwd')" /home/cmin/Desktop/pysec >>> number = input("Number: ") Number: exit() >>> op = compile("a=1;b=2;c=(a*b)**(a+b)", "<string>", "single") >>> eval(op) >>> c 8
- 7. Python - tricks ● eval (function) evaluates expressions, but exec (statement) executes code, remember? ● How about “eval”-ing multiple statements... >>> code = """ ... import sys ... print sys.version ... """ >>> cobj = compile(code, "<string>", "exec") >>> eval(cobj) 2.7.4 (default, Sep 26 2013, 03:20:56) [GCC 4.7.3]
- 8. Python – interpreter ● eval vs. exec ● Using functions instead of statements (import) ● Namespaces (globals/locals) ● Replacing `__builtins__` (whitelisting)
- 9. Example I Bad practice ● String evaluation instead of type converting for numeric values. Solution ● Alter the namespace with empty builtins. ● Replace input() with int(raw_input()).
- 10. Python - hacks >>> eval("__import__('os')", {"__builtins__": {}}) ... NameError: name '__import__' is not defined >>> eval("[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__'] ('os')", {"__builtins__": {}}) <module 'os' from '/usr/lib/python2.7/os.pyc'>
- 11. Example II Bad practice ● Wrong and bogus (de)serialization methods. Solution ● Use pickle or json library for this kind of work.
- 12. Example III Bad practice ● Executing code from untrusted sources without checking it. Solution ● Verify the input in both the front and the back end. ● Use pkgutil library for module manipulation.
- 13. Python – crash #! /usr/bin/env python s = """(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n] [0]): fc("function")( fc("code")( 0,0,0,0,"random",(),(),(),"","",0,""), {})() )()""" eval(s, {"__builtins__": {}}) Segmentation fault (core dumped)
- 14. Python 3.x ● Crash (segmentation fault) – add one more `0` and replace some strings with bytes: >>> s = '(lambda fc=(lambda n: [c for c in ().__class__.__bases__[0].__subclasses__() if c.__name__ == n][0] ):fc("function") (fc("code")(0,0,0,0,0,b"random",(),(),(),"","",0,b""),{})())()' eval(s, {"__builtins__": {}}) Segmentation fault (core dumped) ● Builtins restore: >>> s = "[x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'Pattern'][0].__init__.__globals__['__builtins__']['print']('Works!')" >>> eval(s, {"__builtins__": {}}) Works!
- 15. Protection ● Avoid these functions at all. ● Use only trusted encapsulated sources. ● Double-check input data. ● Sandbox or chroot.
- 16. Resources ● Many thanks to floyd and to his research: http://www.floyd.ch/?p=584 ● Ned Batchelder (builtins search tool): http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html ● Armin Ronacher: http://lucumr.pocoo.org/2011/2/1/exec-in-python/ ● Others: http://lybniz2.sourceforge.net/safeeval.html http://en.wikipedia.org/wiki/Eval Questions?