[Python-Dev] Re: 2.3.1

Kurt B. Kaiser kbk@shore.net
Sat, 26 Jul 2003 21:52:17 -0400


"Tim Peters" <tim.one@comcast.net> writes:

> In thinking about this, however, there is one major point which I think needs to be considered. As I understand the issue, IDLE runs as 2 processes which talk via a socket. I assume that it is not possible for this socket to be used by anything other than IDLE - in particular, random hackers can't use the open socket as a means of exploit? Such a security hole would, indeed, be a major bug which needs to be addressed. I don't know the answer, and agree it should be taken seriously. For example, a port that accepts arbitrary Python code and executes it is as dangerous as anything I can imagine. But I haven't studied the new IDLE code, and don't know what the risks are.

An open execution server on an external interface is exploitable at the privilege level of the user which initiated it.

At GvR request, the connection was reversed so that the execution server connects to the user's GUI process.

If the local cracker manages to intercept the loopback interface (no external packets) he can then access IDLE's stdout and stderr streams in the user GUI.

Once the subprocess makes a connection to the user process, no further connections are accepted. In practice this happens within a second of when the user process spawns the subprocess.

This seems to have limited exploitability. If further security is desired, a random number could be passed to the subprocess for authentication upon connection.

Comments appreciated!

-- KBK
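The reversed connection and the random-number authentication sketched in the message above, as an added example that is not IDLE's code: the GUI side binds to the loopback interface only, lets the kernel pick the port, mints a random token, accepts only the peer that presents that token, and closes the listener as soon as one peer is in. The 16-byte token length and the two-byte "OK" acknowledgement are choices made here, not anything the thread specifies, and the execution server is simulated by a thread in the same process rather than a real spawned subprocess.

```python
"""Reversed-connection handshake with a per-session random token.

Added example, not IDLE's own code. The GUI process listens on 127.0.0.1 at
a kernel-chosen port, gives the port and a fresh random token to the
execution server it spawns (simulated by a thread here), accepts only a peer
presenting that token, and stops listening once one peer has authenticated.
"""
import hmac
import os
import socket
import threading

TOKEN_LEN = 16  # assumption: a 128-bit token; the thread only says "a random number"


def recv_exact(conn, n):
    """Read exactly n bytes; raise ConnectionError if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def gui_listen():
    """GUI side: bind to the loopback interface only and mint the session token."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: kernel picks a free ephemeral port
    srv.listen(5)
    return srv, srv.getsockname()[1], os.urandom(TOKEN_LEN)


def gui_accept_authenticated(srv, token, timeout=5.0):
    """GUI side: accept peers until one presents the right token.

    Returns (conn, rejected): the authenticated connection and the number of
    peers dropped before it. The listener is closed on exit either way, so
    no further connections are possible once the subprocess is in.
    """
    srv.settimeout(timeout)
    rejected = 0
    try:
        while True:
            conn, _ = srv.accept()
            conn.settimeout(2.0)
            try:
                presented = recv_exact(conn, TOKEN_LEN)
            except (ConnectionError, socket.timeout):
                presented = b""
            # constant-time compare; a wrong length also compares unequal
            if hmac.compare_digest(presented, token):
                conn.sendall(b"OK")
                conn.settimeout(None)
                return conn, rejected
            rejected += 1
            conn.close()  # wrong or missing token: drop it, keep waiting
    finally:
        srv.close()


def peer_connect(port, presented):
    """Any local process: connect to the GUI's port and present a token.

    Returns b"OK" if accepted, b"" if the GUI dropped the connection.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        s.sendall(presented)
        try:
            return recv_exact(s, 2)
        except ConnectionError:
            return b""


def port_refuses(port):
    """True if nothing is listening on 127.0.0.1:port any more."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2.0).close()
        return False
    except ConnectionRefusedError:
        return True


def run_scenario():
    """A local attacker races to the port first; then the real server connects."""
    srv, port, token = gui_listen()
    gui_result = {}

    def gui_thread():
        conn, rejected = gui_accept_authenticated(srv, token)
        gui_result["rejected"] = rejected
        conn.close()

    t = threading.Thread(target=gui_thread)
    t.start()
    attacker_reply = peer_connect(port, b"\x00" * TOKEN_LEN)  # guessed token
    subprocess_reply = peer_connect(port, token)               # genuine token
    t.join()
    return {
        "attacker_reply": attacker_reply,
        "subprocess_reply": subprocess_reply,
        "rejected": gui_result["rejected"],
        "listener_closed": port_refuses(port),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points the handshake depends on: the token only helps if the attacker cannot read it, so it should reach the subprocess through the environment or a pipe rather than on the command line, where any local user can see it in the process list; and the GUI must keep waiting after dropping a bad peer rather than giving up, otherwise a local attacker who connects first can still deny the real subprocess its connection.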