[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on nx and OSX (original) (raw)
Chris Angelico rosuav at gmail.com
Fri Sep 26 02:23:26 CEST 2014
- Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Sep 26, 2014 at 9:53 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
In other words, os.system is already an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface.
Have I missed something? The part where the attack payload is passed through the environment, not through hypothetical user-injected command-line arguments.
Which means this also affects anything that invokes shell scripts (if they use bash, rather than sh), even if it doesn't use os.system(). I'm just in process of checking and patching my systems (most of them are just 'apt-get update; apt-get upgrade' followed by a quick check), and can confirm that it does happen in Python. All you have to do is invoke bash, either explicitly or through your target's shebang.
import os, subprocess os.environ["HAHA"]="() { :;}; echo This is crafted from the environment." subprocess.call(["./test.sh"]) This is crafted from the environment. This is from my test script. 0 open("./test.sh").read() '#!/bin/bash\necho This is from my test script.\n\n' subprocess.call(["bash","-c","echo This is from the command line."]) This is crafted from the environment. This is from the command line. 0
But this is a bash issue, not a Python one.
ChrisA
- Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]