[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

Victor Stinner victor.stinner at gmail.com
Tue Apr 12 08:31:19 EDT 2016


2016-04-12 14:16 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:

> I read your code and the code of CPython. I found many issues. (...) The exploit is based on two things:
>
> * update_wrapper() is used to get the secret attribute using the real getattr() function
> * update_wrapper() + A.__setattr__ are used to pass the secret from the real namespace to the untrusted namespace

Oh, I forgot to mention another vulnerability: you block access to attributes by replacing getattr() and by analyzing the AST. Ok, but one more time, it's not enough. If you get access to obj.__dict__, you will likely get access to any attribute using obj_dict[attr] instead of obj.attr.

I wrote pysandbox because I liked Tav's idea of removing sensitive dictionary keys of sensitive types like functions, frames and code objects. Again, it was not enough.

Victor
