[issue12238] Readline module loading in interactive mode

2011-06-02 Thread Niels Heinen

New submission from Niels Heinen:

Running the python binary without a script or using the -i flag will
start the process in interactive mode. The interactive mode requires an
external module to be loaded: readline.

By default, Python also tries to load this module from the current
working directory (see also the trace below):

strcpy(0x7fff17609ed8, ".so")  = 0x7fff17609ed8
fopen64("readline.so", "rb" 
SYS_open("readline.so", 0, 0666)   = -2
<... fopen64 resumed> )= 0
strcpy(0x7fff17609ed8, "module.so")= 0x7fff17609ed8
fopen64("readlinemodule.so", "rb" 
SYS_open("readlinemodule.so", 0, 0666)

The module is imported in Modules/main.c line 663:

  if ((Py_InspectFlag || ..
       isatty(fileno(stdin))) {
      PyObject *v;
      v = PyImport_ImportModule("readline");


Why consider this a security bug: basically because you don't expect a
program to import a shared library from your current directory _unless_
you explicitly tell it to (e.g. import blah).

On a multi-user system, someone could plant a malicious shared library
named "readline.so" in an attempt to hack a user who runs python in
interactive mode.

The risk is obviously _very_ low, but it is nevertheless worth considering an
improvement, for example loading readline from a stricter path (e.g. the
Python lib directories only)?

Niels



AN EXAMPLE:
---
The code below is compiled to readline.so and stored in /tmp:

  /* Build with: gcc -shared -fPIC -o /tmp/readline.so readline.c */
  #include <stdio.h>

  /* Constructor: runs as soon as the shared object is mapped into the
     process, before any symbol from it is looked up. */
  void __attribute__ ((constructor)) _load(void);
  void _load(void) {
      printf("DING DONG!\n");
  }

foo@foo:/tmp$ ls -l /tmp/readline.so 
-rwxr-x--- 1 n nnn 7952 Mar 29 16:24 /tmp/readline.so
foo@foo:/tmp$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) 
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
DING DONG!
>>>

--
messages: 137473
nosy: Niels.Heinen
priority: normal
severity: normal
status: open
title: Readline module loading in interactive mode
type: security
versions: Python 2.6

___
Python tracker 
<http://bugs.python.org/issue12238>
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
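The mechanism behind the report, seen from the Python side, as an added example (not code from the tracker thread or from CPython): the interactive interpreter puts the current directory ('') at the front of sys.path, so any readline.py or readline extension file in that directory is found before the standard library's copy. The block plants a constructed decoy in a temporary directory and asks importlib where the name 'readline' would resolve with and without that directory first on the search path, without importing or executing anything. The `-P`/`PYTHONSAFEPATH` (Python 3.11+) and `-I` interpreter options are the ones that leave the cwd entry out; the function names plant_decoy, strip_cwd, resolve, cwd_first_on_sys_path and demo are this example's own.

```python
"""Why a file named readline.py (or readline.so) in the current directory wins
the interactive interpreter's startup import of 'readline'.

Added example, not code from the tracker thread or from CPython.  The decoy
module is constructed in a temporary directory and is never imported or run;
we only ask the import machinery where the name would resolve for a given
search path.
"""
import importlib
import importlib.machinery
import os
import sys
import tempfile
from typing import List, Optional

MODULE = "readline"  # imported automatically when the REPL starts


def plant_decoy(directory: str, name: str = MODULE) -> str:
    """Write a decoy <name>.py into directory (constructed sample, never executed)."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w") as fh:
        fh.write('print("DING DONG! decoy %s imported")\n' % name)
    return path


def strip_cwd(search_path: List[str]) -> List[str]:
    """Drop the entries that mean 'current directory' ('' or an explicit cwd).
    This mirrors what `python -P` / PYTHONSAFEPATH (3.11+) and `python -I`
    achieve by not prepending that entry in the first place."""
    cwd = os.getcwd()
    return [p for p in search_path if p not in ("", cwd)]


def resolve(name: str, search_path: List[str]) -> Optional[str]:
    """Return the origin (file path, or 'built-in') the import system would
    load `name` from for search_path, or None if it is not found.  PathFinder
    is used directly so sys.path and sys.modules stay untouched and no module
    code runs."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def cwd_first_on_sys_path() -> bool:
    """True when this interpreter looks in the cwd before the standard
    library, as the plain interactive prompt does (sys.path[0] == '')."""
    if not sys.path:
        return False
    head = sys.path[0]
    return head == "" or os.path.abspath(head) == os.getcwd()


def _same_file(a: Optional[str], b: Optional[str]) -> bool:
    """samefile() that tolerates None and non-path origins such as 'built-in'."""
    if a is None or b is None:
        return False
    return os.path.exists(a) and os.path.exists(b) and os.path.samefile(a, b)


def demo() -> dict:
    """Plant a decoy, then resolve MODULE as an interactive session started in
    that directory would (cwd first) and as a hardened session would."""
    with tempfile.TemporaryDirectory() as tmp:
        decoy = plant_decoy(tmp)
        as_repl_in_tmp = [tmp] + strip_cwd(sys.path)  # like sys.path[0] == ''
        hardened = strip_cwd(sys.path)                 # like -P or -I
        unsafe_hit = resolve(MODULE, as_repl_in_tmp)
        safe_hit = resolve(MODULE, hardened)
        return {
            "decoy": decoy,
            "unsafe_hit": unsafe_hit,
            "safe_hit": safe_hit,
            "decoy_wins_when_cwd_first": _same_file(unsafe_hit, decoy),
            "decoy_wins_when_hardened": _same_file(safe_hit, decoy),
        }


if __name__ == "__main__":
    print("cwd first on sys.path in this process:", cwd_first_on_sys_path())
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The lookup with the temporary directory first lands on the decoy; with that entry removed it lands on the interpreter's own readline (or on nothing, on builds without it), never on the decoy. On 3.11 and later, starting the prompt with `python -P` or with `PYTHONSAFEPATH=1` set is the practical way to get the hardened search path for a shell session in a directory you do not control; `python -I` does the same and also ignores the user site directory and PYTHON* environment variables.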



[issue12238] Readline module loading in interactive mode

2011-06-06 Thread Niels Heinen

Niels Heinen added the comment:

Hi Eric, David,

This means that you cannot type "python" and press Enter in any shared 
directory without the risk of a malicious readlinemodule.so being imported and 
executed.

I think this is different from a scenario where someone explicitly runs a 
script or imports a module in interactive mode where it is also reasonable that 
such a person understands the importing mechanism.

Thanks for the quick responses btw!

Niels

--
