Sandbox escape via getToolByName

Bug #1079221 reported by David Glick
Affects: Zope CMF buildout; Status: Confirmed; Importance: Undecided; Assigned to: Tres Seaver

Bug Description

Alan Hoey of the Plone security team reported this issue:

Came across this one too - getToolByName is importable in TTW python scripts.
When invoked it attempts to look up tool objects via some magic
_tool_interface_registry. If this fails it falls back to using aq_get, which
appears to be pretty much just getattr. We can use this unrestricted getattr
to grab the real builtins and from there execute arbitrary python.

Basically all the security in restricted python is dependent on the wrapped
methods (guarded_getattr etc.) as that's where the security checks happen; if
you can get hold of a real getattr it's trivial to escape.

Alan

Example:

from Products.CMFPlone.utils import getToolByName
builtins = getToolByName(setattr,'func_globals')['__builtins__']
code = builtins['compile']('import os;os.system("ls")','<evil>','exec')
builtins['eval'](code)

---

The Plone security team released a patch to address this vulnerability in Products.PloneHotfix20121106. The patch wraps getToolByName and checks to make sure that one of the following is true:
a) the name being looked up is in the tool registry
b) the object that was found provides IPersistent or IItem
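A constructed sketch of the check the hotfix description calls for, added here for illustration; it is not the code of Products.PloneHotfix20121106, and the tool registry, the IPersistent/IItem marker classes and the site object are stand-ins so it runs without Zope or Plone installed:

```python
# Constructed illustration of the guard described above; NOT the code of
# Products.PloneHotfix20121106. Registry, marker classes and site are stand-ins.

class Persistent:
    """Stand-in for objects providing IPersistent."""

class Item:
    """Stand-in for objects providing IItem."""

class Unauthorized(Exception):
    """Raised when the guarded lookup refuses to hand back an object."""

# Stand-in for the tool registry: names known to be tools.
TOOL_REGISTRY = {"portal_catalog", "portal_membership"}

def unguarded_get_tool(context, name):
    """Vulnerable shape: the fallback is a plain, unrestricted getattr, so any
    attribute of any object (e.g. a function's globals) reaches restricted code."""
    return getattr(context, name)

def guarded_get_tool(context, name):
    """Hotfix-style wrapper: same lookup, but the result is only returned when
    the name is a registered tool or the object is persistent / an item."""
    result = unguarded_get_tool(context, name)
    if name in TOOL_REGISTRY or isinstance(result, (Persistent, Item)):
        return result
    raise Unauthorized("getToolByName(%r): result is not a tool" % name)

def is_refused(context, name):
    """True when the guarded lookup refuses the (context, name) pair."""
    try:
        guarded_get_tool(context, name)
    except Unauthorized:
        return True
    return False

# Constructed site: a registered tool, a persistent non-tool and an ordinary
# function attribute that restricted code must never be able to unwrap.
class Site:
    portal_catalog = Persistent()
    some_folder = Item()
    helper = staticmethod(lambda: None)

def demo():
    site = Site()
    return {
        "tool": isinstance(guarded_get_tool(site, "portal_catalog"), Persistent),
        "item": isinstance(guarded_get_tool(site, "some_folder"), Item),
        # the unguarded fallback hands back the function's globals dict ...
        "unguarded_leaks": isinstance(unguarded_get_tool(site.helper, "__globals__"), dict),
        # ... while the guarded wrapper refuses the same lookup
        "guarded_refuses": is_refused(site.helper, "__globals__"),
    }
```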


Tres Seaver (tseaver)
Changed in zope-cmf:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote :

I've made this public since the Plone hotfix already reveals the details.

information type: Private Security → Public
information type: Public → Public Security