Python ctypes.util, Shell Injection in find_library()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Python | Fix Released | Unknown | |
python2.7 (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | Undecided | Brian Morton |
Bug Description
https:/
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.
Demo Exploits for Linux :
=======
>>> from ctypes.util import find_library
>>> find_library(
>>> find_library(
>>> find_library(
>>> find_library(
>>> find_library(
==== Traceback ====
>>> find_library(
^CTraceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
return _findSoname_
File "/usr/lib/
trace = f.read()
KeyboardInterrupt
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSign
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov 1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
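The pattern described in the report, as an added example that is not part of the original report or of CPython's own code: a command string built from the name and run through os.popen(), next to the same call made with an argument list through subprocess, where no shell parses the name. `echo` stands in for the external tool, and the function names, the constructed sample name and the allowlist pattern are assumptions made for illustration.

```python
import os
import re
import subprocess

# Constructed sample input: a "library name" carrying a shell metacharacter.
CONSTRUCTED_NAME = "c; echo INJECTED"

# Assumed allowlist for library names; not taken from the report.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_.+-]+")


def lookup_via_shell(name):
    """Pattern from the report: the name is pasted into a shell command line."""
    # os.popen() hands the whole string to /bin/sh, so ';' ends the first
    # command and whatever follows runs as a second one.
    with os.popen("echo lookup:" + name) as pipe:
        return pipe.read()


def lookup_via_argv(name):
    """Suggested direction: subprocess with an argument list and no shell."""
    # The name is a single argv element; no shell ever parses it.
    result = subprocess.run(["echo", "lookup:" + name],
                            capture_output=True, text=True, check=True)
    return result.stdout


def is_plain_library_name(name):
    """Extra guard for callers that pass untrusted names to a lookup."""
    return PLAIN_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    for label, fn in (("shell", lookup_via_shell), ("argv", lookup_via_argv)):
        print(label, repr(fn(CONSTRUCTED_NAME)))
    print("plain name?", is_plain_library_name(CONSTRUCTED_NAME))
```

With the constructed name, the shell variant returns two lines of output (two commands ran), while the argument-list variant returns the name back as literal text.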
Changed in python2.7 (Ubuntu):
importance: Undecided → High
Changed in python:
status: Unknown → New
Changed in python:
status: New → Fix Released
Changed in python2.7 (Ubuntu):
status: New → Confirmed
Changed in python2.7 (Ubuntu):
assignee: nobody → Brian Morton (rokclimb15)
Changed in python2.7 (Ubuntu Xenial):
assignee: nobody → Brian Morton (rokclimb15)
Changed in python2.7 (Ubuntu):
assignee: Brian Morton (rokclimb15) → nobody
marking as security.