Python ctypes.util, Shell Injection in find_library()

Bug #1512068 reported by Bernd Dietzel on 2015-11-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Python
Fix Released
Unknown
python2.7 (Ubuntu)
High
Unassigned
Xenial
Undecided
Brian Morton

Bug Description

https://github.com/Legrandin/ctypes/issues/1

The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov 1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)
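
A regression check for the behaviour reported above, added here as an example (not code from the report or from CPython): it models the os.popen() and subprocess.Popen() call styles with `echo`, then runs the report's `>test` payload through each model and through the installed find_library() inside a scratch directory. The helper names shell_style, argv_style and creates_file are hypothetical; a POSIX /bin/sh and Python 3 are assumed.

```python
import os
import subprocess
import tempfile
from ctypes.util import find_library

PAYLOAD = ">test"  # redirection payload quoted in the report; it only creates a file


def shell_style(name):
    # Simplified model of the os.popen() pattern: the name is pasted into a
    # command string and /bin/sh parses it, metacharacters included.
    subprocess.run("echo -l" + name, shell=True, stdout=subprocess.DEVNULL)


def argv_style(name):
    # Model of the subprocess.Popen() replacement: the name is a single argv
    # element and never reaches a shell parser.
    subprocess.run(["echo", "-l" + name], stdout=subprocess.DEVNULL)


def creates_file(lookup, payload=PAYLOAD):
    """Run lookup(payload) in an empty scratch directory and report whether
    the shell redirection took effect (a file named after the payload exists)."""
    start = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        os.chdir(scratch)
        try:
            lookup(payload)
            return os.path.exists(payload.lstrip(">"))
        finally:
            os.chdir(start)  # leave the scratch directory before it is removed


if __name__ == "__main__":
    print("shell string model    :", creates_file(shell_style))
    print("argv list model       :", creates_file(argv_style))
    print("installed find_library:", creates_file(find_library))
```

A result of True for the installed find_library() means the interpreter still passes the name through a shell and needs the fixed package.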

Dimitri John Ledkov (xnox) wrote :

marking as security.

information type: Public → Private Security
Bernd Dietzel (l-ubuntuone1104) wrote :

My Patch which works with all python versions of the util.py script.

( because the python2 version in /usr/lib/python2.7/ctypes/util.py has no "import subprocess" at the moment for some reason )

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Please report this issue to the upstream Python developers, and link the upstream bug here. Thanks!

Bernd Dietzel (l-ubuntuone1104) wrote :

reported to upstream.
http://bugs.python.org/issue25751

Bernd Dietzel (l-ubuntuone1104) wrote :

Seems the bug is already known and fixed since 2014 but has not found its way to Ubuntu repos.
http://bugs.python.org/issue22636

information type: Private Security → Public Security

tags: added: patch
Changed in python2.7 (Ubuntu):
importance: Undecided → High
Dimitri John Ledkov (xnox) wrote :

upstream only fixed this in 3.5 which we do carry, but not other release series.

It's not that "ubuntu didn't pick up the fix", it's the upstream that didn't apply in all applicable release series.

commented on your bug report.

Changed in python:
status: Unknown → New
Changed in python:
status: New → Fix Released
Changed in python2.7 (Ubuntu):
status: New → Confirmed
Changed in python2.7 (Ubuntu):
assignee: nobody → Brian Morton (rokclimb15)
Brian Morton (rokclimb15) wrote :

Attached is a debdiff for trusty. If someone could please review and provide feedback, I'll produce additional ones for precise, xenial, yakkety, and zesty

Matthias Klose (doko) wrote :

fixed in zesty and newer releases

Changed in python2.7 (Ubuntu):
status: Confirmed → Fix Released
Changed in python2.7 (Ubuntu Xenial):
assignee: nobody → Brian Morton (rokclimb15)
Changed in python2.7 (Ubuntu):
assignee: Brian Morton (rokclimb15) → nobody

Hello Bernd, or anyone else affected,

Accepted python2.7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python2.7 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Matthias Klose (doko) wrote :

exploits don't work anymore in the proposed python2.7 update to xenial.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.12-1ubuntu0~16.04.3

---------------
python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts.
    LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with
    ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose <email address hidden> Mon, 04 Dec 2017 15:50:18 +0100

Changed in python2.7 (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for python2.7 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
