Sandbox escape via getToolByName
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope CMF buildout | Confirmed | Undecided | Tres Seaver |
Bug Description
Alan Hoey of the Plone security team reported this issue:
Came across this one too - getToolByName is importable in TTW python scripts. When invoked it attempts to look up tool objects via some magic; _tool_interface appears to be pretty much just getattr. We can use this unrestricted getattr to grab the real builtins and from there execute arbitrary python.

Basically all the security in restricted python is dependent on the wrapped methods (guarded_getattr etc.) as that's where the security checks happen; if you can get a hold of a real getattr it's trivial to escape.

Alan
Example:
from Products.
builtins = getToolByName(
code = builtins[
builtins[
---
The Plone security team released a patch to address this vulnerability in Products.
a) the name being looked up is in the tool registry
b) the object that was found provides IPersistent or IItem
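To make the two conditions of the fix concrete, here is an added example (not CMFCore's own code) of a tool lookup that refuses anything not in the tool registry and anything that resolves to an object without the expected interface. The registry, the site object and the marker classes standing in for IPersistent and IItem are constructed stand-ins; the real lookup uses Zope's tool registry and zope.interface.

```python
"""Hardened tool lookup modelled on the two checks in the fix (added example).

Assumptions: TOOL_REGISTRY, Portal and the marker classes below are constructed
stand-ins for CMF's tool registry, a site object and IPersistent / IItem.
"""


class IPersistent:
    """Stand-in marker for IPersistent (assumption; real code uses zope.interface)."""


class IItem:
    """Stand-in marker for CMF's IItem (assumption)."""


class PortalCatalog(IPersistent):
    """Constructed tool object that legitimately provides IPersistent."""


class NotATool:
    """Constructed object reachable as an attribute but not a tool."""

    def __init__(self, payload):
        self.payload = payload


class Portal:
    """Constructed site object: only some of its attributes are registered tools."""

    def __init__(self):
        self.portal_catalog = PortalCatalog()
        # Registered name that resolves to a non-tool object (covers check b).
        self.portal_skins = NotATool("wrong kind of object")
        # Arbitrary attribute that is not a tool at all (covers check a).
        self.some_attribute = NotATool("internal state")


# Constructed tool registry: the only names a lookup is allowed to resolve.
TOOL_REGISTRY = frozenset({"portal_catalog", "portal_membership", "portal_skins"})


class ToolLookupError(Exception):
    """Raised when a name is unregistered or resolves to a non-tool object."""


def get_tool_by_name(context, name, allowed_interfaces=(IPersistent, IItem)):
    """Resolve a tool by name with both checks from the fix applied.

    (a) the name must be in the tool registry, so the call cannot be used as a
        general-purpose getattr on the context;
    (b) the resolved object must provide one of the allowed interfaces, so a
        registered name that resolves to something unexpected is refused too.
    """
    if name not in TOOL_REGISTRY:
        raise ToolLookupError(f"{name!r} is not a registered tool name")
    tool = getattr(context, name, None)
    if tool is None:
        raise ToolLookupError(f"tool {name!r} not found on context")
    if not isinstance(tool, allowed_interfaces):
        raise ToolLookupError(
            f"{name!r} resolved to {type(tool).__name__}, which provides no tool interface"
        )
    return tool


def lookup_outcome(context, name):
    """Return 'ok' or 'refused' for a lookup, for tabulating the gate's behaviour."""
    try:
        get_tool_by_name(context, name)
        return "ok"
    except ToolLookupError:
        return "refused"


if __name__ == "__main__":
    portal = Portal()
    for candidate in ("portal_catalog", "portal_membership", "portal_skins", "some_attribute"):
        print(f"{candidate:18s} -> {lookup_outcome(portal, candidate)}")
```

Only `portal_catalog` passes: `some_attribute` fails the registry check, `portal_membership` is registered but absent, and `portal_skins` is registered but resolves to an object without a tool interface. The point of check (b) is that the registry alone is not enough when a registered name can be shadowed by an unexpected object.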
Changed in zope-cmf:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
I've made this public since the Plone hotfix already reveals the details.