
How to analyze deserialization and command execution in Python code audit

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to analyze deserialization and command execution vulnerabilities in a Python code audit. The content is quite detailed; interested readers can use it as a reference, and I hope it is helpful to you.

I. introduction

There are many approaches to Python code audit, but in short they all arise from migrating, fusing and extending earlier ideas. At present, Python code audit methodology is scattered and diverse. The author's modest Python research and development experience, combined with practical ideas and techniques, is summarized here so that readers can learn from and refer to it.

II. De-serialization audit practice

Deserialization vulnerabilities are among the most common high-risk vulnerabilities found in Python code audits. Their severity varies slightly with the execution environment: the local and remote severity scores are 7.2 and 10 respectively, so the harm is obvious. How should we find this kind of vulnerability? The search should start from the deserialization modules. Python's deserialization modules are mainly pickle, cPickle, yaml and so on. Deserialization vulnerabilities were discovered many years ago, and most of those seen so far are caused by applications calling a problematic deserialization module. So when we look for uses of deserialization modules, we are likely to find deserialization vulnerabilities.

1. Dask command execution vulnerability (CNVD-2019-16789)

This vulnerability was found by the author in 2019 while auditing modules in the anaconda environment and was submitted to CNVD for verification. Although it is triggered locally, it is a good case study of a deserialization vulnerability, since it exploits a problem in the yaml module.

(1) vulnerability analysis

The vulnerability affects version 1.1.4 and lies at line 139 of config.py in the dask module. The problem is caused by the program's use of yaml in the collect_yaml method, whose purpose is to collect configuration from yaml files.

Line 148 checks whether the incoming path is a directory; a file that is passed in continues to be processed. The vulnerability is triggered at line 168, where yaml.load performs the deserialization.

At this point, a POC that triggers the deserialization can cause code execution.

(2) vulnerability POC

Screenshot of vulnerability verification:

(3) repair method

Yaml already provides a secure deserialization solution to this problem: programs can deserialize safely with yaml.safe_load. Repair suggestions for audit findings should be applied according to the actual situation.

2. NumPy command execution vulnerability (CVE-2019-6446)

Before NumPy version 1.16.0 there was a deserialization command execution vulnerability: a user loading a malicious data source caused code execution. It is customary to explain pickle's deserialization principle and stack instructions before discussing such a vulnerability, but that is not the focus of this article, so it is not covered here.

(1) vulnerability analysis

Let's start directly at the code layer. The entry to the vulnerability is near line 288 of lib/npyio.py, where the deserialization module is used with the allow_pickle value set to True. allow_pickle permits saving arrays of objects using Python pickles; pickle in Python serializes and deserializes objects when saving to or reading from disk files. In plain terms, it is a switch, and it is turned on by default.

The vulnerability is triggered at line 418 of lib/npyio.py, in the load method that performs the deserialization. The author omits part of the code and looks only at the key points. The default formats are recognized by the ZIP file prefix PK\x03\x04 or the suffix PK\x05\x06 (or by NumPy's own magic prefix). If the data does not match a default format, the pickle.load() deserialization method is executed.

The execution path is NumPy.lib.npyio.py:load() => pickle.py:load().

    try:
        # Code to distinguish from NumPy binary files and pickles.
        _ZIP_PREFIX = b'PK\x03\x04'
        _ZIP_SUFFIX = b'PK\x05\x06'  # empty zip files start with this
        ...
        if magic.startswith(_ZIP_PREFIX) or magic.startswith(_ZIP_SUFFIX):
            ...
        elif magic == format.MAGIC_PREFIX:
            ...
        else:
            # Try a pickle
            if not allow_pickle:
                raise ValueError("Cannot load file containing pickled data "
                                 "when allow_pickle=False")
            try:
                return pickle.load(fid, **pickle_kwargs)
            except Exception:
                raise IOError(
                    "Failed to interpret file %s as a pickle" % repr(file))
    finally:
        ...

(2) vulnerability POC

In summary, the POC is written as follows:

    from numpy.lib import npyio
    from numpy import __version__
    print(__version__)
    import os
    import pickle

    class Test(object):
        def __init__(self):
            self.a = 1

        def __reduce__(self):
            # On unpickling, the loader calls os.system('whoami')
            return (os.system, ('whoami',))

    tmpdaa = Test()
    with open("test-file.pickle", 'wb') as f:
        pickle.dump(tmpdaa, f)
    npyio.load("test-file.pickle")

The test results are shown in the figure:
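As an added defensive counterpart to the POC above (example code written for this article, not NumPy's own), the following shows the two checks an auditor would want an application to apply before trusting a pickle file: a scan of the pickle opcode stream for anything that can resolve or call a global, and a restricted Unpickler whose find_class refuses every import outside a small allow-list. The Payload class, the SAFE_BUILTINS set and both sample pickles are constructed for the example; os.getcwd stands in for the os.system call in the article's POC so that the stream is structurally the same but harmless if loaded with plain pickle.

```python
import builtins
import io
import os
import pickle
import pickletools

# Opcodes that can pull in a callable or invoke one during unpickling.
# A pickle of plain data (dicts, lists, strings, numbers) never needs them.
SUSPICIOUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "REDUCE", "BUILD", "NEWOBJ", "NEWOBJ_EX",
}

# Assumption for this example: the application only ever stores plain data,
# so these are the only globals the restricted loader will resolve.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


def suspicious_opcodes(data):
    """Return the suspicious opcode names found in a pickle stream, in order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in SUSPICIOUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_load_rejects(data):
    """True if the restricted loader alone (no opcode scan) refuses the stream."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


def safe_load(data):
    """Load a pickle only if it is plain data; return (ok, value_or_reason)."""
    bad = suspicious_opcodes(data)
    if bad:
        return False, "rejected by opcode scan: " + ", ".join(bad)
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, f"rejected by restricted loader: {exc}"


class Payload:
    """Constructed stand-in for the article's POC class: __reduce__ makes the
    loader call a function chosen by whoever wrote the file. os.getcwd is used
    instead of os.system so the sample is harmless under plain pickle.loads."""

    def __reduce__(self):
        return (os.getcwd, ())


def benign_pickle():
    # Constructed sample: the kind of data an array loader legitimately stores.
    return pickle.dumps({"shape": [2, 3], "dtype": "float64", "data": [1.0, 2.0]})


def malicious_pickle():
    # Constructed sample with the same structure as the article's POC file.
    return pickle.dumps(Payload())


if __name__ == "__main__":
    for label, blob in (("benign", benign_pickle()), ("payload", malicious_pickle())):
        print(label, "opcodes:", suspicious_opcodes(blob))
        print(label, "safe_load:", safe_load(blob))
```

The opcode scan is the cheaper check and works on files you do not intend to load at all (for example in a detection pipeline over uploaded .npy files); the restricted Unpickler is the one to use at the actual load site, because it still works if a new protocol version introduces an opcode the scan does not know.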

III. Command execution audit practice

Command execution vulnerabilities are also common and harmful in Python modules. When auditing command execution, the program often cannot execute the command until certain conditions are met, or the command may need to run on different operating systems, so attention must be paid to the code logic and to some platform-specific features.

1. Numexpr command execution vulnerability (CNVD-2019-17298)

Numexpr is an acceleration package for the machine learning module NumPy, mainly used to improve NumPy's performance.

(1) vulnerability analysis

At line 37 of /numexpr/cpuinfo.py in the module, there is a method that executes commands.

getoutput is the problematic method: logically it executes the command through a .popen call. Because os.WIFEXITED(status) and os.WEXITSTATUS(status) are only supported on Linux, execution on Windows raises an error. On Linux, when status is a global variable assigned 0, os.WIFEXITED(status) is True and os.WEXITSTATUS(status) is 0. According to the code logic, if os.WIFEXITED(status) and os.WEXITSTATUS(status) in successful_status, then with successful_status = (True, 0) the command string passed in through the formal parameter is executed, resulting in a command execution problem.

(2) vulnerability POC

Vulnerability POC and execution result:

2. Dotenv command execution vulnerability (CNVD-2019-17299)

Dotenv is a library that enables Node.js to load environment variables from a file.

(1) vulnerability analysis

The vulnerability lies at line 317 of main.py in dotenv version 0.10.1, where the method's parameters pass in a command and environment variables. Because the commands that may be executed are not filtered, arbitrary command execution is possible.
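Both command execution cases above (the cpuinfo getoutput pattern and the dotenv run-command-with-environment pattern) share the same fix, so one added example covers both. This is illustrative code written for this article, not the numexpr or dotenv project's own: run_command takes a list argv and never a shell, so metacharacters in untrusted input stay literal arguments; returncode replaces the os.WIFEXITED/os.WEXITSTATUS pair, which only exists on POSIX; and parse_dotenv is a constructed, minimal stand-in for a dotenv-style file reader so that the environment-passing case can be exercised offline. The sample .env text and the use of sys.executable as the child program are assumptions of the example.

```python
import os
import subprocess
import sys

# Constructed sample .env content (not from any real project).
SAMPLE_DOTENV = """\
# constructed sample .env
APP_MODE=staging
GREETING="hello world"
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines into a dict; comments and blanks are ignored.
    Quoting rules are deliberately minimal for this example."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def validate_argv(argv):
    """True only for a non-empty list/tuple of strings (never a bare string)."""
    return (isinstance(argv, (list, tuple)) and len(argv) > 0
            and all(isinstance(a, str) for a in argv))


def run_command(argv, extra_env=None, timeout=30):
    """Run argv without a shell and return (returncode, stdout).

    argv[0] is the program, the rest are literal arguments, so a value such
    as "x; rm -rf /" in argv is just text the program receives. Variables
    from extra_env are layered over the parent environment.
    """
    if not validate_argv(argv):
        raise TypeError("argv must be a non-empty list of strings")
    env = dict(os.environ)
    if extra_env:
        env.update(extra_env)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          env=env, timeout=timeout, shell=False)
    return proc.returncode, proc.stdout.strip()


def getoutput(argv, successful_status=(0,)):
    """Hardened counterpart of the cpuinfo getoutput pattern: report whether
    the exit code is in successful_status, plus the captured output.
    Portable because it uses returncode instead of os.WIFEXITED/WEXITSTATUS."""
    code, out = run_command(argv)
    return code in successful_status, out


def echo_arg(untrusted):
    """Hand an untrusted string to a child interpreter as a single argument and
    return what the child saw; with no shell involved it comes back unchanged."""
    return run_command([sys.executable, "-c",
                        "import sys; print(sys.argv[1])", untrusted])


def show_env_var(name, dotenv_text):
    """Run a child with variables from dotenv_text and print one of them back."""
    return run_command([sys.executable, "-c",
                        "import os, sys; print(os.environ[sys.argv[1]])", name],
                       extra_env=parse_dotenv(dotenv_text))


if __name__ == "__main__":
    print(echo_arg("value; echo injected"))
    print(show_env_var("GREETING", SAMPLE_DOTENV))
    print(getoutput([sys.executable, "-c", "raise SystemExit(3)"]))
```

During an audit, the things to grep for are the inverse of what this block does: shell=True, os.popen, os.system, and any function whose command parameter is a single string built from caller input.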

(2) vulnerability POC

Vulnerability POC and execution result:

Through the above cases and summary, I believe we can further improve our Python audit ability.

That is all on how to analyze deserialization and command execution in Python code audit. I hope the above content is of some help to you and lets you learn more. If you think the article is good, you can share it so that more people see it.
