Vulnerability found in Python allows commands to be executed from sandboxed scripts

A few days ago a method was published for bypassing Python's isolated code execution system. It is based on exploiting a long-known bug that appeared in Python 2.7, was identified in 2012, and has still not been fixed in Python 3.

It is mentioned that the bug allows specially crafted Python code to trigger an access to memory that has already been freed (use-after-free) in Python. Initially it was assumed that the bug did not pose a security threat and that only in very rare cases, usually artificially created, could it lead to abnormal termination of the script.

A security researcher using the pseudonym kn32 became interested in the problem and managed to prepare a working exploit that makes it possible to call any system command without direct access to methods such as os.system.

The exploit is implemented in pure Python and works without importing external libraries and without installing the "code.__new__" handler. Of the hooks, only "builtin.__id__" is used, which is usually not forbidden. On the practical side, the proposed code can be used to bypass isolation mechanisms in various services and environments (for example, learning environments, online shells, built-in handlers, and so on) that allow Python code to be executed but limit the available calls and do not allow access to methods such as os.system.

The proposed code is an analogue of the os.system call that works by exploiting a vulnerability in CPython. The exploit works with all versions of Python 3 on x86-64 systems and is stable on Ubuntu 22.04, even with the PIE, RELRO and CET protection modes enabled.

The work boils down to obtaining, from Python code, the address of one of the functions in the CPython executable code.

From this address, the base address of CPython in memory and the address of the system() function in the loaded libc instance are calculated. Finally, a direct jump to the computed system address is initiated, with the first-argument pointer replaced by a pointer to the string "/bin/sh".

The simplest approach to exploitation is to create a list whose length equals the length of the freed buffer, so that its item buffer (ob_item) is likely to be allocated in the same place as the freed buffer.

This means that we get two different "views" onto the same piece of memory. One view, the memoryview, thinks the memory is just an array of bytes, which we can write to or read from. The second view is the list we created, which thinks the memory is a list of PyObject pointers. This means that we can create fake PyObjects somewhere in memory, write their addresses into the list by writing through the memoryview, and then access them by indexing the list.

In the case of the PoC, they write 0 to the buffer (line 16) and then access it with print(L[0]). L[0] fetches the first PyObject*, which is 0, and print then tries to access some fields on it, resulting in a null pointer dereference.

It is mentioned that this bug is present in all Python versions since at least Python 2.7, and although the exploit was designed to work on any version of Python 3, that does not mean it cannot be reproduced in Python 2 (according to the author).

The goal of the exploit is to call system("/bin/sh"). It has the following steps:

  • Leak a CPython binary function pointer
  • Calculate the CPython base address
  • Calculate the address of system or its PLT stub
  • Jump to this address with the first argument pointing to /bin/sh
  • Win

Finally, it is mentioned that the exploit will not be useful in most configurations. However, it may be useful against Python interpreters that try to sandbox code by restricting imports or by using Audit Hooks.
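
Because the technique reaches system() without going through os.system, import restrictions and audit hooks inside the interpreter are not where it shows up; the resulting shell process is visible to OS-level process telemetry. The following is an added example (not code from the original article or from kn32) that flags a shell started anywhere below a sandbox worker; the event format, field names and the script name sandbox_worker.py are constructed assumptions.

```python
import json

# Constructed process-exec telemetry (hypothetical field names), one JSON
# event per line, as an exec-tracing agent might emit it.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "exe": "/usr/bin/python3", "argv": ["python3", "sandbox_worker.py"]}
{"pid": 101, "ppid": 100, "exe": "/usr/bin/python3", "argv": ["python3", "-I", "job_17.py"]}
{"pid": 102, "ppid": 101, "exe": "/bin/sh", "argv": ["sh", "-c", "/bin/sh"]}
{"pid": 103, "ppid": 102, "exe": "/bin/sh", "argv": ["/bin/sh"]}
{"pid": 200, "ppid": 1, "exe": "/usr/bin/python3", "argv": ["python3", "deploy.py"]}
{"pid": 201, "ppid": 200, "exe": "/bin/sh", "argv": ["sh", "-c", "make"]}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def is_sandbox_root(event):
    # Assumption: sandbox workers are recognisable by their script name.
    return any(arg.endswith("sandbox_worker.py") for arg in event["argv"])


def find_shell_escapes(lines):
    """Return (pid, exe, worker_pid) for shells run below a sandbox worker."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["exe"] not in SHELLS:
            continue
        # Walk up the parent chain; 'seen' guards against pid loops in bad data.
        pid, seen = e["ppid"], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            if is_sandbox_root(by_pid[pid]):
                alerts.append((e["pid"], e["exe"], by_pid[pid]["pid"]))
                break
            pid = by_pid[pid]["ppid"]
    return alerts


if __name__ == "__main__":
    for pid, exe, root in find_shell_escapes(SAMPLE_EVENTS):
        print(f"ALERT: pid {pid} exec {exe} under sandbox worker pid {root}")
```

A sandbox that never needs child processes can turn the same signal into a hard control by denying process creation to the worker at the OS level.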

Finally, if you are interested in learning more about it, you can consult the original post at the following link.

