A vulnerability has been found in Python that allows commands to be executed from sandboxed scripts

A few days ago a method was published for bypassing sandboxed code-execution systems in Python. It relies on a long-known bug that has been present since Python 2.7, was identified in 2012, and was never fixed in Python 3.

The bug allows specially crafted Python code to trigger an access to memory that has already been freed (a use-after-free) inside the interpreter. Initially it was assumed that the error posed no security threat and that only in very rare, usually artificially constructed cases could it lead to the abnormal termination of a script.

A security researcher writing under the pseudonym kn32 took an interest in the problem and managed to prepare a working exploit that makes it possible to call any system command without direct access to functions such as os.system.

The exploit is implemented in pure Python: it works without importing external libraries and without relying on the "code.__new__" handler. Of the builtins, only "builtin.__id__" (the id() function) is used, which is generally not restricted. In practical terms, the proposed code can be used to bypass the isolation mechanisms of various services and environments (for example, learning platforms, online shells, embedded handlers, etc.) that allow Python code to be executed but limit the available calls and block access to functions such as os.system.

The proposed code is an analogue of the os.system call that works by exploiting the vulnerability in CPython. The exploit works with all Python 3 versions on x86-64 systems and is stable on Ubuntu 22.04 with the PIE, RELRO and CET protection mechanisms enabled.

The task boils down to leaking, from Python code, the address of one of the functions in the compiled CPython binary.

From this address, the base address of CPython in memory and the address of the system() function in the loaded libc instance are calculated. Finally, a direct jump to that address is triggered, with the pointer in the first argument replaced by a pointer to the string "/bin/sh".

The simplest way to exploit this is to create a list whose length equals the length of the freed buffer, so that its item buffer (ob_item) is allocated in the same place as the freed buffer.

This means we get two different "views" of the same memory region. One view, the memoryview, thinks the memory is a bunch of bytes that we can read from or write to at will. The second view is the list we created, which thinks the memory is an array of PyObject pointers. This means we can build fake PyObjects elsewhere in memory, write their addresses into the list by writing to the memoryview, and then reach them by indexing the list.

In the PoC, they write 0 into the buffer (line 16) and then access it with print(L[0]). L[0] fetches the first PyObject*, which is 0, and print then tries to access other fields through it, leading to an invalid pointer dereference.

This bug exists in every Python version since at least Python 2.7, and although the exploit was designed to work on almost any Python 3 version, that does not mean it cannot be reproduced on Python 2 (according to the author).

The goal of the exploit is to call system("/bin/sh"). The steps are as follows:

  • Leak a CPython function pointer
  • Calculate the CPython base address
  • Calculate the address of system() or its PLT stub
  • Jump to that address with the first argument pointing to /bin/sh
  • Profit
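The two memory facts that the "two views" explanation and the first two steps above depend on can be checked without any exploitation: a list's ob_item buffer really is an array of raw PyObject* values, and the builtin id() hands those same pointers to Python code, so a pointer into the CPython image is available without any import. The following added example (not kn32's PoC and not code from the original article) reads that layout through ctypes, read-only, and on Linux looks up which mapped image contains a type object and that image's base. It assumes a default (GIL-enabled) CPython build and the usual PyObject/PyListObject field order; the /proc/self/maps lookup is an assumption about running on Linux and returns None elsewhere. ctypes is used only to make the layout visible; the sandboxes the article describes would not expose it.

```python
import ctypes
import sys
import sysconfig

# Assumption: a default (GIL) CPython build. The free-threaded build uses a
# different object header, so the struct layouts below would be wrong there.
if sys.implementation.name != "cpython" or sysconfig.get_config_var("Py_GIL_DISABLED"):
    raise SystemExit("this layout demo assumes a default (GIL) CPython build")

PTR = ctypes.sizeof(ctypes.c_void_p)


class PyObjectHead(ctypes.Structure):
    # PyObject_HEAD: the refcount followed by a pointer to the type object.
    _fields_ = [("ob_refcnt", ctypes.c_ssize_t), ("ob_type", ctypes.c_void_p)]


class PyListObject(ctypes.Structure):
    # PyObject_VAR_HEAD, then the ob_item pointer array and its capacity.
    # ob_item is the separately allocated buffer that the exploit overlaps
    # with the freed buffer still referenced by a memoryview.
    _fields_ = [
        ("ob_refcnt", ctypes.c_ssize_t),
        ("ob_type", ctypes.c_void_p),
        ("ob_size", ctypes.c_ssize_t),
        ("ob_item", ctypes.c_void_p),   # PyObject **
        ("allocated", ctypes.c_ssize_t),
    ]


def list_item_buffer(lst):
    """Return (address, raw bytes) of lst's ob_item array, read via ctypes."""
    hdr = PyListObject.from_address(id(lst))
    if hdr.ob_type != id(list) or hdr.ob_size != len(lst):
        raise ValueError("not a plain list, or the assumed layout does not match")
    if hdr.ob_size == 0:
        return 0, b""           # an empty list has ob_item == NULL
    return hdr.ob_item, ctypes.string_at(hdr.ob_item, hdr.ob_size * PTR)


def words_in_item_buffer(lst):
    """The memoryview's 'view' of ob_item: the bytes decoded as machine words.
    On CPython each word equals id() of the corresponding element, which is
    the list's 'view' of the very same bytes (a PyObject* per slot)."""
    _, raw = list_item_buffer(lst)
    return memoryview(raw).cast("N").tolist()


def type_object_address(obj):
    """ob_type of any object is the address of its type object. For builtin
    types that object is static data inside the CPython image, and id(int)
    yields the same value, so the leak step needs nothing beyond id()."""
    return PyObjectHead.from_address(id(obj)).ob_type


def image_base_of(address):
    """Linux only (assumption): find the file-backed mapping in /proc/self/maps
    that contains address and return (path, lowest start of that image).
    Returns None where /proc/self/maps is unavailable or the address is
    not inside a file-backed mapping."""
    try:
        with open("/proc/self/maps") as maps:
            entries = [line.split(maxsplit=5) for line in maps]
    except OSError:
        return None
    ranges = []
    for fields in entries:
        if len(fields) < 6:     # anonymous mapping, no path
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        ranges.append((start, end, fields[5].strip()))
    for start, end, path in ranges:
        if start <= address < end:
            return path, min(s for s, _, p in ranges if p == path)
    return None


if __name__ == "__main__":
    sample = [1, "two", 3.0]    # constructed sample list
    addr, _ = list_item_buffer(sample)
    print(f"ob_item buffer at {addr:#x}")
    for obj, word in zip(sample, words_in_item_buffer(sample)):
        print(f"  slot word {word:#x}  id({obj!r}) = {id(obj):#x}")
    t = type_object_address(0)
    print(f"ob_type of 0: {t:#x}  id(int): {id(int):#x}")
    print("image containing PyLong_Type:", image_base_of(t))
```

Run it and the words read out of the ob_item buffer line up with id() of each element, which is exactly what lets a write through a memoryview plant arbitrary "object" addresses in a list; the type-object address shows that a pointer into the CPython image is one id() call away, and on Linux the maps lookup shows the image and base from which the offsets in the step list are computed.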

Finally, it is noted that the exploit will not be useful against most configurations. It can, however, be useful against Python interpreters that try to isolate code, restrict imports, or rely on audit hooks.

If you would like to know more about it, you can consult the original publication at the following link.

