New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
virtualenv Sandbox escape #1207
Comments
CVE-2018-17793 has been assigned to this issue (not requested by me). |
Could you please explain the security impact here? Calling bash to get back to the normal shell does not seem like a vulnerability to me. I do not think that anyone was under the impression that virtualenv allows you to safely run untrusted shell commands, that is not what it is for. |
I asked MITRE to reject the CVE |
Normal as follows:
|
Yes, and if you jump off a building you might hit something on the way down. It doesn't really matter since you're already in big trouble from jumping to begin with. |
PYTHON in the sandbox is not 100% secure, and vulnerabilities can result in bypassing the sandbox protection. What are the reasons for using the sandbox? |
@BakedPotato999 Python in the virtualenv "sandbox" is 0% secure; it's neither designed to nor does it provide any protection against malicious code. You seem very confused about the purpose of virtualenv. |
I think the applications running in this Virtualenv are independent and will not affect your existing operating system. Closing the sandbox will restore all operations. With the sandbox, you can test programs and software that might be risky. Is that right? |
Nope, completely wrong. The purpose of a virtualenv is to let you use a specific Python interpreter and set of Python packages (instead of the system- and userdir-installed packages) to run programs in an otherwise normal environment. The "sandbox," such as it is, should by default not include system and user packages, just the ones installed in the virtualenv. But there's nothing stopping you from, e.g., changing Nor should anything stop you from doing that. The Python interpreter in a virtualenv should be able to do all operations that the system Python interpreter (if any) can do when run by the same user. To do otherwise would break many common and expected uses of a virtualenv. |
@BakedPotato999 |
I'll close this as invalid. |
I just wonder, how did you come with virtualenv being a I searched through docs, github and with a
which links to http://wiki.pylonshq.com/display/pylonscookbook/Using+a+Virtualenv+Sandbox (which has By the way, the url is dead and it is here https://github.com/pypa/virtualenv/blob/384c8d13490f171a7ad99eeedd7fe45021a83d87/docs/index.rst ;). |
The fact that there exists "exploit" now https://www.exploit-db.com/exploits/45528/ and that security trackers of major distros treat this as vulunerability is rather funny. |
I guess we might be able to use this as a privilege escalation, I’m going to try it actually |
Very amusing, ha ha and all that, but given that a CVE has been created for
this and several other trackers are also listing it, it's now reaching the
point of wasting significant time that should be spent on real security
issues, in other words, we now do have a sort of DoS on our security
infrastructure. So let's put this to bed now please: this "sandbox escape"
is not a vulnerability.
|
@0cjs I just proved it can be used to gain root access, how is that not a vulnerability? |
One plausible explanation for the above is that the blanked-out lines in your screenshot include |
@0cjs I actually blanked it out because it worked, I’m still testing to ensure it wasn’t because of my outdated system, I’m actually in agreement that it was a different kernel exploit that happened to show itself within virtualenv, once again testing still. |
Well, you should confirm things a little more before you report tools that, by design, allow you to run arbitrary programs and code as the current user. Reporting this as a virtualenv vulnerability makes about as much sense as reporting it as a Bash vulnerability because you also used Bash above, or a GCC vulnerability because it was used to compile some code you ran at some point. |
I didn’t report anything...? |
root@kali:~/test_env#python $(bash >&2) Wow, that's nice, but you don't really need to use $()...you could just... root@kali:~/test_env#echo "this is quackery" to "bypass" the virtualenv sandboxing mechanisms. |
@BakedPotato999 you managed to get from executing arbitary python (or other) code as root... to executing arbitrary python (or other) code as root. What do you suggest is security problem that pops up from the former situation to the latter? |
Woah, what a serious issue. How can I use software meant to do one thing if it can not securely do some thing else? Please advise. |
@Ednix liveoverflow? |
@Ednix You can't. You must never use a Unix shell again because it can't be securely used for some purposes. |
In fact, let's never use computers again. Dangerous things they are, they can be used for many purposes. |
In fact this "issue" reminded me that it may be possible to use for addressing #1334 - does anyone has some POC code that we can start with? |
Nexus by Sonatype provides a proxy for pypi.org. The proxy allows quarantining any package with a vulnerability score over a given threshold. Due to this misguided CVE virtualenv has been quarantined. When misunderstandings result in CVEs being filed it has real impact on users, as well as the waste of contributor time and effort. Sorry if that is stating the obvious but this issue is impacting me directly. |
MITRE set the CVE to disputed. Maybe you can get Sonatype to honor this information. |
We shouldn't live at all, life is dangerous |
Exploit Title: virtualenv Sandbox escape
Date: 2018-9-30
Exploit Author: Topsec Technologies Inc. - vr_system
Version: 16.0.0
Tested on: kali linux
CVE : None
The text was updated successfully, but these errors were encountered: