21.Python-library-hijacking

Check SUID/SGID Script Permissions

ls -l <script_name>.py

Check Script Contents

cat <script_name>.py

Find Library Location

grep -r "def <function_name>" /usr/local/lib/python3.8/dist-packages/<library_name>/

Check Library Permissions

ls -l /usr/local/lib/python3.8/dist-packages/<library_name>/__init__.py

Modify Library (Insert Malicious Code)

nano /usr/local/lib/python3.8/dist-packages/<library_name>/__init__.py

Run Script (With sudo if needed)

sudo python3 <script_name>.py

Key Concepts:

  • Python Libraries:

    • Modules that extend Python's functionality.

    • Examples: NumPy, Pandas, psutil.

  • Import Mechanism:

    • Python searches for modules in a specific order.

    • sys.path shows the search path.

  • Hijacking Techniques:

    • Wrong write permissions on library files.

    • Manipulating the library search path.

    • Using the PYTHONPATH environment variable.

  • SUID/SGID:

    • Scripts with these bits set run with the owner's/group's privileges.

Attack Vectors and Exploitation:

  1. Wrong Write Permissions:

    • If a library file is writable by the attacker, they can modify it.

    • Inject malicious code into the library.

    • If a SUID/SGID script imports the library, the malicious code runs with elevated privileges.

  2. Library Path Manipulation:

    • Python searches for libraries in a specific order (defined by sys.path).

    • If a higher-priority directory is writable, the attacker can place a malicious library there.

    • Python will import the malicious library instead of the legitimate one.

  3. PYTHONPATH Environment Variable:

    • The PYTHONPATH variable allows specifying additional library search paths.

    • If the attacker can control PYTHONPATH (e.g., via sudo), they can redirect Python to a malicious directory.

Exploitation Steps (as described):

  1. Wrong Write Permissions:

    • Identify a SUID/SGID Python script.

    • Identify the imported library.

    • Check the library's permissions.

    • Modify the library to inject malicious code.

    • Run the script.

  2. Library Path Manipulation:

    • Identify a Python script that imports a library.

    • Check sys.path to determine the library search order.

    • Identify a writable directory with higher priority.

    • Create a malicious library in that directory.

    • Run the script.

  3. PYTHONPATH Environment Variable:

    • Identify a Python script that imports a library.

    • Check sudo -l to see if you can set environment variables for the python binary.

    • Create a malicious library.

    • Set PYTHONPATH to point to the malicious directory.

    • Run the script.

Important Considerations and Enhancements:

  • Security Best Practices:

    • Use proper file permissions.

    • Avoid writable directories in the library search path.

    • Restrict sudo access.

    • Do not allow the setting of environment variables via sudo, unless absolutely needed.

  • Attack Scenarios:

    • Developer environments.

    • Web applications.

    • Automation scripts.

  • Mitigation:

    • Regularly audit file permissions.

    • Use virtual environments.

    • Use package managers (e.g., pip) to install libraries.

    • Use tools like bandit to scan python code for vulnerabilities.

  • Detection:

    • Monitor file system changes.

    • Use intrusion detection systems.

    • Monitor for unexpected Python library imports.

  • Real world examples: Researching real world python library hijacking exploits will help solidify understanding of the attack vectors.

  • Virtual Environments: Emphasize the importance of virtual environments for python development.

  • Pip Security: Emphasize the importance of only installing python packages from trusted sources.

Previous20.Shared-object-hijackingNext6.Recent 0-Days

Last updated