21.Python-library-hijacking

Check SUID/SGID Script Permissions

ls -l <script_name>.py

Check Script Contents

cat <script_name>.py

Find Library Location

grep -r "def <function_name>" /usr/local/lib/python3.8/dist-packages/<library_name>/

Check Library Permissions

ls -l /usr/local/lib/python3.8/dist-packages/<library_name>/__init__.py

Modify Library (Insert Malicious Code)

nano /usr/local/lib/python3.8/dist-packages/<library_name>/__init__.py

Run Script (With sudo if needed)

sudo python3 <script_name>.py

Key Concepts:

• Python Libraries:

  • Modules that extend Python's functionality.

  • Examples: NumPy, Pandas, psutil.

• Import Mechanism:

  • Python searches for modules in a specific order.

  • sys.path shows the search path.

• Hijacking Techniques:

  • Wrong write permissions on library files.

  • Manipulating the library search path.

  • Using the PYTHONPATH environment variable.

• SUID/SGID:

  • Scripts with these bits set run with the owner's/group's privileges.

Attack Vectors and Exploitation:

1. Wrong Write Permissions:

   • If a library file is writable by the attacker, they can modify it.

   • Inject malicious code into the library.

   • If a SUID/SGID script imports the library, the malicious code runs with elevated privileges.

2. Library Path Manipulation:

   • Python searches for libraries in a specific order (defined by sys.path).

   • If a higher-priority directory is writable, the attacker can place a malicious library there.

   • Python will import the malicious library instead of the legitimate one.

3. PYTHONPATH Environment Variable:

   • The PYTHONPATH variable allows specifying additional library search paths.

   • If the attacker can control PYTHONPATH (e.g., via sudo), they can redirect Python to a malicious directory.

Exploitation Steps (as described):

1. Wrong Write Permissions:

   • Identify a SUID/SGID Python script.

   • Identify the imported library.

   • Check the library's permissions.

   • Modify the library to inject malicious code.

   • Run the script.

2. Library Path Manipulation:

   • Identify a Python script that imports a library.

   • Check sys.path to determine the library search order.

   • Identify a writable directory with higher priority.

   • Create a malicious library in that directory.

   • Run the script.

3. PYTHONPATH Environment Variable:

   • Identify a Python script that imports a library.

   • Check sudo -l to see if you can set environment variables for the python binary.

   • Create a malicious library.

   • Set PYTHONPATH to point to the malicious directory.

   • Run the script.

Important Considerations and Enhancements:

• Security Best Practices:

  • Use proper file permissions.

  • Avoid writable directories in the library search path.

  • Restrict sudo access.

  • Do not allow the setting of environment variables via sudo, unless absolutely needed.

• Attack Scenarios:

  • Developer environments.

  • Web applications.

  • Automation scripts.

• Mitigation:

  • Regularly audit file permissions.

  • Use virtual environments.

  • Use package managers (e.g., pip) to install libraries.

  • Use tools like bandit to scan python code for vulnerabilities.

• Detection:

  • Monitor file system changes.

  • Use intrusion detection systems.

  • Monitor for unexpected Python library imports.

• Real world examples: Researching real world python library hijacking exploits will help solidify understanding of the attack vectors.

• Virtual Environments: Emphasize the importance of virtual environments for python development.

• Pip Security: Emphasize the importance of only installing python packages from trusted sources.