
Dailydave: Re: Google Apps Engine

Re: Google Apps Engine

From: Thomas Ptacek <tqbf_at_matasano.com>
Date: Sat, 12 Apr 2008 13:22:15 -0500

If you own the interpreter codebase, shouldn't it be possible just to
hook libc's open(2) stub, and give a unique signature to calls that
originated on a trusted code path? This doesn't seem at all hard to
me.

On 4/12/08, Aidan Thornton <makosoft_at_googlemail.com> wrote:
>
> On 4/11/08, Lutz Böhne <lboehne_at_damogran.de> wrote:
> > > Even those could easily be sanitized by just some fun with function
> > > pointers.
> > >
> > > >>> open=lambda *x: "no"
> > > >>> open('/etc/passwd')
> > > 'no'
> >
> > Unless there are other ways to find these functions:
> >
> > >>> __builtins__.__dict__["open"]( '/etc/passwd')
> > <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>
> >
> > or even:
> >
> > >>> open=lambda *x: "no"
> > >>> open('/etc/passwd')
> > 'no'
> > >>> del open
> > >>> open('/etc/passwd')
> > <open file '/etc/passwd', mode 'r' at 0xb7db44a0>
> >
> > Python is fun, there are so many ways to have it do what you want ;)
> >
> > It might be possible to remove these functions like this:
> >
> > >>> del __builtins__.__dict__["open"]
> > >>> open('/etc/passwd')
> > Traceback (most recent call last):
> > File "<stdin>", line 1, in <module>
> > NameError: name 'open' is not defined
> > [...]
> >
> > But I don't know whether that'd get rid of all problems.
> >
> > Best regards,
> >
> > Lutz
> >
>
>
> Hi,
>
> The quick answer is no, it wouldn't be enough. For example, try
> type(sys.stdin)('/etc/passwd') or the equivalent
> sys.stdin.__class__('/etc/passwd'). Also, as
> http://mail.python.org/pipermail/python-dev/2006-July/067291.html
> points out, file can be obtained from object.__subclasses__(). (object
> itself can be found by working up the inheritance tree from any
> new-style class - say, a string - using __bases__)
>
> Python's powerful introspection support and lack of data hiding make
> doing any sort of meaningful sandboxing within the language itself very
> difficult. There used to be a bundled module called rexec to do this
> (via a combination of hooks into the interpreter and built-in support),
> but it was deprecated due to security issues. They might be doing
> something similar - it seems to strip what functions from native-code
> modules can be imported to some safe whitelist (and load all modules
> written in Python within the sandbox).
>
>
> Aidan
>
> _______________________________________________
> Dailydave mailing list
> Dailydave_at_lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
Received on Apr 13 2008
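
The choke-point idea from this message, sketched in Python 3.8+ rather than the Python 2 of the thread (an added example, not part of the original posts): an audit hook sees the "open" event whichever name or class the caller used to reach the file API, and approved code paths are tagged explicitly. The names `trusted`, `run_guarded`, `probe` and `trusted_read` are hypothetical, and because the hook lives in the same interpreter as the code it watches, it shows where the check belongs and is useful for logging, but it is not a sandbox boundary the way a libc-level or OS-level hook is.

```python
import builtins, contextlib, io, os, sys, threading

_state = threading.local()   # per-thread flags read by the audit hook
denied = []                  # paths of blocked open attempts, for logging/alerting

def _open_hook(event, args):
    # Fires for every "open" audit event, whatever Python-level name or
    # class the caller used to reach the file API.
    if event != "open" or not getattr(_state, "guarded", False):
        return                       # not inside run_guarded(): do nothing
    if getattr(_state, "trusted", 0):
        return                       # call was tagged by trusted(): allow
    denied.append(args[0])
    raise PermissionError("open(%r) blocked on untrusted path" % (args[0],))

sys.addaudithook(_open_hook)         # Python 3.8+; a hook cannot be removed

@contextlib.contextmanager
def trusted():
    """Tag the enclosed calls as coming from a trusted code path."""
    _state.trusted = getattr(_state, "trusted", 0) + 1
    try:
        yield
    finally:
        _state.trusted -= 1

def run_guarded(fn, *args):
    """Run fn with file opens denied unless they happen inside trusted()."""
    _state.guarded = True
    try:
        return fn(*args)
    finally:
        _state.guarded = False

# Routes to the same operation that do not all go through the name "open".
ROUTES = {
    "builtins.open": lambda p: builtins.open(p, "rb").close(),
    "io.FileIO": lambda p: io.FileIO(p).close(),
    "os.open": lambda p: os.close(os.open(p, os.O_RDONLY)),
}

def probe(path=os.devnull):
    """Return {route: 'allowed' | 'denied'} for each route under the guard."""
    results = {}
    for name, route in ROUTES.items():
        try:
            run_guarded(route, path)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results

def trusted_read(path=os.devnull):
    """A tagged code path: the same open succeeds when wrapped in trusted()."""
    with trusted(), builtins.open(path, "rb") as fh:
        return fh.read()
```
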