Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

dailydave logo Dailydave mailing list archives

Re: Google Apps Engine
From: "Aidan Thornton" <makosoft () googlemail com>
Date: Sat, 12 Apr 2008 09:09:09 +0100

On 4/11/08, Lutz Böhne <lboehne () damogran de> wrote:

Even those could easily be sanitized by just some fun with function
pointers.

    >>> open=lambda *x: "no"
    >>> open('/etc/passwd')
    'no'


Unless there are other ways to find these functions:

    >>> __builtins__.__dict__["open"]( '/etc/passwd')
    <open file '/etc/passwd', mode 'r' at 0xb7dac7b8>

or even:

    >>> open=lambda *x: "no"
    >>> open('/etc/passwd')
    'no'
    >>> del open
    >>> open('/etc/passwd')
    <open file '/etc/passwd', mode 'r' at 0xb7db44a0>

Python is fun, there are so many ways to have it do what you want ;)

It might be possible to remove these functions like this:

    >>> del __builtins__.__dict__["open"]
    >>> open('/etc/passwd')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    NameError: name 'open' is not defined
    [...]

But i don't know whether that'd get rid of all problems.

Best regards,

Lutz



Hi,

The quick answer is no, it wouldn't be enough. For example, try
type(sys.stdin)('/etc/passwd') or the equivalent
sys.stdin.__class__('/etc/passwd'). Also, as
http://mail.python.org/pipermail/python-dev/2006-July/067291.html
points out, file can be obtained from object.__subclasses__(). (object itself can be found by working up the 
inheritance tree from any new-style class - say, a string - using __bases__)

Python's powerful introspection support and lack of data hiding make
doing any sort of meaningful sandboxing within the language itself very difficult. There used to be a bundled module 
called rexec to do this (via a combination of hooks into the interpreter and built-in support), but it was depreciated 
due to security issues. They might be doing something similar - it seems to strip what functions from native-code 
modules can be imported to some safe whitelist (and load all modules written in Python within the sandbox).

Aidan
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]