OT: What's up with the starship?

skip

Shane> I'm trying to understand:

Shane> a) how urgent and/or exploitable this is,

Perhaps not very. As I indicated in an earlier post, the exploit has been
available since 2001, so it is probably fairly hard to exploit.

Shane> b) how I can check whether a given Python installation (running
Shane> on a server) has been patched, and

If it's running 2.4.4 or 2.5 it should be okay. If it's running some
earlier version a lot will depend on whether Python was installed by a Linux
distributor (in which case check their version numbers and their release
notes) or installed locally from source.

Shane> c) whether the security advisory downplays the risk more than it
Shane> should, since it appears that many Zope/Plone web servers are
Shane> vulnerable.

I can't pretend to divine the true meaning behind all the wording of the
various security advisories. You'd have to ask each one of the security
organizations.

Here's one example:

http://secunia.com/advisories/22276/

The application has to work with Unicode on a UCS-4-compiled version of
Python and use the repr() function on such Unicode strings. Furthermore,
the black hat would have to figure out how to get a suitably crafted Unicode
string into the repr() function at just the right place.

I'm not saying it can't be done, but I think it would be a fairly
challenging undertaking.

Skip
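Skip's answer to (b) can be turned into a local configuration check. The script below is an added example, not code from the thread or from any Python project: it applies the two conditions stated above (the fix shipped in 2.4.4 / 2.5, and only UCS-4 builds are exposed) to the interpreter that runs it. The build-width test relies on sys.maxunicode, which is 0xFFFF on a narrow (UCS-2) build and 0x10FFFF on a wide (UCS-4) build of the 2.x-era interpreters the thread discusses; from Python 3.3 onward it is always 0x10FFFF, so the width test carries no information there. A distributor's backport to an older version is invisible to this check, which is why an old UCS-4 build is reported as "check the vendor's release notes" rather than as vulnerable. The constant names and verdict strings are this example's own.

```python
"""Added example (not from the thread): classify a Python interpreter against
the preconditions Skip lists for the UCS-4 repr() issue.

Uses only syntax shared by Python 2.3+ and Python 3 so it can be run on the
old interpreters under discussion as well as on a current one.
"""
import sys

# Upstream releases the thread names as carrying the fix (2.4.4 and 2.5).
FIXED_UPSTREAM = (2, 4, 4)

# sys.maxunicode is 0x10FFFF on a UCS-4 (wide) build and 0xFFFF on a UCS-2
# (narrow) build for Python 2.x and 3.0-3.2.  From 3.3 on (PEP 393) it is
# always 0x10FFFF, so the width test only says something about older builds.
UCS4_MAXUNICODE = 0x10FFFF


def is_ucs4_build(maxunicode):
    """True when the interpreter stores Unicode in 4-byte units."""
    return maxunicode == UCS4_MAXUNICODE


def assess(version_info, maxunicode):
    """Classify an interpreter from its version tuple and its sys.maxunicode.

    Returns one of:
      'fixed-upstream'  version is 2.4.4 / 2.5 or later
      'not-ucs4'        older release, but a narrow build, so the advisory's
                        precondition (UCS-4 plus repr() on Unicode) is absent
      'check-vendor'    older UCS-4 build: only a distributor backport would
                        have fixed it, so check the package version and notes
    """
    major_minor_micro = tuple(version_info[:3])
    if major_minor_micro >= FIXED_UPSTREAM:
        return 'fixed-upstream'
    if not is_ucs4_build(maxunicode):
        return 'not-ucs4'
    return 'check-vendor'


def check_running_interpreter():
    """Apply assess() to the interpreter executing this script."""
    return assess(sys.version_info, sys.maxunicode)


if __name__ == '__main__':
    verdict = check_running_interpreter()
    print('Python %d.%d.%d, sys.maxunicode=0x%X -> %s' % (
        sys.version_info[0], sys.version_info[1], sys.version_info[2],
        sys.maxunicode, verdict))
```

Run it with the interpreter that serves the application in question (the one Zope or Plone is started with), not whichever `python` happens to be first on the administrator's PATH; a server host often carries several.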
 
Fredrik Lundh

I admit I am totally flummoxed by your answer.
What does when the bug was introduced have to do with
anything?

oh, I thought your main concern was whether the packages available had
been compromised, and that you asked if that was the reason an advisory
was released last week.

if someone has developed an exploit for the vulnerability, chances are
that they'd attack more than just a single obscure and mostly abandoned
server.

</F>
 
A.M. Kuchling

suggests that it was sufficiently obscure that either a) nobody who knew
about it found a way to take advantage of it, or b) it was only recently

It might well be difficult to exploit to run arbitrary code because
your exploit code needs to have no unprintable bytes in it; repr()
turns unprintable characters into \xNN, after all, and isn't doing a
straightforward string copy. (But hackers can be very clever...)

--amk
 
rurpy

The files I downloaded were from sourceforge. I don't know if
starship.python.net hosts the source files or plays any role in
building the distribution package. It may be that is all done
elsewhere. But given starship.python.net's historical association
with Pywin32, I am not going to just assume that.

In email, Mark Hammond said that the Pywin32 code is not
hosted at starship.python.net, nor are the distributions built there.
(I assume this does not apply to the very old win32all stuff that
*is* at python.net but I doubt anyone uses those anymore.)
 
rurpy

Fredrik said:

Fredrik> oh, I thought your main concern was whether the packages available had
Fredrik> been compromised,

Yes.

Fredrik> and that you asked if that was the reason an advisory
Fredrik> was released last week.

No, I asked if there was any relationship.
http://groups.google.com/group/comp.lang.python/msg/f1974d9b5a42639e?hl=en&

Fredrik> if someone has developed an exploit for the vulnerability, chances are
Fredrik> that they'd attack more than just a single obscure and mostly abandoned
Fredrik> server.

If someone's goal was to compromise machines by compromising
software that was likely to be installed by many people, they would
be wise to minimize the chance of detection by attacking as few
machines as possible. But given what mwh wrote earlier about the
incident, and what you say about starship.python.net's lack
of prominence, obviously that was unlikely to be their goal.
 
Gabriel Genellina

A.M. Kuchling said:

amk> It might well be difficult to exploit to run arbitrary code because
amk> your exploit code needs to have no unprintable bytes in it; repr()
amk> turns unprintable characters into \xNN, after all, and isn't doing a
amk> straightforward string copy. (But hackers can be very clever...)

Years ago someone made a UUDecode executable program consisting
entirely of printable ASCII characters (.COM, for DOS, might still
work on XP...)


--
Gabriel Genellina
Softlab SRL
 