when format strings attack

Gabriel Genellina

http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN

I saw a warning from homeland security about this. I only comment on
this because I am trying to use os.system('command1 arg') and it doesn't
work, but I do see examples with % that is borrowed from the C language.
Seems like if I can write a batch file that does something, the same
behavior should happen in the os module.

Pure Python programs are not affected, but a review of the C implementation
should be made to see if any (variant of) printf is used without a proper
format. Anyway I doubt you could find something, because the vulnerability
has been so well known for ages.
 
Nick Maclaren

|> <[email protected]> wrote in message
|> |>
|> > http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN
|> >
|> > I saw a warning from homeland security about this. I only comment on
|> > this because I am trying to use os.system('command1 arg') and it doesn't
|> > work, but I do see examples with % that is borrowed from the C language.
|> > Seems like if I can write a batch file that does something, the same
|> > behavior should happen in the os module.
|>
|> Pure Python programs are not affected, but a review of the C implementation
|> should be made to see if any (variant of) printf is used without a proper
|> format. Anyway I doubt you could find something, because the vulnerability
|> has been so well known for ages.

Not really. There are LOTS of vulnerabilities that have been known
for ages and are still legion. The reason that this is unlikely is
that it is both easy to spot and trivial to fix.


Regards,
Nick Maclaren.
 
Gabriel Genellina

Nick Maclaren said:
> |>
> |> Pure Python programs are not affected, but a review of the C implementation
> |> should be made to see if any (variant of) printf is used without a proper
> |> format. Anyway I doubt you could find something, because the vulnerability
> |> has been so well known for ages.
>
> Not really. There are LOTS of vulnerabilities that have been known
> for ages and are still legion. The reason that this is unlikely is
> that it is both easy to spot and trivial to fix.

Yes... Anyway, unless someone actually *does* revise the code, whether it's easy
or not has no importance. I think that some automated tools were used to find
problems, but I don't know if this specific vulnerability was searched for.
 
John Zenger

Perhaps it is not as severe a security risk, but pure Python programs
can run into similar problems if they don't check user input for %
codes. Example:
Traceback (most recent call last):
  File "<pyshell#8>", line 1, in ?
    print j % "John"
TypeError: not enough arguments for format string
 
Steven D'Aprano

> http://www.ddj.com/184405774;jsessionid=BDDEMUGJOPXUMQSNDLQCKHSCJUNN2JVN
>
> I saw a warning from homeland security about this. I only comment on
> this because I am trying to use os.system('command1 arg') and it doesn't
> work

What do you mean, doesn't work? It works fine for me, precisely as
expected. What does it do for you? Crash Windows? Crash Python? Raise an
exception? Return an unexpected result?
> but I do see examples with % that is borrowed from the C language.

The "When Format Strings Attack" article isn't relevant to Python. Unlike
C, Python doesn't arbitrarily dump bytes from the stack into a string if you
print a string containing %s. In Python, print just prints strings; it
doesn't do any string formatting. String formatting is done by the %
operator, so print "a string containing %s" is safe.

You'd be better off looking at Python examples than C. This is what I'm
guessing you're doing:

>>> os.system('command1 arg')
sh: command1: command not found
32512

os.system doesn't do name-lookups of the string you pass to it. The right
way to do this is some variation on this:
-rw-rw-r-- 1 steve steve 333 Sep 24 16:51 text.txt
0

or even something like this:

os.system('dir -l %s' % 'text.txt')


Now, there is a security risk: you might set command1 yourself, and
allow the user to set args. If command1 is an external application
with a security hole, and the user provides arguments that trigger that
bug, then naturally your application will inherit whatever security
vulnerabilities the external application suffers from. No surprises there.
 
Gabriel Genellina

> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes. Example:
>
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string

That's not a problem, it's an exception. *This* is a problem:
printf("Hello, %s")


--
Gabriel Genellina
Softlab SRL

 
Steven D'Aprano

> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.

Please don't top-post.

A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?

> Example:
>
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string

That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.

In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
that:

http://www.joelonsoftware.com/articles/Wrong.html
 
Jeremy Sanders

Steven D'Aprano wrote:
> os.system('dir -l %s' % 'text.txt')
>
> Now, there is a security risk: you might set command1 yourself, and
> allow the user to set args. If command1 is an external application
> with a security hole, and the user provides arguments that trigger that
> bug, then naturally your application will inherit whatever security
> vulnerabilities the external application suffers from. No surprises there.

There are also big risks like this:

filename = 'foo; rm importantfile'
cmd = 'ls %s' % filename
os.system(cmd)

oops!
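As an added example (my code, not from anyone in the thread), the three patterns discussed above side by side: a user value formatted into a fixed template, user input misused as the template itself, and a filename interpolated into an os.system-style command line versus passed as an argv list to subprocess. The function names are my own; the hostile filename is the constructed sample from Jeremy's post.

```python
import shlex
import subprocess


def greet(user_input):
    """User text used as a *value*: the template is fixed, so any % codes
    inside the input are never interpreted (Steven's point above)."""
    return "Hello, %s" % user_input


def render_user_template(user_input):
    """User text used as the *template*: the bug in John Zenger's example.
    Python raises instead of reading stray stack bytes, but it still breaks."""
    try:
        return user_input % "John"
    except TypeError as exc:
        return "TypeError: %s" % exc


def shell_line_unsafe(filename):
    """Jeremy's pattern: a name interpolated straight into a shell line.
    Metacharacters in the name become extra shell commands."""
    return "ls -l %s" % filename


def shell_line_quoted(filename):
    """Same command line, but the name is quoted for /bin/sh first, so the
    whole thing is one word to the shell."""
    return "ls -l %s" % shlex.quote(filename)


def argv_no_shell(filename):
    """Preferred form: an argument list handed to subprocess with no shell,
    so the name is exactly one argv entry whatever characters it contains."""
    return ["ls", "-l", filename]


def list_file(filename):
    """Run the argv form; returns the exit status much like os.system does."""
    return subprocess.run(argv_no_shell(filename), capture_output=True, text=True).returncode


if __name__ == "__main__":
    hostile = "foo; rm importantfile"  # constructed sample input from the thread
    print(greet("%s%s%x"))                   # % codes survive as plain text
    print(render_user_template("Hello %s %s"))  # the TypeError from the thread
    print(shell_line_unsafe(hostile))        # two commands for the shell
    print(shell_line_quoted(hostile))        # one quoted word for the shell
    print(argv_no_shell(hostile))            # one argv entry, no shell at all
```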
 
Eric_Dexter

I will give the formatting a try. I noticed another formatting thing I
wasn't looking for. It is possible to have a \n at the end of a word,
or at least that is how it is shown and fixed through Python 2.5. I
had an error where 36\n isn't a number. Easy to fix though.
 