Having fun with pickle's stack language or "Using Beaker session may lead to remote code execution"
Felix Schwarz
as most of you know, you should *never* unpickle untrusted data like user
inputs because pickle is essentially a small stack language so you can do
quite a lot of things with it [1].
If you write a session library which stores session information from an
application, the data comes from the web application so that does not qualify
as "untrusted data" (unless the web applications is faulty but nothing in a
session library can prevent this kind of problems).
If you are using flat files on the disk it may appear to you that using the
session id as file name may be a good idea. Just get the storage directory and
concatenate it with the session id. Unpickle the data inside and the
application is ready to go.
Wait! There was a security hole in CherryPy just some months ago [2] labeled
"Malicious cookies may allow access to files outside the session directory".
This issue even got a CVE name [3]. Essentially the session id was not checked
at all so if you sent a 'session id' like '../../../foo' you could trick
CherryPy into reading the file named 'foo' and using its inputs as session data.
If the attacker was able to put an arbitrary file on the server (e.g. through
an upload function where the user could upload his files), he was able to get
arbitrary data into the session of the CherryPy app (like to have a username
like 'admin' or 'root'?).
Even worse, the attacker could overwrite arbitrary files (as long as the user
running CherryPy can write them) which can at least be used for a DOS attack
by destroying important program data.
Fortunately, this CherryPy bug was fixed long ago and if you use CherryPy 2.3
you are not vulnerable any more (if you store your sessions in a database
you were not vulnerable to this problem in the beginning).
Some weeks ago I decided to go for beaker[4] when building a new TurboGears
app. Just for fun I wanted to know how beaker prevented the session id
exploit. Beaker did not. It was vulnerable exactly in the same way CherryPy
was (look at encoded_path() in beaker.util).
Using a specially prepared 'pickle' file like the example below you can
execute arbitrary code as soon as beaker loads the session:
-----------------------
(S'echo 0wn3d'
p1
ios
system
(S'login'
S'bar'
S'_accessed_time'
F1207142018.5081761
S'_creation_time'
F1207142018.5081811
d.
-----------------------
Why do I write this post?
1. Two libraries had the same nasty bug. If you get some user data DO NOT
concatenate this data with a path to get a file name without sanitizing the
user input. Please look at the CherryPy fix [5] or the Beaker fix [6] on
how to solve the problem.
2. If you use new libraries, please do a short source code review :-)
3. I had much fun reading about pickle's data structures. [1] may provide you
with a short primer :-)
4. Beaker 0.9.4 fixes the problem above so if you use an older version, please
upgrade.
Happy TurboGears coding,
fs
[1] http://peadrop.com/blog/2007/06/18/pickle-an-interesting-stack-language/
[2] http://www.cherrypy.org/ticket/744
[3] CVE 2008-0252, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0252
[4] hhttp://pypi.python.org/pypi/Beaker/
[5] http://www.cherrypy.org/changeset/1773
[6] https://www.knowledgetap.com/hg/beaker/rev/678944e06a25,
https://www.knowledgetap.com/hg/beaker/rev/157ac6801b7b
Christopher Arndt
> Why do I write this post?
5. Nothing like digging into an interesting enigma to confirm how
stupid everybody else is! ;-)
Chris