[issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
Sergey G. Brester
report at bugs.python.org
Fri Aug 24 15:44:10 EDT 2018
New submission from Sergey G. Brester <serg.brester at sebres.de>:
There is a vulnerability "insufficient escape of special chars for quoting of arguments by exec process" for python-language, if executing windows batch-files (bat/cmd).
### What version of python is affected?
All
### Does this issue reproduce with the latest master?
Yes
### What did you do?
Execution of batch-file using `subprocess` module with arguments containing some special meta-characters.
A recipe for reproducing the error as well as more extensive PoC with additional info (and more lang's affected also):
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/README.md
A complete runnable program:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/test-dump-inv.py
#### A simple example:
```diff
# invoke exe-file:
>>> import subprocess
>>> subprocess.call(['test-dump.exe', 'test&whoami'])
+ `test-dump.exe´ `test&whoami´
# invoke cmd-file:
>>> subprocess.call(['test-dump.CMD', 'test&whoami'])
- `test-dump.exe´ `test´my_domain\sebres
```
For more "broken" cases, see the result of my test-suite:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/results/python.diff
### What did you expect to see?
Arguments are escaped/quoted properly.
### What did you see instead?
Arguments are insufficient escaped/quoted, so it is vulnerable currently.
### Solution:
For possible solution see the github-PR#8906:
- https://github.com/python/cpython/pull/8906
For algorithm description:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/SOLUTION.md
resp. how it was fixed in TCL (C-code):
- https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch&to=0-day-21b0629c81 (see the function `BuildCommandLine`)
### Possible similar issues:
bpo-33515
----------
components: Library (Lib), Windows
messages: 324013
nosy: paul.moore, sebres, steve.dower, tim.golden, zach.ware
priority: normal
pull_requests: 8376
severity: normal
status: open
title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue34489>
_______________________________________
More information about the Python-bugs-list
mailing list