Message 316638 - Python tracker

Message316638

Author	abigail
Recipients	abigail, paul.moore, steve.dower, tim.golden, zach.ware
Date	2018-05-15.11:01:31
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1526382091.26.0.682650639539.issue33515@psf.upfronthosting.co.za>
In-reply-to

Content
It's possible to invoke an application without interpreting any of its arguments as shell magic: >>> print(subprocess.check_output(["C:/testapplication.exe", "foo", "&&", "echo", "%PROGRAMFILES%"])) Hello world from application! 5 arguments: Argument 0: 'C:/testapplication.exe' Argument 1: 'foo' Argument 2: '&&' Argument 3: 'echo' Argument 4: '%PROGRAMFILES%' But not so for batch scripts: >>> print(subprocess.check_output(["C:/testscript.bat", "foo", "&&", "echo", "%PROGRAMFILES%"])) Hello world from script! 2 arguments: Argument 0: 'C:/testscript.bat' Argument 1: 'foo' C:\Program Files I don't know if this is a fundamental limitation of Windows' batch script processing, or of the Win32 CreateProcess API, but this looks exploitable, as it allows shell injection: the subprocess docs warn about shell injection in a big red box, and promise you'll be safe if you a list of arguments and the default shell=False. Tested on Python 2.7.15 and Python 3.6.5.

Content

It's possible to invoke an application without interpreting any of its arguments as shell magic:

>>> print(subprocess.check_output(["C:/testapplication.exe", "foo", "&&", "echo", "%PROGRAMFILES%"]))
Hello world from application! 5 arguments:
Argument 0: 'C:/testapplication.exe'
Argument 1: 'foo'
Argument 2: '&&'
Argument 3: 'echo'
Argument 4: '%PROGRAMFILES%'

But not so for batch scripts:

>>> print(subprocess.check_output(["C:/testscript.bat", "foo", "&&", "echo", "%PROGRAMFILES%"]))
Hello world from script! 2 arguments:
Argument 0: 'C:/testscript.bat'
Argument 1: 'foo'
C:\Program Files

I don't know if this is a fundamental limitation of Windows' batch script processing, or of the Win32 CreateProcess API, but this looks exploitable, as it allows shell injection: the subprocess docs warn about shell injection in a big red box, and promise you'll be safe if you a list of arguments and the default shell=False.

Tested on Python 2.7.15 and Python 3.6.5.

History
Date	User	Action	Args
2018-05-15 11:01:31	abigail	set	recipients: + abigail, paul.moore, tim.golden, zach.ware, steve.dower
2018-05-15 11:01:31	abigail	set	messageid: <1526382091.26.0.682650639539.issue33515@psf.upfronthosting.co.za>
2018-05-15 11:01:31	abigail	link	issue33515 messages
2018-05-15 11:01:31	abigail	create