SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Python Vendors:  Python.org
Python SimpleXMLRPCServer May Let Remote Users Access Internal Data or Execute Arbitrary Code
SecurityTracker Alert ID:  1013083
SecurityTracker URL:  http://securitytracker.com/id?1013083
CVE Reference:  CAN-2005-0089   (Links to External Site)
Date:  Feb 3 2005
Impact:  Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.2 all versions, 2.3 prior to 2.3.5, 2.4
Description:  A vulnerability was reported in Python in the SimpleXMLRPCServer library module. A remote user can access internal module data, potentially executing arbitrary code.

The vendor reported that Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method are affected. A remote user may be able to view or modify globals of the module or other modules that contain the registered instance's class(es).

Situations where the registered object is a module present a serious risk. If, for example, the registered module imports the os module, then a remote user can invoke the os.system() function to execute arbitrary operating system commands.

The Python development team discovered this flaw.
Impact:  A remote user may be able to gain read and write access to internal module data and functions, potentially executing arbitrary code.
Solution:  The vendor plans to issue fixed versions (2.3.5, 2.4.1). Version 2.3.5 is to be released within a few days from their announcement and version 2.4.1 is to be released later in February 2005.

The vendor has issued patches for Python 2.2, 2.3, and 2.4, available at:

http://python.org/security/PSF-2005-001/patch-2.2.txt (Python 2.2)

http://python.org/security/PSF-2005-001/patch.txt (Python 2.3, 2.4)

The vendor notes that the patches disable recursive traversal, which may adversely affect some XML-RPC applications that use the feature.
Vendor URL:  www.python.org/security/PSF-2005-001/PSF-2005-001.txt (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 11 2005 (Mandrake Issues Fix) Python SimpleXMLRPCServer May Let Remote Users Access Internal Data or Execute Arbitrary Code   (Mandrakelinux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Feb 16 2005 (Red Hat Issues Fix) Python SimpleXMLRPCServer May Let Remote Users Access Internal Data or Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix.


 Source Message Contents
Date:  Thu, 3 Feb 2005 15:30:45 -0500
Subject:  http://www.python.org/security/PSF-2005-001/PSF-2005-001.txt

 
 
 
---------------------------------------------------------------------
Python Security Advisory
 
Advisory ID:  PSF-2005-001
Issue Date:   February 3, 2005
Product:      Python
Versions:     2.2 all versions, 2.3 prior to 2.3.5, 2.4
CVE Names:    CAN-2005-0089
---------------------------------------------------------------------
 
Python is an interpreted, interactive, object-oriented programming
language. It is often compared to Tcl, Perl, Scheme or Java.
 
The Python development team has discovered a flaw in the
SimpleXMLRPCServer library module which can give remote attackers
access to internals of the registered object or its module or possibly
other modules.  The flaw only affects Python XML-RPC servers that use
the register_instance() method to register an object without a
_dispatch() method.  Servers using only register_function() are not
affected.
 
On vulnerable XML-RPC servers, a remote attacker may be able to view
or modify globals of the module(s) containing the registered
instance's class(es), potentially leading to data loss or arbitrary
code execution.  If the registered object is a module, the danger is
particularly serious.  For example, if the registered module imports
the os module, an attacker could invoke the os.system() function.
 
But the attack is not limited to registered object modules; for
example, the code in the Python cookbook recipe at
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/165375 is
vulnerable to an attack using im_func.func_globals.update which allows
reading or modifying the global variable accessList.
 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0089 to this issue.
 
Python 2.3.5 will be released from www.python.org within a few days
containing a fix for this issue.  Python 2.4.1 will be released later
this month containing the same fix.  Patches for Python 2.2, 2.3 and
2.4 are also immediately available:
 
- http://python.org/security/PSF-2005-001/patch-2.2.txt (Python 2.2)
 
- http://python.org/security/PSF-2005-001/patch.txt (Python 2.3, 2.4)
 
Note that these patches disable recursive traversal, potentially
resulting in reduced functionality of XML-RPC applications depending
on this feature.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC