
when format strings attack

http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN

I saw a warning from homeland security about this. I only comment on
this because I am trying to use os.system('command1 arg') and it doesn't
work, but I do see examples with % that is borrowed from the C language.
Seems like if I can write a batch file that does something, the same
behavior should happen in the os module..

Jan 19 '07 #1
<Er*********@msn.com> wrote in message
news:11**********************@q2g2000cwa.googlegroups.com...
> http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
>
> I saw a warning from homeland security about this. I only comment on
> this because I am trying to use os.system('command1 arg') and it doesn't
> work, but I do see examples with % that is borrowed from the C language.
> Seems like if I can write a batch file that does something, the same
> behavior should happen in the os module..

Pure Python programs are not affected, but a review of the C implementation
should be made to see if any (variant of) printf is used without a proper
format. Anyway I doubt you could find something, because the vulnerability
has been so well known for ages.

--
Gabriel Genellina
Jan 19 '07 #2

In article <ma***************************************@python.org>,
"Gabriel Genellina" <ga******@yahoo.com.ar> writes:
|<Er*********@msn.com> wrote in message
|news:11**********************@q2g2000cwa.googlegroups.com...
|>
| http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
|
| I saw a warning from homeland security about this. I only comment on
| the because I am trying to use os.system('command1 arg') and it doesn't
| work but I do see examples with % that is borrowed from the c language.
| Seems like if I can write a batch file that does something the same
| behavior should happen in the os module..
|>
|Pure Python programs are not affected, but a review of the C implementation
|should be made to see if any (variant of) printf is used without a proper
|format. Anyway I doubt you could find something, because the vulnerability
|is so well known for ages.

Not really. There are LOTS of vulnerabilities that have been known
for ages and are still legion. The reason that this is unlikely is
that it is both easy to spot and trivial to fix.
Regards,
Nick Maclaren.
Jan 19 '07 #3
"Nick Maclaren" <nm**@cus.cam.ac.uk> wrote in message
news:eo**********@gemini.csx.cam.ac.uk...
> In article <ma***************************************@python.org>,
> "Gabriel Genellina" <ga******@yahoo.com.ar> writes:
> |>
> |Pure Python programs are not affected, but a review of the C implementation
> |should be made to see if any (variant of) printf is used without a proper
> |format. Anyway I doubt you could find something, because the vulnerability
> |is so well known for ages.
>
> Not really. There are LOTS of vulnerabilities that have been known
> for ages and are still legion. The reason that this is unlikely is
> that it is both easy to spot and trivial to fix.
Yes... Anyway, unless someone actually *does* revise the code, whether it's easy or
not has no importance. I think that some automated tools were used to find
problems, but I don't know if this specific vulnerability was searched for.

--
Gabriel Genellina
Jan 19 '07 #4
Perhaps it is not as severe a security risk, but pure Python programs
can run into similar problems if they don't check user input for %
codes. Example:
>>> k = raw_input("Try to trick me: ")
Try to trick me: How about %s this?
>>> j = "User %s just entered: " + k
>>> print j % "John"
Traceback (most recent call last):
  File "<pyshell#8>", line 1, in ?
    print j % "John"
TypeError: not enough arguments for format string

On Jan 19, 10:44 am, "Gabriel Genellina" <gagsl...@yahoo.com.arwrote:
> <Eric_Dex...@msn.com> wrote in message
> news:11**********************@q2g2000cwa.googlegroups.com...
> > http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
> > I saw a warning from homeland security about this. I only comment on
> > this because I am trying to use os.system('command1 arg') and it doesn't
> > work, but I do see examples with % that is borrowed from the C language.
> > Seems like if I can write a batch file that does something, the same
> > behavior should happen in the os module..
>
> Pure Python programs are not affected, but a review of the C implementation
> should be made to see if any (variant of) printf is used without a proper
> format. Anyway I doubt you could find something, because the vulnerability
> has been so well known for ages.
>
> --
> Gabriel Genellina
Jan 19 '07 #5
On Fri, 19 Jan 2007 03:51:08 -0800, Er*********@msn.com wrote:
> http://www.ddj.com/184405774;jsessio...QCKHSCJUNN2JVN
>
> I saw a warning from homeland security about this. I only comment on
> this because I am trying to use os.system('command1 arg') and it doesn't
> work

What do you mean, doesn't work? It works fine for me, precisely as
expected. What does it do for you? Crash Windows? Crash Python? Raise an
exception? Return an unexpected result?

> but I do see examples with % that is borrowed from the c language.

The "When Format Strings Attack" article isn't relevant to Python. Unlike
C, Python doesn't arbitrarily dump bytes from the stack into a string if you
print a string containing %s. In Python, print just prints strings; it
doesn't do any string formatting. String formatting is done by the %
operator, so print "a string containing %s" is safe.

You'd be better off looking at Python examples than C. This is what I'm
guessing you're doing:
>>> command1 = 'dir'
>>> args = '-l text.txt'
>>> os.system('command1 arg')
sh: command1: command not found
32512

os.system doesn't do name-lookups of the string you pass to it. The right
way to do this is some variation on this:
>>> commandline = "%s %s" % (command1, args)
>>> commandline
'dir -l text.txt'
>>> os.system(commandline)
-rw-rw-r-- 1 steve steve 333 Sep 24 16:51 text.txt
0

or even something like this:

os.system('dir -l %s' % 'text.txt')
Now, there is a security risk: you might set command1 yourself, and
allow the user to set args. If command1 is an external application
with a security hole, and the user provides arguments that trigger that
bug, then naturally your application will inherit whatever security
vulnerabilities the external application suffers from. No surprises there.
--
Steven.

Jan 19 '07 #6
At Friday 19/1/2007 15:43, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes. Example:
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's not a problem, it's an exception. *This* is a problem:
printf("Hello, %s")
--
Gabriel Genellina
Softlab SRL



Jan 19 '07 #7
On Fri, 19 Jan 2007 10:43:53 -0800, John Zenger wrote:
> Perhaps it is not as severe a security risk, but pure Python programs
> can run into similar problems if they don't check user input for %
> codes.
Please don't top-post.

A: Because it messes up the order that we read things.
Q: Why?
A: Top-posting.
Q: What is the most annoying newsgroup habit?

> Example:
> >>> k = raw_input("Try to trick me: ")
> Try to trick me: How about %s this?
> >>> j = "User %s just entered: " + k
> >>> print j % "John"
> Traceback (most recent call last):
>   File "<pyshell#8>", line 1, in ?
>     print j % "John"
> TypeError: not enough arguments for format string
That's hardly the same sort of vulnerability the article was talking
about, but it is a potential bug waiting to bite.

In a serious application, you should keep user-inputted strings separate
from application strings, and never use user strings unless they've been
made safe. See Joel Spolsky's excellent article about one way of doing
that:

http://www.joelonsoftware.com/articles/Wrong.html

--
Steven.

Jan 19 '07 #8
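The separation Steven recommends, applied to John's example, as an added illustration that is not code from the thread (Python 3 rather than the thread's Python 2; the sample input and the directive-detecting regex are constructed here):

```python
import re

# Constructed sample input: what the user typed at John Zenger's prompt.
USER_TEXT = "How about %s this?"

def naive_message(user, text):
    """The pattern from the thread: user input is concatenated INTO the
    format template, so any '%' the user typed becomes a directive."""
    template = "User %s just entered: " + text
    return template % user      # TypeError for '%s', ValueError for a bare '%'

def safe_message(user, text):
    """User data only ever travels as an ARGUMENT to a fixed template
    (the separation Steven recommends), so its '%' characters stay literal."""
    return "User %s just entered: %s" % (user, text)

# A printf-style directive: %, optional mapping key, flags, width, precision,
# then a conversion character; '%%' is the escape for a literal percent sign.
_DIRECTIVE = re.compile(
    r"%(?:%|(?:\([^)]*\))?[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?[diouxXeEfFgGcrsa])"
)

def has_format_directives(text):
    """Audit helper: True if the % operator would interpret anything in text.
    Note it cannot flag an incomplete trailing '%' (see naive_failure below)."""
    return any(m.group(0) != "%%" for m in _DIRECTIVE.finditer(text))

def naive_failure(user, text):
    """Name of the exception naive_message() raises for this input, or None."""
    try:
        naive_message(user, text)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None

if __name__ == "__main__":
    print(naive_failure("John", USER_TEXT))   # TypeError, as in the thread
    print(naive_failure("John", "100%"))      # ValueError: incomplete format
    print(safe_message("John", USER_TEXT))    # the text survives untouched
```

The regex is an audit aid only; the actual fix is never letting user text become the template.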
Steven D'Aprano wrote:
> os.system('dir -l %s' % 'text.txt')
> Now, there is a security risk: you might set command1 yourself, and
> allow the user to set args. If command1 is an external application
> with a security hole, and the user provides arguments that trigger that
> bug, then naturally your application will inherit whatever security
> vulnerabilities the external application suffers from. No surprises there.

There are also big risks like this:

filename = 'foo; rm importantfile'
cmd = 'ls %s' % filename
os.system(cmd)

oops!

--
Jeremy Sanders
http://www.jeremysanders.net/
Jan 19 '07 #9
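Steven's composition risk and Jeremy's metacharacter risk side by side, as an added example that is not code from the thread (Python 3; the file name is Jeremy's constructed one, and a child Python process stands in for ls so the run needs no particular binary):

```python
import shlex
import subprocess
import sys

# Constructed sample input: Jeremy's file name carrying a shell metacharacter.
FILENAME = "foo; rm importantfile"

def shell_command(filename):
    """The risky pattern from the thread: interpolate into a shell string.
    /bin/sh would read this as two commands; here it is only built, never run."""
    return "ls %s" % filename

def quoted_shell_command(filename):
    """If a shell string is unavoidable, shlex.quote() turns the whole value
    into one single-quoted word, so ';' is data rather than a separator."""
    return "ls %s" % shlex.quote(filename)

def argv_command(filename):
    """Preferred form: an argv list. With shell=False no shell parses it,
    so the file name is always exactly one argument to the program."""
    return ["ls", filename]

def run_argv(argv):
    """Run an argv list without a shell and return (exit_status, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout

def echo_argument(value):
    """Show that the argument arrives intact: a child Python process prints
    sys.argv[1] verbatim (the interpreter stands in for ls)."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    status, out = run_argv(argv)
    return status, out.rstrip("\n")

if __name__ == "__main__":
    print("string for /bin/sh :", shell_command(FILENAME))
    print("quoted for /bin/sh :", quoted_shell_command(FILENAME))
    print("argv list          :", argv_command(FILENAME))
    print("child saw argv[1]  :", echo_argument(FILENAME))
```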
I will give the formatting a try. I noticed another formatting thing I
wasn't looking for. It is possible to have a \n at the end of a word,
or at least that is how it is shown and fixed through Python 2.5. I
had an error where 36\n isn't a number. Easy to fix though.
Jeremy Sanders wrote:
> Steven D'Aprano wrote:
> > os.system('dir -l %s' % 'text.txt')
> > Now, there is a security risk: you might set command1 yourself, and
> > allow the user to set args. If command1 is an external application
> > with a security hole, and the user provides arguments that trigger that
> > bug, then naturally your application will inherit whatever security
> > vulnerabilities the external application suffers from. No surprises there.
>
> There are also big risks like this:
>
> filename = 'foo; rm importantfile'
> cmd = 'ls %s' % filename
> os.system(cmd)
>
> oops!
>
> --
> Jeremy Sanders
> http://www.jeremysanders.net/
Jan 20 '07 #10
