Contextual Code Execution in nuitka/nuitka
Reported on
Jun 4th 2022
Description
The main() function passes the environment variables NUITKA_PYTHONPATH, NUITKA_NAMESPACES and NUITKA_PTH_IMPORTED to eval(), which can lead to contextual code execution: an attacker who can set one of these variables to a malicious payload string can execute arbitrary commands with the privileges of the running program. This can lead to backdoors, reverse shells or reading/writing privileged files.
One example of a similar vulnerability is CVE-2022-0845 in the popular pytorch-lightning repository. [See References]
Proof of Concept
- Set the malicious payload:
$ export NUITKA_PYTHONPATH='os.system("touch rickroll")'
- Run nuitka/__main__.py - the payload gets executed:
$ ls rickroll
rickroll
Impact
This vulnerability allows code execution on the target system in the context of the user running the program. This can allow an attacker to gain access to systems, read/write malicious files, etc.
Remediation
A safe way to patch the vulnerability while preserving its functionality would be to parse the environment variable manually and iterate over it to resolve the value of sys.path.
Occurrences
__main__.py L108
setPreloadedPackagePaths(eval(os.environ["NUITKA_NAMESPACES"]))
__main__.py L45
sys.path = eval(os.environ["NUITKA_PYTHONPATH"])
__main__.py L117
setPthImportedPackages(eval(os.environ["NUITKA_PTH_IMPORTED"]))
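The Remediation section asks for a parser that never hands the environment value to eval(). The following is an added example, not Nuitka's own code: it reads a NUITKA_* variable with ast.literal_eval, which accepts only Python literals (strings, numbers, lists, dicts and the like) and raises on calls, names and attribute access, so the payload shape from the proof of concept is rejected before anything runs. The variable names and the list-of-strings shape for NUITKA_PYTHONPATH are taken from the report; the sample values are constructed.

```python
import ast

# Constructed sample values: the benign list NUITKA_PYTHONPATH is meant to
# carry, and an expression of the shape described in the proof of concept.
BENIGN = "['/opt/app/lib', '/opt/app/site-packages']"
MALICIOUS = 'os.system("touch rickroll")'


def parse_env_literal(raw, expected_type):
    """Parse an environment string as a Python literal of the expected type.

    ast.literal_eval builds an AST and only converts literal nodes; a Call,
    Name or Attribute node makes it raise ValueError, so nothing in the
    string is ever executed. SyntaxError (unparseable input) is folded into
    ValueError so callers have one failure mode to handle."""
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a Python literal: {raw!r}") from exc
    if not isinstance(value, expected_type):
        raise ValueError(
            f"expected {expected_type.__name__}, got {type(value).__name__}"
        )
    return value


def load_sys_path(environ):
    """Resolve sys.path from NUITKA_PYTHONPATH without eval().

    `environ` is a mapping (os.environ in real use; a dict here so the
    function can be exercised offline). Returns None when the variable is
    unset, otherwise a list of path strings; anything else is rejected."""
    raw = environ.get("NUITKA_PYTHONPATH")
    if raw is None:
        return None
    paths = parse_env_literal(raw, list)
    if not all(isinstance(p, str) for p in paths):
        raise ValueError("NUITKA_PYTHONPATH must be a list of strings")
    return paths


def is_rejected(raw, expected_type=list):
    """True when the parser refuses `raw`, i.e. it is not a literal of
    the expected type. Used to check the hardened parser's behaviour."""
    try:
        parse_env_literal(raw, expected_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_sys_path({"NUITKA_PYTHONPATH": BENIGN}))
    print("payload rejected:", is_rejected(MALICIOUS))
```

The same parse_env_literal call covers NUITKA_NAMESPACES and NUITKA_PTH_IMPORTED once their expected literal type is known; checking the type after parsing is what keeps a well-formed but wrong-shaped literal from reaching sys.path.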
I acknowledge the issue. I do not have an immediate fix. I guess using e.g. JSON dumps would be safe?
Well, yes, that could be safe. Also, what type of data do these fields contain? If it's booleans or numbers (integers/floats) you can use ast.literal_eval. If you can give me a general idea about the nature and type of data, I can try to come up with a fix. Thank you 😃
I have made a change for factory https://nuitka.net/doc/factory.html where I replaced all usages in Nuitka that are expecting to work on literals with ast.literal_eval which is a shame I didn't know exists. It will be in the 0.9 release, I do not plan any hotfixes for 0.8 right now being on holiday, i.e. less infrastructure.
Not sure what actions to take, or if I should make this a thing in the changelog, or how to credit you in the commit or changelog. I welcome suggestions. Trying to be a good upstream here.
I just saw there is a fix bounty, in my mind pointing out that function should mean you get that.
I'm just happy to help secure a repository I have been so intrigued by in the past. As for any credits, I believe @admin can assign this bug a CVE and that will be really helpful for users and organizations using the repository alike.
Thank you for maintaining and developing such an amazing project 😃
@whokilleddb - if you submit a fix using the controls on this report page, the maintainer will be able to credit you with finding and fixing the issue.
@maintainer - if you think this is a legitimate vulnerability, I encourage you to resolve this as valid using the Resolve button below 👇 👇 👇
Once you have a commit SHA for the fix, you can confirm the fix against the report as well. This will make the report public and publish a CVE for the report.
