Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Tut] Python Library Hijacking – A Simple Demonstration on NumPy

#1
Python Library Hijacking – A Simple Demonstration on NumPy

<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{&quot;align&quot;:&quot;left&quot;,&quot;id&quot;:&quot;908596&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;top&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;1&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;5&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;Rate this post&quot;,&quot;legend&quot;:&quot;5\/5 - (1 vote)&quot;,&quot;size&quot;:&quot;24&quot;,&quot;width&quot;:&quot;142.5&quot;,&quot;_legend&quot;:&quot;{score}\/{best} - ({count} {votes})&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</div>
<p>In this blog post, I’ll show you how recreated a <strong>Python library hijacking vulnerability </strong>on my home network. </p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1021" height="571" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-224.png" alt="" class="wp-image-908642" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-224.png 1021w, https://blog.finxter.com/wp-content/uplo...00x168.png 300w, https://blog.finxter.com/wp-content/uplo...68x430.png 768w" sizes="(max-width: 1021px) 100vw, 1021px" /></figure>
</div>
<p>The <a href="https://tryhackme.com/room/wonderland" data-type="URL" data-id="https://tryhackme.com/room/wonderland" target="_blank" rel="noreferrer noopener">Wonderland box on TryHackMe</a> was the inspiration for exploring this kind of vulnerability.</p>
<p>In my previous <a href="https://blog.finxter.com/tryhackme-walkthrough-wonderland/" data-type="post" data-id="892288" target="_blank" rel="noreferrer noopener">Wonderland walkthrough blog post</a>, I highlighted an example of exploiting the ‘<code><a href="https://blog.finxter.com/python-random-module/" data-type="post" data-id="5030" target="_blank" rel="noreferrer noopener">random</a></code>’ module to switch users without knowing their password. </p>
<p>In this post, I’ll guide you through the setup and execution of the exploit. You can also watch the accompanying video tutorial here:</p>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/python-library-hijacking-demonstration/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FvXkGYLfQauk%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>What is Python Library Hijacking?</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="911" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-225.png" alt="" class="wp-image-908661" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-225.png 607w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 607px) 100vw, 607px" /></figure>
</div>
<p>When a user has permission to run a file as another user it is possible to create a <strong>spoof file</strong> that Python will load instead of the originally intended module or library. The necessary conditions for Python library hijacking are:</p>
<ol>
<li>The user must have sudo permissions to run a Python file <code>.py</code> as another user</li>
<li>The Python path must be set to look first in the folder where the spoof file is stored </li>
</ol>
<h2>Setup</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-226.png" alt="" class="wp-image-908664" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-226.png 608w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
</div>
<p>In order to re-create this vulnerability, I had to learn how to set up the above conditions for the exploit. </p>
<p>On my home network, I have a <a rel="noreferrer noopener" href="https://blog.finxter.com/getting-to-know-your-basic-uctronics-raspberry-pi-pico-kit/" data-type="post" data-id="892909" target="_blank">Raspberry Pi</a> 3b running DietPi operating system. Originally I set this up to run Pi-hole to filter ads out from my home network. </p>
<p>In order to set up the permissions to run a file as another user I edited the sudoers file with <code>visudo</code>. </p>
<p><a rel="noreferrer noopener" href="https://www.sudo.ws/docs/man/1.8.13/visudo.man/" data-type="URL" data-id="https://www.sudo.ws/docs/man/1.8.13/visudo.man/" target="_blank">Visudo</a> is a special editor specifically for editing the sudoers file. It only allows one user to edit the file at a time, and also checks user edits for correct syntax. I created a file called ‘<code>checkmypermissions.py</code>’ and granted sudo permissions to <code>vulnerableuser</code> to run it as user ben. </p>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" loading="lazy" width="1024" height="238" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-219-1024x238.png" alt="" class="wp-image-908611" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-219-1024x238.png 1024w, https://blog.finxter.com/wp-content/uplo...300x70.png 300w, https://blog.finxter.com/wp-content/uplo...68x178.png 768w, https://blog.finxter.com/wp-content/uplo...ge-219.png 1249w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
</div>
<p>To do this I used the command ‘<code>sudo visudo</code>’ to edit sudoers file, and then I added the second line for vulnerable user:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="3" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""># User privilege specification
root ALL=(ALL:ALL) ALL
vulnerableuser ALL=(ben:1001) /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py</pre>
<p>The nice thing about <code>visudo</code> is that it checks your formatting to make sure that there are not any errors, and it will even suggest changes to help you format the permissions correctly. </p>
<p>This functionality helped me save time getting the correct spacing and punctuation on the new sudoers line.</p>
<h2>Running the Exploit</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-227.png" alt="" class="wp-image-908667" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-227.png 608w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
</div>
<p>Once the permissions were set up I ssh’d into <code>vulnerableuser@&lt;raspberry pi IP></code>. Running the ‘<code>sudo -l</code>’ command showed me the granular sudo permissions.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="809" height="266" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-220.png" alt="" class="wp-image-908621" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-220.png 809w, https://blog.finxter.com/wp-content/uplo...300x99.png 300w, https://blog.finxter.com/wp-content/uplo...68x253.png 768w" sizes="(max-width: 809px) 100vw, 809px" /></figure>
</div>
<p>The line above <code>(ben : 1001) /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py</code> shows that as <code>vulnerableuser</code> I can execute the <code>checkmypermissions.py</code> file <em>as the user Ben</em>.  </p>
<p>All that is left to do is to check the Python PATH to make sure that it checks first in the current directory, and then create a python file named <code>numpy.py</code> with code to spawn a shell. One way to check the Python PATH is:</p>
<p><strong>Python</strong></p>
<pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">import sys
sys.path</pre>
<p>In the example below, we can see that the python PATH is already set to search in the current working directory (<code>''</code>). </p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="558" height="275" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-221.png" alt="" class="wp-image-908628" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-221.png 558w, https://blog.finxter.com/wp-content/uplo...00x148.png 300w" sizes="(max-width: 558px) 100vw, 558px" /></figure>
</div>
<p>Next we create the <code>numpy.py</code> file to spawn a <a href="https://blog.finxter.com/how-to-execute-python-shell-commands/" data-type="post" data-id="887777" target="_blank" rel="noreferrer noopener">shell</a>.</p>
<p><code><strong>nano numpy.py</strong></code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">import os
os.system("/bin/bash")
</pre>
<p>It is important to first set up execute permissions on the spoofed <code>numpy.py</code> file:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">chmod +x numpy.py</pre>
<p>Now we can carry out the python library hijack and spawn a shell as user ben without knowing their password by running the following command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -u ben /usr/bin/python3 /home/vulnerableuser/checkmypermissions.py  </pre>
<h2>Project Learnings</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="912" src="https://blog.finxter.com/wp-content/uploads/2022/11/image-228.png" alt="" class="wp-image-908669" srcset="https://blog.finxter.com/wp-content/uploads/2022/11/image-228.png 608w, https://blog.finxter.com/wp-content/uplo...00x300.png 200w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
</div>
<h3>Learning #1</h3>
<p>I learned that <strong>Visudo is a special editor within Linux</strong> to change the sudoers file <code>/etc/sudoers</code>. </p>
<p>It helps check formatting to avoid any errors or crashes from poorly written lines. The sudoers file allows the root user to granularize user permissions with the sudoers file on Linux.</p>
<h3>Learning #2</h3>
<p>Granting run as another user file permissions can expose a machine to library hijacking vulnerabilities. </p>
<p>Running <code>sudo -l</code> can help expose special user file permissions when enumerating for attack vectors to execute privilege escalation.</p>
<h3>Learning #3</h3>
<p>I found that it is helpful to compile a custom shortlist of Python and bash commands new to me for each project. I borrowed this strategy from my experience with language learning. </p>
<p>Over the years, I’ve improved my Mandarin by taking notes on new vocabulary words and grammar patterns. When working on a new topic area I would always create my own custom grammar and vocabulary lists for reference. </p>
<p>I’ve found that the simple act of focusing on recording a list helps to cement my learning and creates a nice reference for later use.</p>
</div>


https://www.sickgaming.net/blog/2022/11/...-on-numpy/
Reply



Forum Jump:


Users browsing this thread:
2 Guest(s)

Forum software by © MyBB Theme © iAndrew 2016