GHSA-7Q25-QRJW-6FG2

Vulnerability from github – Published: 2020-03-24 15:07 – Updated: 2024-10-21 21:06
VLAI?
Summary
Malicious package may avoid detection in python auditing
Details

Python Auditing Vulnerability

Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.

Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.

Usage

Install safety, insecure-package, and this package with pip in the same python environment. Order doesn't matter.

  1. pip install safety
  2. pip install insecure-package
  3. pip install dist/malicious-0.1-py3-none-any.whl

Run the check

  1. safety check

You should see both Running my modified safety.check and that insecure-package is not listed in the results!

How it Works

Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.

  1. When you install this package, the setup.py settings installs a malicious.pth file to your site-packages directory.
  2. The malicious.pth file gets loaded anytime Python starts, which in turn imports our malicious package.
  3. The malicious/__init__.py patches the safety library with a custom function to avoid detection.
Severity ?
5.0 (Medium)
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "safety"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-23T23:07:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Python Auditing Vulnerability\n\nDemonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.\n\nTools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.\n\n## Usage\n\nInstall `safety`, `insecure-package`, and this package with pip in the same python environment. Order doesn\u0026amp;#39;t matter.\n\n1. pip install safety\n2. pip install insecure-package\n3. pip install dist/malicious-0.1-py3-none-any.whl\n\nRun the check\n\n4. `safety check`\n\nYou should see both `Running my modified safety.check` and that `insecure-package` is not listed in the results!\n\n\n## How it Works\n\nEverything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.\n\n1. When you install this package, the `setup.py` settings installs a `malicious.pth` file to your `site-packages` directory.\n2. The `malicious.pth` file gets loaded anytime Python starts, which in turn imports our `malicious` package.\n3. The `malicious/__init__.py` patches the safety library with a custom function to avoid detection.",
  "id": "GHSA-7q25-qrjw-6fg2",
  "modified": "2024-10-21T21:06:25Z",
  "published": "2020-03-24T15:07:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akoumjian/python-safety-vuln"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/safety/PYSEC-2020-101.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyupio/safety"
    },
    {
      "type": "WEB",
      "url": "https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln"
    },
    {
      "type": "WEB",
      "url": "https://pyup.io/posts/patched-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious package may avoid detection in python auditing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.