BAN-B606 · Audit required: Starting a subprocess

Audit required: Starting a subprocess BAN-B606

Security

Minor

4 years ago — 5 years old

Starting a process without a shell.

200    elif os.path.basename(sys.argv[0]) in ['lore', 'lore.exe']:
201        args[0] = BIN_LORE
202    try:
203        os.execv(args[0], args)204    except Exception as e:
205        if args[0] == BIN_LORE and args[1] == 'console' and JUPYTER_KERNEL_PATH:
206            print(ansi.error() + ' Your jupyter kernel may be corrupt. Please remove it so lore can reinstall:\n $ rm ' + JUPYTER_KERNEL_PATH)

Starting a process without a shell.

lore/__main__.py

 556    port = parsed.port or os.environ.get('PORT') or '5000'
 557    args = [env.BIN_FLASK, 'run', '--port', port, '--host', host] + unknown
 558    os.environ['FLASK_APP'] = env.FLASK_APP
 559    os.execv(env.BIN_FLASK, args) 560
 561
 562def console(parsed, unknown):

Starting a process without a shell.

lore/__main__.py

 845    install_jupyter_kernel()
 846    args = [env.BIN_JUPYTER, 'lab'] + unknown
 847    print(ansi.success('JUPYTER') + ' ' + str(env.BIN_JUPYTER))
 848    os.execv(env.BIN_JUPYTER, args) 849
 850
 851def install_darwin():

Starting a process without a shell.

lore/__main__.py

 838    install_jupyter_kernel()
 839    args = [env.BIN_JUPYTER, 'notebook'] + unknown
 840    print(ansi.success('JUPYTER') + ' ' + str(env.BIN_JUPYTER))
 841    os.execv(env.BIN_JUPYTER, args) 842
 843
 844def lab(parsed, unknown):

Starting a process without a shell.

lore/__main__.py

 570
 571    print(ansi.success('JUPYTER') + ' ' + str(env.BIN_JUPYTER))
 572    os.environ['PYTHONSTARTUP'] = startup
 573    os.execv(env.BIN_JUPYTER, args) 574
 575
 576def execute(parsed, unknown):

Description

Spawning of a subprocess in a way that doesn't use a shell is generally safe, but it maybe useful for penetration testing workflows to track where external system calls are used.

Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input.

import os

# Creating subprocess:
# The following calls can be sensitive if the command is not sanitized, since they are starting a subprocess.
os.spawnl(mode, path, *cmd)
os.spawnle(mode, path, *cmd, env)
os.spawnlp(mode, file, *cmd)
os.spawnlpe(mode, file, *cmd, env)
os.spawnv(mode, path, cmd)

References:

OWASP Top 10 2021 Category A03 - Injection
SANS Top 25
CWE-78

sanketsaurav / lore

References: