BAN-B607 · Audit: Starting a process with a partial executable path

Audit: Starting a process with a partial executable path BAN-B607

Security

Minor

3 months ago — 4 years old

Starting a process with a partial executable path

152        return subprocess.check_output(['uname', '-mrs']).strip().decode()
153    except FileNotFoundError:
154        logging.warning('Please install lsb_release to detect the platform!')
155        return subprocess.check_output(['uname', '-mrs']).strip().decode()156
157
158def init():

Starting a process with a partial executable path

ajenti-core/aj/__init__.py

149    try:
150        return subprocess.check_output(['lsb_release', '-sd']).strip().decode()
151    except subprocess.CalledProcessError as e:
152        return subprocess.check_output(['uname', '-mrs']).strip().decode()153    except FileNotFoundError:
154        logging.warning('Please install lsb_release to detect the platform!')
155        return subprocess.check_output(['uname', '-mrs']).strip().decode()

Starting a process with a partial executable path

ajenti-core/aj/__init__.py

147
148def detect_platform_string():
149    try:
150        return subprocess.check_output(['lsb_release', '-sd']).strip().decode()151    except subprocess.CalledProcessError as e:
152        return subprocess.check_output(['uname', '-mrs']).strip().decode()
153    except FileNotFoundError:

Starting a process with a partial executable path

ajenti-core/aj/__init__.py

131
132    if dist == '':
133        try:
134            dist = subprocess.check_output(['strings', '-4', '/etc/issue']).split()[0].strip().decode()135        except subprocess.CalledProcessError as e:
136            dist = 'unknown'
137

Starting a process with a partial executable path

ajenti-core/aj/auth.py

194    def check_sudo_password(self, username, password):
195        if not aj.config.data['auth'].get('allow_sudo', False):
196            return False
197        sudo = subprocess.Popen(198            ['sudo', '-S', '-k', '-u', username, '--', 'ls'],199            stdin=subprocess.PIPE,200            stdout=subprocess.PIPE,201            stderr=subprocess.PIPE,202        )203        o, e = sudo.communicate(password.encode('utf-8') + b'\n')
204        if sudo.returncode != 0:
205            raise SudoError((o + e).decode('utf-8').splitlines()[-1].strip())

Description

Python possesses many mechanisms to invoke an external executable. If the desired executable path is not fully qualified relative to the filesystem root then this may present a potential security risk.

In POSIX environments, the PATH environment variable is used to specify a set of standard locations that will be searched for the first matching named executable. While convenient, this behavior may allow a malicious actor to exert control over a system. If they are able to adjust the contents of the PATH variable, or manipulate the file system, then a bogus executable may be discovered in place of the desired one. This executable will be invoked with the user privileges of the Python process that spawned it, potentially a highly privileged user.

This test will scan the parameters of all configured Python methods, looking for paths that do not start at the filesystem root, that is, do not have a leading ‘/’ character.

Bad practice

import subprocess

subprocess.run(['calculator', '-u', 'critical', msg], check=True) # Sensitive, Path not qualified from root

References:

Bandit B607
OWASP Top 10 2021 Category A03 - Injection

ajenti / ajenti

Bad practice

Recommended

References: