Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdxMjUtcXJqdy02Zmcy
Malicious package may avoid detection in python auditing
Python Auditing Vulnerability
Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.
Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.
Usage
Install safety, insecure-package, and this package with pip in the same python environment. Order doesn't matter.
- pip install safety
- pip install insecure-package
- pip install dist/malicious-0.1-py3-none-any.whl
Run the check
safety check
You should see both Running my modified safety.check and that insecure-package is not listed in the results!
How it Works
Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.
- When you install this package, the
setup.pysettings installs amalicious.pthfile to yoursite-packagesdirectory. - The
malicious.pthfile gets loaded anytime Python starts, which in turn imports ourmaliciouspackage. - The
malicious/__init__.pypatches the safety library with a custom function to avoid detection.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdxMjUtcXJqdy02Zmcy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-7q25-qrjw-6fg2, CVE-2020-5252
References:
- https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2
- https://github.com/akoumjian/python-safety-vuln
- https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/
- https://pyup.io/posts/patched-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2020-5252
- https://github.com/advisories/GHSA-7q25-qrjw-6fg2
Blast Radius: 17.7
Affected Packages
pypi:safety
Dependent packages: 94Dependent repositories: 3,535
Downloads: 1,373,034 last month
Affected Version Ranges: < 1.9.0
Fixed in: 1.9.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7
All unaffected versions: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 3.0.0, 3.0.1, 3.1.0