Language summit lightning talks

Posted Jun 8, 2017 20:51 UTC (Thu) by mb (subscriber, #50428)
In reply to: Language summit lightning talks by stevedower
Parent article: Language summit lightning talks

> it makes sense to focus on that one

No, it doesn't.
You're lost already if you can execute arbitrary binaries.
If that is python, bash, perl or anything else does not matter at all.

To make it even worse, the following sentence simply is complete nonsense:
> ... if you could somehow get one shell command executed on a workstation ... that command might well be something like: python

If you have a shell, you already have a turing complete language. You don't need Python.

Language summit lightning talks

Posted Jun 8, 2017 20:53 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (5 responses)

> If you have a shell, you already have a turing complete language. You don't need Python.

If your goal is to exploit a kernel vulnerability in a device driver then you're going to find it much easier to call ioctl() from Python than from bash

Language summit lightning talks

Posted Jun 9, 2017 9:31 UTC (Fri) by NAR (subscriber, #1313) [Link] (3 responses)

I think the question is not that is it easy or not, but is it possible or not. It's enough if one person implements and releases the technique to call ioctl() from shell (something like "upload this binary garbage, write it to a file, give execute permissions, execute with these parameters"), the rest of the world can (ab)use it. By the way, on the system I'm typing this comment, there's a tool called blockdev installed which (according to its manual) is used to "call block device ioctls from the command line". So it looks like calling some ioctls is not that complicated, at least on this system.

Language summit lightning talks

Posted Jun 9, 2017 18:41 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

If you've got some sort of executable control mechanism then uploading new binaries isn't going to get you very far. Python is definitely more interesting, since it doesn't have any mechanism for verifying that the code it's about to execute is itself trustworthy (especially since you can pass that code as an argument)

Language summit lightning talks

Posted Jun 10, 2017 0:25 UTC (Sat) by nybble41 (subscriber, #55106) [Link] (1 responses)

> So it looks like calling some ioctls is not that complicated, at least on this system.

It might be worth pointing out that Perl also provides a built-in mechanism for invoking raw ioctls on any file descriptor[1], so this issue is hardly specific to Python. If anything, a Perl script to perform ioctls would probably be more likely to work on arbitrary systems than the equivalent Python script. If an attacker can run code of their choice in just about any general-purpose scripting language, you've already lost.

[1] https://perldoc.perl.org/functions/ioctl.html

Language summit lightning talks

Posted Jun 10, 2017 7:22 UTC (Sat) by mjg59 (subscriber, #23239) [Link]

Yeah Python certainly isn't special here, there's any number of interpreted languages that give the same capability. But bash isn't really one of them, and so it's reasonable to distinguish between "arbitrary shell access" and "I can execute a full featured language interpreter"

Language summit lightning talks

Posted Jun 9, 2017 15:38 UTC (Fri) by hkario (subscriber, #94864) [Link]

Do you know that regular bash can do TCP connections?

https://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip

from there:

exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
cat >&3

Language summit lightning talks

Posted Jun 9, 2017 10:47 UTC (Fri) by jwilk (subscriber, #63328) [Link]

Turing completeness is about computational power.
It's neither sufficient nor necessary to do malicious stuff.