CPython bugs & risky features
Formal Metadata
Number of Parts | 112
License | CC Attribution - NonCommercial - ShareAlike 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/60784 (DOI)
Transcript: English(auto-generated)
00:06
Hey, I'm disconnect3d, and as you could hear I will be talking about CPython bugs. So, a few words about me. I work as a senior security engineer at Trail of Bits. Trail of Bits is a company where we perform security audits for our customers and also do a lot of security research in
00:23
the blockchain, cryptography, and application security space. I also play capture-the-flag competitions; those are security competitions where you play as a team and solve security challenges. And I do a lot of low-level stuff and a little bit of reverse engineering when I have time,
00:43
and I also contribute to some open-source projects. I also have a blog on the internet, but it's not very active, yep. So, a quick question first: who has ever been on this website? Raise your hand. Okay, lots of you, that's good. So this is Python's bug tracker, and it looks like this, or maybe looked like
01:02
this, because currently it says that it migrated to GitHub and is now read-only. But yeah, here are some recent stats from it. Well, obviously it's closed already, so the stats end when it closed, but as you can see, there are maybe around 60 to 80 bugs being opened each month, and sometimes more of those
01:27
are closed, sometimes fewer, I mean in terms of the numbers closed, but there are still plenty of bugs that have been open for many years. So let's go to those bugs.
01:40
The first one I want to show you is about the readline module, and the problem is that the readline module is loaded in interactive mode in Python. This is an issue that was reported in 2011, and it exists in both Python 2 and 3. Let's maybe see how it works.
02:02
So the problem with readline is that readline is a library that is used for, well, reading lines, and you basically read lines whenever you type something in the interpreter, right? So libreadline is a library written in C that is used by CPython
02:21
whenever you use your interpreter, and the problem with it is that if you have some file like this written in C, where you, well, include some stuff, then create a function that has some content, like printing "hack" and then doing some fancy stuff, and you add this __attribute__((constructor)) here, and now if you compile
02:46
it properly into a shared library that you call libreadline.so, now if you open Python... I can maybe also open another console with netcat. Oh, wait, -l for
03:08
listen, yep. So if you now open Python after we have compiled this library in C... so now you open the Python interpreter. Okay, it did not work. Wait, why?
03:20
It should have been working. Oh, sorry, it shouldn't be libreadline.so, it should be readline.so, right? So now if you open Python, it basically will execute whatever you had in this constructor function in the shared library. So when can this actually be a problem?
03:42
This can be a problem whenever you are an admin, you log in to your server, and then you go to some uploads directory and want to, for example, process some files in the Python interpreter, and someone has uploaded this readline.so library there. Then something like this can, well, trigger and execute, and it's likely unwanted. Someone could say it's
04:05
a feature. By the way, it's maybe not really well seen here, but in this constructor I have done this, and this is called a reverse shell: I'm invoking a bash process here, so that it will basically spawn bash and forward its stdin and stdout to this TCP
04:26
socket. By the way, this /dev/tcp is a magic path supported by bash. So on the other console, I actually have this shell being spawned, well, the Python interpreter connected here, and now I can execute some commands. So this could be an attacker's server on the
04:43
bottom, and on the top it could be the admin's server, right? Yeah, so this is really weird; this shouldn't really work like this. And there is another catch, so we can also investigate how this works more or less, if only I would
05:03
close it. Okay, I close this. Okay, let me do it. So you can investigate it using strace on Linux. strace is a tool to basically trace system calls on Linux, and there is this openat system call whenever a file is being opened, and you can do something
05:22
like this. I need to forward stderr into stdout, because strace prints things on stderr. So if I launch strace like this, it will basically show me all the files that the Python interpreter has opened with this openat syscall. There are also other syscalls like open, but we don't really care about them. But I also want
05:43
to grep these results for .so, so I only want to see whenever it loads shared objects, so dynamically loaded libraries in C. So if we do this, we can see that this readline.so is being loaded here, right, and some other libraries that
06:02
are standard libraries used by C programs, as CPython is a C program. If I type something in this interpreter and press enter, there are many more libraries that are being loaded, which means that the interpreter first loads some libraries, and then it will load even more of them whenever you actually type something in and press enter.
06:23
So as you can see, a lot of libraries are there, right, and for example there's this bz2, lzma, hashlib; there should also be the SSL library loaded, the JSON library. So it turns out that those libraries can also be loaded from the current working directory, which means that if we come back to our readline example,
06:46
I can remove this one because it was not really used, and rename it to, for example, json.so (it could also be the longer name that we have seen in strace), and now type python3. You know, nothing happened, right? The payload did not get executed, I mean the malicious code,
07:03
but if I type something in, the interpreter will load the code and now it will also invoke this malicious library. Yeah, and so there are a few libraries that work like that, as I said, for example bz2, lzma, JSON, SSL,
07:24
yeah. So can we actually mitigate this? Well, the answer is yes, and we can look over the CPython source code for the function that actually imports the readline module. It's called pymain_import_readline, and we can see here this PyImport_ImportModule,
07:40
so this actually also, I think this will also try to load readline.py, I'm not sure, someone should probably try it. But the thing is that, you know, if there is a .so library that looks to Python like a valid shared object, then it will load it from the current working directory, and there are some if conditions here with which, you know, we can skip this loading
08:04
of the readline module, and one of these is this config->isolated, and that's called isolated mode in Python. If you look over the Python documentation or, you know, python --help, you will see this -I, where it says that it will run Python in
08:21
isolated mode. What it means is that it will also imply -E and -s, because there are two separate flags for those two different things, but basically this isolated mode will never add the current working directory to your sys.path. So it might be a good idea to actually alias your Python interpreter, like, you know, alias
08:44
python='python -I', at least for your root user, because you never want to compromise it... well, other users as well, of course. And now if you do, you know... okay, Python 3 won't really... okay, so python3... do I have an alias for python3 now,
09:02
or did it just work because python3 links to python3? Let me maybe close this console and try again. Okay, so python3... oh, wait, it's executing this payload here. So if I do python3 -I and then type something in, nothing happens.
09:20
It didn't really load this library right now. And by the way, this library should also be loaded with Python 2, but it doesn't work; but if we change it to readline.so and run Python... now it's loaded in Python 2. So this _json, _bz2 only works in Python 3, but readline.so works in both. Yeah, so that's one way to mitigate this,
09:46
but actually there was a pull request in May about fixing this, and it's already merged. But where the hell is it merged? I mean, in which Python versions is it fixed?
10:00
So on GitHub, if you go to the pull request, you have this merged commit at the bottom; you click on it, and then you can see the actual versions it's merged in. So it's merged into 3.11, but some beta versions, because 3.11 is not released yet, so I suppose this will be fixed in 3.11. But until then, it might be good to use this isolated mode for this.
10:26
Okay, so let's maybe look at another issue that is there. This other issue is called, well, there's a GitHub, sorry, a bug tracker issue for this, and it's called "deprecate and remove code execution in .pth files", which basically stands more
10:44
or less for code execution whenever you install a package and then launch a Python interpreter without even importing this package. It was reported in 2018, and thanks to Artur for this one, because he notified me about it.
11:00
But what are the .pth files? It turns out there is, of course, a documentation page for them in the site library or module. So the .pth files are basically path configuration files, and they can exist in some directories that are mentioned in the documentation,
11:21
and the contents of such a file are additional items to be added to sys.path. But that's not everything. If you go further, it says that blank lines and lines beginning with a comment are skipped, but lines starting with "import" followed by a space or tab are executed.
11:42
Executed: lines starting with import. So first it says that the .pth files are path configuration files, where you basically add something to sys.path, and then it says that you can also execute lines starting with import. And there's a note that an executable
12:00
line in a .pth file is run at every Python startup, regardless of whether a particular module is actually going to be used. So you start Python, you don't import a module, but the .pth files, the lines that are executable, are executed. There is an explanation of why it's there: the primary intended purpose of executable lines is
12:23
to make the corresponding modules importable, because you may have some kind of import hooks or adjust the PATH environment variable, or it may be required for your module. So that's the reason why this feature is there. But this feature is a bit problematic. So if we would like to test this feature, or bug, or maybe just not-great design,
12:46
we can install this library: pip install delivery-method. It's written by Artur, by the way, and you can see it on GitHub. But I would not really recommend you doing this; but we can do it here. So yeah, now I am one directory up, so this is not here,
13:05
so the libreadline issue is not there anymore. So if I do pip install delivery-method, I'm installing Artur's package, and now if I type python3, there is some "payload delivered" print going on here.
13:21
Okay, so how does this work? We can actually see the package's contents if you do pip show --files and the package name. And by the way, this also executes the payload. And you know, the package is installed in this directory, and here are all the files that are
13:40
in this package. So there is this aaaaa_delivery_method.pth file there. So let's look at its contents. Yep. And we go to this file. It basically does import sys and import delivery_method. Okay, so what does import delivery_method do? Because that's the
14:01
package, right? So delivery_method.py is also there, and it just prints this "payload delivered". So this is how it works. But it's a bit scarier, because, you know, they said that the Python lines here are executed if they begin with import. So can I do this?
14:22
Print something? And you know, if I save it, it should just work now. And as you can see, I printed "asd" there in this .pth file. So it's not really a .py file, but a .pth file, and some lines of it are executed. Actually, not all of the lines, because if I did not start
14:42
a line with import, but started it with just print, it would not be executed, because, you know, that's also what the documentation said: the line has to start with import. So if we go to the source code to see how it works, there is this addpackage function that is responsible for processing these .pth files within the site-packages directory.
15:05
And, you know, it opens the file and then enumerates over its lines, and if the line starts with a comment, it just continues, but if it starts with "import " or "import" followed by a tab, it will execute the line with exec. So this is how it works. And so, you know,
15:26
they said that some modules may be using it, right? And they should use it; they should use the .pth files basically to add to sys.path or maybe to import something. But there is this unintended feature that you can execute code as well, so let's see some packages that actually
15:46
leverage this feature, or maybe bug. So, for example, the pytest-cov package does something like this in its .pth file, and, you know, it's a module for pytest to get code coverage from your tests, and so it first imports os and sys and then executes some code.
16:04
If some environment variable is there, then it will import init and initialize something. It seems this is something related to subprocess coverage. No idea what that's there for, but yeah. Another example is the hunter module, so hunter is some module that can be
16:24
used for tracing your Python code, and it also executes some code, even simpler, right? It just executes some underscore-prefixed private method from its own module. So can we actually prevent this behavior, because it's a bit creepy or scary? So there was this PEP 648 that was proposed some time ago,
16:49
and it's actually, it says, you know, "extensible customizations of the interpreter at startup". They wanted to improve this thing. Maybe not necessarily disable it completely, but
17:02
definitely make it better. But its status is rejected, and it got rejected because it has a limited number of use cases and further complicates the startup sequence. Okay. There is another way we can do it. We can use the isolated mode again here, so
17:22
if I go back here, I have this... wait, where is this module? Did I remove it? Oh, I need an import here, right? Okay, so this is being executed, but if we do python3 -I, so isolated mode, this is not happening anymore. So this is how we can mitigate it.
17:45
But yeah, note that this bug is about deprecating and removing code execution in .pth files. So they don't really want to execute all the code. They want the sys.path-appending feature to be there, but they also want the import feature to be there. So likely the .pth files
18:06
are going to stay, but they don't want this, like, any code being executed in there. There was also a proposal to skip lines that have, you know, this... not a colon, I don't remember the character in it, but it was not really implemented.
18:23
So we will see how it goes. You know, it's already been four years since it was reported, but it's still there. The next issue is about the socket.inet_aton function, which has some parsing issues on some libc versions, and I reported it in 2019;
18:43
it's still there. But yeah, let's see the documentation for this function. So socket.inet_aton is actually a function that is taken from libc, from the C library, and what it does is convert an IP string, an IPv4 address, from, you know, its string
19:02
representation to the 32-bit packed binary format. So how does this work? If I do python3, Python here, import socket, socket.inet_aton, and do this, you will get the binary representation for this IP address. There are also more features to it: it also accepts
19:23
strings with fewer than three dots, like, you can have an IP address like this, and, you know, it will map in a weird way. You can even have this, you can even have some fancy number like this. This is treated as an IP address. By the way, at some point web browsers
19:42
also accepted this, I'm not sure if they still do, but yeah, it could sometimes allow you to bypass some, you know, IP validation where the IP was validated just as a string. Yeah, and there are some other weird things to it, and by the way, if you pass an incorrect
20:04
IP like this, or maybe like this... oops, why did it work? This is not a valid IP address here, but it actually worked, and, you know, this is something unwanted, especially if you kind of,
20:22
you may expect that if you use this function it will properly validate your IP address, whether it's a valid IP address, but apparently it does not. And now imagine such code in production, where you are taking the IP string from some request and then you do an if condition or maybe a try/except, because, well, it throws an error here,
20:47
an exception, and you do something like this, or a system("ping ..."), blah, blah, blah. So where could such code appear? Well, maybe in routers, and this was actually the case, but it was not really in Python, it was in C; there was C code that used this function,
21:05
and, you know, if you have something like this, the system("ping" + IP string), then you can bypass the command here and execute arbitrary code whenever you pass a malicious IP address. This was found by blasty, for whom I also checked this issue in C
21:22
Python, so I looked into how CPython uses socket.inet_aton. And, by the way, it's very important that this function is broken only in the glibc implementation, at least I believe; I'm not sure why exactly we are getting this here on Mac, so maybe it's also in the
21:42
LLVM's implementation as well, but, for example, if you use musl or uClibc, it won't be there, I mean, this won't really be supported on those weird, on those other versions. Yeah, so there are differences in libc implementations, obviously. So, how it's used
22:01
in Python: there was this issue within the ssl.match_hostname function in CPython, where if you did something like this, so you wanted to match a hostname for a given certificate that should, you know, match a given IP address, it was matching it. So this could actually be, you know, a security issue, because you may want to do some IP
22:25
filtering or match the, well, the certificate's hostname, but we didn't find any case where it was actually exploitable, where someone could actually leverage this and do something malicious. But it is already fixed, and in this ssl library the pull request is merged,
22:46
but I also found another case in the requests library. So I guess everyone knows requests, it's the library for sending HTTP requests, but the thing is, it also has some utility functions, so for example you can find out if a given IP address belongs to a given
23:05
network or if it's an IPv4 address and so on, and you know, it's broken here, as you can see. I reported it some time ago, but nobody cared, so it's still there, so maybe don't really use those
23:22
functions. And another thing I wanted to show you is this crypt.crypt function on macOS, so this crypt.crypt function is basically broken on macOS, and we can see it here.
23:41
If I import crypt, maybe let's do it in IPython, yeah. So first of all, let's see the documentation string for it: crypt.crypt is supposed to return a string representing the one-way hash of a password, with the salt prepended,
24:02
so maybe let's see how it works on Linux first. My payload is still executing here. So if I do something like this, and just to remember, the first argument is the word, so a password, and then you pass in a salt, which actually
24:25
uses some method that you specify there, yeah. So if we execute this crypt.crypt like this... whoops, wrong. Yeah, so if we execute it like this, we are getting the password hashed
24:41
with a given hashing method, there's a default one, and the salt is prepended here, somewhere here. So the salt is, this is actually the salt, whatever is between the two dollar signs, and you know, the salt is randomized, and then you have the hash of the password with the salt,
25:00
with a given method. And by the way, you can find out this method with man 5 crypt, and you can look for $6, for example, and $6 corresponds to sha512crypt, so SHA-2 with 512-bit output, and yeah, there's a format as well for this,
25:21
but if we execute it on macOS, what happens? It gives us some weird output, and you know, we don't really see any salt being prepended here, not even a method. So what is going on in here? The thing is that the crypt module,
25:42
wait, I need to do two asterisks here, or not, yeah, it has this .methods member, which tells you what crypt methods are supported, and on macOS there is only one method here; on Linux you will have many more of them,
26:05
so as you can see, it's basically using a different default method, and you can't even use any other method. So on Linux you can do something like "abc" and then probably crypt.METHOD_CRYPT, I believe, and you will get the same output as on macOS, right?
26:25
So this is a different crypt method, I don't really remember which one that is, but it's probably not very secure if it uses only this amount of bytes for hashing, right? It's probably brute-forceable, like you can brute-force it, but on macOS you can't really do other
26:44
methods because they're not supported. So if you try to do something like... wait, what was the name... like this, it... oh wait, it actually worked. So this is even more interesting, because it worked only partially: as you can see, the output is still truncated here,
27:06
so it's even more broken, because you are now getting something that is supposed to be hashed, but you know, you are only seeing part of its salt, and the salt is for some reason constant for a given input, or maybe it's... wait, maybe it's still using the old method,
27:26
I'm not sure, but it's basically broken, so you should really not use it if you want your code to be cross-platform. And if you go to the crypt library's documentation, it says that it's
27:43
deprecated since 3.11, so there is this PEP 594 that details some alternatives, but you should definitely use an alternative, which is using the hashlib module instead, because why would you use the crypt method, which is broken?
28:02
Basically, and that's all that I wanted to show you. So, for a quick summary: be careful whenever you are using, you know, Python, invoking the Python interpreter in random directories where there may be files you are not aware of, because there is this libreadline .so and some other .so shared objects that may be loaded.
28:26
I haven't really checked whether this also applies to macOS or Windows, but I suppose it probably does, but it's going to be fixed in Python 3.11, and you can also use isolated mode, so it may be good to do this alias here.
28:43
Then there are also these .pth files, so path configuration files that may execute code on each Python startup, so isolated mode helps here as well, but other than that, there is no solution yet. Then there is this socket.inet_aton that you should not really use, so if you want to parse an IP address, you should probably use the ipaddress module instead of
29:03
just a pure libc function, because even though you might want to use something more low-level and probably faster, it doesn't really work properly, as you can see. Or it's supposed to work properly, because the documentation states that those functions are just dispatching to
29:22
libc, and whatever libc does is supposedly the correct solution, but I wouldn't say so. The requests module has this bug when they use this socket.inet_aton, and there is this script being broken on macOS, and if you want to see the slides from the
29:47
presentation, there is the link at the bottom that you can use, and it has also the code for demos, so if you have any questions, I'm happy to answer them. Thank you.
30:04
Okay, please line up if you have questions. Is there anyone online with a question?
30:23
Thank you for your talk. I definitely learned a few things. I wanted to ask about the first bug. Is it because it's on the Python path or is it because in the current working directory? Yeah, so it's a great question. We can actually go to the pull request that fixes it,
30:40
because that's probably the easiest. Wait, I didn't link it here, so we can probably do something like... Oh, I have a link to it here. Yeah, so if we go to how it's being fixed... Yeah, I need to make it larger, of course. They basically moved this call to pymain_import_readline
31:05
to an earlier place in the code, and this is because here, I believe here, or maybe somewhere between those two differences, they are adding the current working directory to the sys.path, so yes, indeed this is exactly it. That's why the module is imported,
31:25
because the current working directory is on the sys.path whenever it's being imported, and they made this unintended mistake that allowed for this behavior. That probably means that I could simplify the code by just putting some Python there.
31:43
I don't need to compile a C extension. Probably. I'm not sure. We can actually check this out very fast. I think it didn't work back then, but... Wait, did I name it .so? Sorry, guys.
32:02
Yeah, so this is how it looks, and yeah, it actually executed, but now it's... Now it gives you this AttributeError here, that you broke the readline module. So my question is, if they just moved the importing of readline only, does it fix the
32:27
_json and other such libraries as well? That's a good question, and if I had pyenv here, I would install 3.11 and test it out, but I don't. I could probably maybe do something like...
32:50
Let's see what's the network here, if I have network. I have network, but it is probably too
33:00
slow. Oh, wait. This would take a bit, but I can do it maybe like this. Oh, I don't have... OK, different machine. Oh, maybe there is no image for Python 3.11 yet.
33:24
Maybe. We can see it in Docker Hub, if they have it here. That would be the fastest way to check it out. There is some Python 3.11. It should always be right. Yeah, I missed Python, right? Thank you.
33:52
I probably need to launch sh or maybe just python, because maybe this... I want to see if this image has bash inside. They also don't have vim there,
34:04
so I would need to do something like this in order to test it. Wait, I would actually need to compile something. Let's see if we can do it very fast.
34:20
Wait, GCC is installed there. So now we need this. Maybe install vim again. If there is another question, I can maybe answer one fast one, but in the meantime... Yeah, I was wondering, if you use -I... Is Python still very useful? Can you use
34:46
virtual environments still? That's a good question. We can see. I should have an environment here. Yeah, it is there. In this environment, I can import pwn, whatever that is, by the way. If I do python -I and import pwn, it still works.
35:06
The thing is that you won't be able to import whatever you have here, so if I have a module like A here in my current working directory, I can't really import it, and normally I would be able to, so that's the issue here that is happening. Yeah, so coming back to this...
35:30
Sorry? I am in Docker. This shows me that I am in the Docker container. Sorry, it's not supposed to be libc, it's supposed to be _json.
35:42
So maybe it's fixed. Maybe, because I don't know. Wait, yeah, we have to write something for _json, so it seems it's probably fixed. Yeah, you know, there is only one Python here, so it seems it's fixed, but you never know, because this behavior is hard to detect, basically.
36:06
Maybe if I trace... Well, that's maybe not as-traced here. Yep, any more questions? Any questions online? Anyone in the room still have anything they'd like to ask?
36:23
Or any comments? Well, if not, let's thank disconnect3d for this fantastic talk.