A security researcher has created a proof of concept that reveals how a Python module installation file can execute malicious code with root privileges while remaining totally off the radar.
The Python programming language has been around for a long time, having first been released way back in 1991. It's also pretty damn popular; according to the TIOBE Programming Community Index for 2018 it is the fourth most popular language behind Java, C and C++. This popularity can be evidenced by the number of large enterprises known to use Python, including the likes of Amazon, Facebook and Google for example.
Amongst the many features of Python is the ability to install modules, or packages, to extend the functionality of your own programs. Once installed, these modules will execute alongside your own code. However, a researcher called 'mschwager' has posted details of a proof of concept file to GitHub called 0wned [https://github.com/mschwager/0wned] which shows how malicious code can be executed when you initially install the package itself.
By manipulating the setup.py file that the Python 'pip' package manager runs when it installs a package, 0wned was "able to successfully write to the root directory" mschwager says, continuing "this means that 0wned can do anything as the root or administrative user."
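Because pip executes a package's setup.py as ordinary Python, the install-time behaviour described above is visible in the file itself before anything is installed. The following scanner is an added example written for this page (it is not part of 0wned or of any of the projects mentioned): it parses a setup.py with the standard `ast` module and reports shell or code-execution calls, network imports, and a `cmdclass` argument to `setup()`, which is the documented setuptools hook for replacing the install command. The sample setup.py text and the lists of suspicious calls and modules are constructed for the example.

```python
import ast

# Calls that execute commands or arbitrary code; a setup.py rarely needs them.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
    "eval", "exec", "__import__",
}
# Modules a build script has no ordinary reason to touch (constructed list).
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "http.client", "requests", "ftplib"}


def _collect_aliases(tree):
    """Map local names to the qualified names they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _dotted_name(node, aliases):
    """Return the qualified 'a.b.c' name behind a call target, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))  # resolve 'sp' -> 'subprocess', 'run' -> 'subprocess.run'
    return ".".join(reversed(parts))


def scan_setup_py(source):
    """Return sorted (line, description) findings for a setup.py source text."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func, aliases)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
            elif name in ("setup", "setuptools.setup", "distutils.core.setup"):
                # cmdclass is a legitimate feature, but it is exactly where an
                # install-time hook would be placed, so it deserves a look.
                if any(kw.arg == "cmdclass" for kw in node.keywords):
                    findings.append((node.lineno, "custom cmdclass overrides install/build commands"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            modules = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module]
            for mod in modules:
                if mod in NETWORK_MODULES:
                    findings.append((node.lineno, f"imports network module {mod}"))
    return sorted(findings)


# Constructed setup.py that runs a harmless shell command from an overridden install step.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
import os

class CustomInstall(install):
    def run(self):
        os.system("echo installed")  # constructed: command runs at pip install time
        install.run(self)

setup(name="demo-pkg", version="0.1", cmdclass={"install": CustomInstall})
"""

# Constructed setup.py with nothing unusual in it.
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='demo-pkg', version='0.1')\n"


if __name__ == "__main__":
    for line, what in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {what}")
```

Run against the constructed sample the scanner reports line 7 (the `os.system` call) and line 10 (the `cmdclass` override); the benign sample produces nothing. A static pass like this is a triage aid rather than a verdict: code can be obfuscated past a name match, so it belongs alongside installing from a non-privileged account and pinning what you install, not instead of them.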
When you consider that pip is instrumental when creating Docker containers in automated, DevOps-based cloud-native applications, the risk to the enterprise via public cloud applications becomes apparent. "Most of the larger cloud native applications are based on micro service architectures" Pascal Geenens, Radware EMEA security evangelist explains "and whenever the code behind a micro-service changes, it goes through the whole DevOps chain and testing scenarios and ultimately it will result in an updated container image." For Python-based micro services, pip is an integral and required tool for installing the modules the service depends on inside the container. "On each and every change of the Python code, the pip install command will be rerun by the composer in the chain to create a fresh container image which will then be used by the container orchestrator to deploy it in dev, test or the production cloud" Geenens warns.
In conversation with SC Media UK, Geenens went on to "urge all developers and administrators to limit module installations, whether this is for Python, Node, Go, Julia or whatever your preferred or required language, from a non-privileged user and the application or service to be ultimately run within the context of a non-privileged user." Even then the risk remains: whatever environment the service or application runs in, malicious code installed at setup time will have run-time access to that environment and can steal IP or sensitive customer data. "By using a non-privileged user" Geenens concludes "at least you ascertain yourself that none of the root configuration files and modified or new backdoors or services activated on the systems or containers."
Dan Pitman, senior solutions architect at Alert Logic, adds that a DevOps and Agile culture that drives IT teams to move fast downloading and integrating other people’s modules, "increases the risk of hijacking an enterprise’s deployment and release processes to deploy the attacker’s own processes such as cryptomining malware." Pitman told SC Media that this risk is compounded because the initial attack and foothold "are much less likely to be spotted in a run-once scenario, like an install, and can be infinitely modified by the attacker to change the signature of the deployment."
Of course, this is not something that is isolated to Python; most such package installers support custom scripts and code execution as a feature by design, to ensure deployment environments are correctly configured. "When you run a package installer with heightened privileges" says Nick Murison, managing consultant at Synopsys, "the installer script essentially has full access to the underlying operating system." But as Johnathan Azaria, security researcher at Imperva, points out, "In this case, the malicious package can hide inside a list of requirements which might not even appear in the code." Couple that with the popularity of Python and "this vulnerability might pose a larger threat than expected."
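Azaria's point is that a requirements file can pull in a package the application never imports, so the code review never sees it. One concrete check is to cross-reference requirements.txt against the imports actually present in the source tree and list every requirement nothing imports. The code below is an added example for this page, not tooling from any vendor quoted here; the requirements text, the source files and the small distribution-name-to-import-name table are all constructed, and the table is an assumption a real project would replace with its own mapping (distribution names and import names differ, as with PyYAML and `yaml`).

```python
import ast
import re

# Distribution name -> importable top-level module, for common cases where they differ.
# Constructed table; a real project would extend it or read top_level.txt from installed metadata.
DIST_TO_IMPORT = {
    "pyyaml": "yaml",
    "beautifulsoup4": "bs4",
    "pillow": "PIL",
    "scikit-learn": "sklearn",
}

# Leading project name of a requirement line, stopping before extras, specifiers or markers.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the normalised distribution names listed in a requirements.txt body."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank lines and pip options such as -r / --index-url
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def imported_top_level_modules(sources):
    """Collect top-level module names imported anywhere in a {path: source} mapping."""
    modules = set()
    for src in sources.values():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.Import):
                modules.update(a.name.split(".")[0] for a in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                modules.add(node.module.split(".")[0])  # relative imports (level > 0) are in-tree
    return modules


def unreferenced_requirements(requirements_text, sources):
    """Requirements that no source file imports: candidates for manual review."""
    imported = imported_top_level_modules(sources)
    unreferenced = []
    for dist in parse_requirements(requirements_text):
        import_name = DIST_TO_IMPORT.get(dist, dist.replace("-", "_"))
        if import_name not in imported:
            unreferenced.append(dist)
    return unreferenced


# Constructed requirements.txt: one entry is never imported by the application.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
requests>=2.20
PyYAML==5.1
example-unused-lib  # constructed: nothing in the source tree imports this
Flask[async]~=1.0 ; python_version >= "3.6"
"""

# Constructed source tree as {path: source}.
SAMPLE_SOURCES = {
    "app/main.py": "import requests\nimport yaml\nfrom flask import Flask\n",
    "app/util.py": "from . import main\nimport os.path\n",
}


if __name__ == "__main__":
    for dist in unreferenced_requirements(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES):
        print(f"requirement '{dist}' is not imported anywhere; review it")
```

On the constructed input only `example-unused-lib` is reported. The check is deliberately conservative: a requirement that is only loaded via a plugin entry point or a framework setting will also show up, which is acceptable for a review list. URL and VCS requirements (`git+https://...`) are not parsed here and would need their own handling.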
In mitigation, Jake Moore, security specialist at ESET, recommends "installing on a local user and then double checking everything is correct before you proceed to stop threats such as URL hijacking." We'll leave the final word to Ian Trump, cyber vulnerability and threat hunting lead at Ladbrokes Coral Group, who told SC Media UK that "the amount of panic here is proportional to the amount of installs in your environment; if you don’t know how many installs of Python you have, then you have potentially-most-likely far more things to worry about..."