GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mschwager → 0wned

mschwager / 0wned

Licence: gpl-3.0
Code execution via Python package installation.

Programming Languages

python
139335 projects - #7 most used programming language

Labels

securitypip

Projects that are alternatives of or similar to 0wned

Socket.io Python Emitter
Python implementation of socket.io-emitter
Stars: ✭ 67 (-54.73%)
Mutual labels:  pip
Mtcnn
MTCNN face detection implementation for TensorFlow, as a PIP package.
Stars: ✭ 1,689 (+1041.22%)
Mutual labels:  pip
Pipenvlib
A library for manipulating Pipenv projects.
Stars: ✭ 132 (-10.81%)
Mutual labels:  pip
Micropipenv
A lightweight wrapper for pip to support requirements.txt, Pipenv and Poetry lock files or converting them to pip-tools compatible output. Designed for containerized Python applications but not limited to them.
Stars: ✭ 72 (-51.35%)
Mutual labels:  pip
Niftynet
[unmaintained] An open-source convolutional neural networks platform for research in medical image analysis and image-guided therapy
Stars: ✭ 1,276 (+762.16%)
Mutual labels:  pip
Poetry Pycharm Plugin
A PyCharm plugin for poetry
Stars: ✭ 113 (-23.65%)
Mutual labels:  pip
Rules python external
Bazel rules to resolve and fetch artifacts transitively from the Python Package Index (PyPI)
Stars: ✭ 60 (-59.46%)
Mutual labels:  pip
Pipkit
Picture in Picture for iOS
Stars: ✭ 140 (-5.41%)
Mutual labels:  pip
Pipcontainer
An easy to use interface for picture-in-picture on macOS 10.12 and later
Stars: ✭ 109 (-26.35%)
Mutual labels:  pip
Pipcorn
🍿 Watch YouTube videos on your Mac via CLI
Stars: ✭ 128 (-13.51%)
Mutual labels:  pip
Zazo
Pure Python Dependency Resolution
Stars: ✭ 80 (-45.95%)
Mutual labels:  pip
Django Currentuser
Conveniently store reference to request user on thread/db level.
Stars: ✭ 83 (-43.92%)
Mutual labels:  pip
Coronavirus Tracker Api
🦠 A simple and fast (< 200ms) API for tracking the global coronavirus (COVID-19, SARS-CoV-2) outbreak. It's written in python using the 🔥 FastAPI framework. Supports multiple sources!
Stars: ✭ 1,577 (+965.54%)
Mutual labels:  pip
Django Webpacker
A django compressor tool that bundles css, js files to a single css, js file with webpack and updates your html files with respective css, js file path.
Stars: ✭ 69 (-53.38%)
Mutual labels:  pip
Pip Check
pip-check gives you a quick overview of all installed packages and their update status.
Stars: ✭ 134 (-9.46%)
Mutual labels:  pip
Hermetica
📖Hermetica is scaffold tools, and wiki to implement better flask applications.
Stars: ✭ 66 (-55.41%)
Mutual labels:  pip
Pip Licenses
Dump the license list of packages installed with pip.
Stars: ✭ 110 (-25.68%)
Mutual labels:  pip
Pipdeptree
A command line utility to display dependency tree of the installed Python packages
Stars: ✭ 1,898 (+1182.43%)
Mutual labels:  pip
Dephell
📦 🔥 Python project management. Manage packages: convert between formats, lock, install, resolve, isolate, test, build graph, show outdated, audit. Manage venvs, build package, bump version.
Stars: ✭ 1,730 (+1068.92%)
Mutual labels:  pip
Serverpilot Letsencrypt
Automate the installation of Let's Encrypt SSL on the free plan of ServerPilot
Stars: ✭ 129 (-12.84%)
Mutual labels:  pip
View All Similar Projects ➔

0wned

Build Status Build Status

Python packages allow for arbitrary code execution at run time as well as install time. Code execution at run time makes sense because, well, that's what code does. But executing code at install time is a lesser known feature within the Python packaging ecosystem, and a potentially much more dangerous one.

To test it out let's download this repository:

$ git clone https://github.com/mschwager/0wned.git

Don't worry, there's nothing malicious going on, you can take a look at what's happening yourself.

Now let's install the package:

$ sudo python -m pip install 0wned/
$ cat /0wned
Created '/0wned' with user 'root' at 1536011622

During pip installation 0wned was able to successfully write to the root directory! This means that 0wned can do anything as the root or administrative user.

We can reduce the impact of this issue by installing packages with the --user flag:

$ python -m pip install --user 0wned/
$ cat ~/0wned
Created '/home/tempuser/0wned' with user 'tempuser' at 1536011624

Prevention

You should always be wary of Python packages you're installing on your system, especially when using root/administrative privileges. There are a few ways to help mitigate these types of attacks:

  • Install only binary distribution Python wheels using the --only-binary :all: flag. This avoids arbitrary code execution on installation (avoids setup.py).
  • As mentioned above, install packages with the local user using the --user flag.
  • Install packages in hash-checking mode using the --require-hashes flag. This will protect against remote tampering and ensure you're getting the package you intend to.
  • Double check that you've spelled the package name correctly. There may be malicious packages typosquatting under a similar name.

Details of the Attack

You can hook almost any pip command by extending the correct setuptools module.

For example, 0wned takes advantage of the install class to do its thing:

from setuptools import setup
from setuptools.command.install import install

class PostInstallCommand(install):
    def run(self):
        # Insert code here
        install.run(self)

setup(
    ...
    cmdclass={
        'install': PostInstallCommand,
    },
    ...
)

And when pip install is run our custom PostInstallCommand class will be invoked.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].