Contextual Code Execution in nuitka/nuitka
Jun 4th 2022
The main() function uses the eval() function, which can lead to contextual code execution, allowing an attacker to gain access to a system and execute commands with the privileges of the running program by setting NUITKA_PTH_IMPORTED to a malicious payload string. This can lead to backdoors, reverse shells or reading/writing to privileged files.
One example of a similar vulnerability is CVE-2022-0845 in the popular pytorch-lightning repository. [See References]
Proof of Concept
- Set malicious payload
$ export NUITKA_PYTHONPATH='os.system("touch rickroll")'
- Code gets executed!
$ ls rickroll
This vulnerability is capable of executing code on the target system in the context of the user running the program. This can allow an attacker to gain access to systems, read/write malicious files, etc.
A safe way of patching the said vulnerability while preserving its functionality would be to manually parse the environment variable and iterate over it to resolve the value of
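The pattern described above next to a hardened replacement, as an added example that is not Nuitka's own code: the environment variable is parsed as a literal list of strings instead of being passed to eval(). The function names and the choice of ast.literal_eval are assumptions made for this illustration.

```python
import ast


def restore_sys_path_unsafe(env):
    """Vulnerable pattern from the report: eval() on an environment variable.
    Any expression placed in the variable runs with the program's privileges."""
    return eval(env["NUITKA_PYTHONPATH"])  # pylint: disable=eval-used


def parse_pythonpath(value):
    """Hardened replacement: the variable must be a Python literal list of
    strings (the shape repr(sys.path) produces). ast.literal_eval only builds
    constants and containers and never calls functions, so an expression such
    as os.system(...) is rejected instead of executed."""
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # MemoryError/RecursionError cover deeply nested input, which
        # literal_eval parses but cannot build; treat it as malformed too.
        raise ValueError("NUITKA_PYTHONPATH is not a literal list") from exc
    if not isinstance(parsed, list) or not all(isinstance(p, str) for p in parsed):
        raise ValueError("NUITKA_PYTHONPATH must be a list of path strings")
    # Iterate over the entries and keep them as plain strings; sys.path entries
    # need not exist on disk ("" means the current directory), so no stat here.
    return list(parsed)


def restore_sys_path(env):
    """Safe equivalent of the vulnerable block: returns the restored path list,
    or None when the variable is absent, without executing its contents."""
    raw = env.get("NUITKA_PYTHONPATH")
    if raw is None:
        return None
    return parse_pythonpath(raw)


if __name__ == "__main__":
    # Constructed inputs: the legitimate serialised form and a payload string.
    print(restore_sys_path({"NUITKA_PYTHONPATH": repr(["/opt/app", ""])}))
    try:
        restore_sys_path({"NUITKA_PYTHONPATH": 'os.system("touch rickroll")'})
    except ValueError as exc:
        print("rejected:", exc)
```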