mirror of
https://github.com/licsber/micropython.git
synced 2024-09-20 09:00:23 +08:00
60cf2c0959
Prior to this commit, pyboard.py used eval() to "parse" file data received
from the board. Using eval() on received data from a device is dangerous,
because a malicious device may inject arbitrary code execution on the PC
that is doing the operation.
Consider the following scenario:
Eve may write a malicious script to Bob's board in his absence. On return
Bob notices that something is wrong with the board, because it doesn't work
as expected anymore. He wants to read out boot.py (or any other file) to
see what is wrong. What he gets is a remote code execution on his PC.
Proof of concept:
Eve:
$ cat boot.py
_print = print
print = lambda *x, **y: _print("os.system('ls /; echo Pwned!')", end="\r\n\x04")
$ ./pyboard.py -f cp boot.py :
cp boot.py :boot.py
Bob:
$ ./pyboard.py -f cp :boot.py /tmp/foo
cp :boot.py /tmp/foo
bin chroot dev home lib32 media opt root sbin sys usr
boot config etc lib lib64 mnt proc run srv tmp var
Pwned!
There's also the possibility that the device is malfunctioning and sends
random and possibly dangerous data back to the PC, to be eval'd.
Fix this problem by using ast.literal_eval() to parse the received bytes,
instead of eval().
Signed-off-by: Michael Buesch <m@bues.ch>
|
||
|---|---|---|
| .. | ||
| .gitattributes | ||
| .gitignore | ||
| bootstrap_upip.sh | ||
| build-stm-latest.sh | ||
| cc1 | ||
| codeformat.py | ||
| codestats.sh | ||
| dfu.py | ||
| file2h.py | ||
| gen-changelog.sh | ||
| gen-cpydiff.py | ||
| gendoc.py | ||
| insert-usb-ids.py | ||
| make-frozen.py | ||
| makemanifest.py | ||
| metrics.py | ||
| mpy_bin2res.py | ||
| mpy_cross_all.py | ||
| mpy_ld.py | ||
| mpy-tool.py | ||
| pyboard.py | ||
| pydfu.py | ||
| tinytest-codegen.py | ||
| uf2conv.py | ||
| uncrustify.cfg | ||
| upip_utarfile.py | ||
| upip.py | ||