An Interesting Python Sandbox Escape
Posted on 2022-05-15: https://pwn.win/2022/05/11/python-buffered-reader.html
The title says “code execution”, but you need your Python code to already be
running in order to trigger this, so I’d rather classify it as a sandbox escape
since just by manipulating built-in CPython objects you can do buffer overflows
and get the address of system
and ROP ur way to success, without importing
any new modules.
I think the only way to block this exploit is to completely never load the io
module, which severely limits a lot of Python code…
Full exploit code here