PolyWolf on Security

An Interesting Python Sandbox Escape

Posted on 2022-05-15: https://pwn.win/2022/05/11/python-buffered-reader.html

The title says “code execution”, but you need your Python code to already be running in order to trigger this, so I’d rather classify it as a sandbox escape. Just by manipulating built-in CPython objects you can do buffer overflows, get the address of system, and ROP your way to success, without importing any new modules.

I think the only way to block this exploit is to never load the io module at all, which severely limits a lot of Python code…
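To show what “without importing any new modules” means in practice, here is an added example (my own code, not the exploit from the linked post and not the author’s): it recovers the C class _io.BufferedReader from the builtin open() with no import and no mention of the name io, then hands that C code a raw stream implemented entirely in Python. The class PythonControlledRaw and the function names are my own inventions for illustration; the payload bytes are constructed test data. The example does not reproduce the bug itself, only the reachability that the post relies on.

```python
import os  # only for os.devnull, a path that exists on every platform


class PythonControlledRaw:
    """Constructed stand-in for a raw stream (hypothetical class name).

    A pure-Python object exposing only what _io.BufferedReader consults on its
    raw layer: readable(), readinto(), flush(), close() and a 'closed' flag.
    Every one of these runs Python code chosen by the sandboxed user, in the
    middle of the C reader's read loop.
    """

    def __init__(self, payload, max_chunk):
        self._payload = bytes(payload)
        self._pos = 0
        self._max_chunk = max_chunk      # deliver at most this many bytes per call
        self.closed = False
        self.calls = []                  # (bytes requested by C, bytes supplied)

    def readable(self):
        return True

    def readinto(self, buf):
        # 'buf' is a writable memoryview laid directly over the reader's C buffer.
        want = min(len(buf), self._max_chunk)
        chunk = self._payload[self._pos:self._pos + want]
        buf[:len(chunk)] = chunk
        self._pos += len(chunk)
        self.calls.append((len(buf), len(chunk)))
        return len(chunk)                # the C side range-checks this count

    def flush(self):
        pass

    def close(self):
        self.closed = True


def buffered_reader_type_via_open():
    """Reach the C class _io.BufferedReader through the builtin open() alone:
    no import statement and no reference to the name 'io'."""
    with open(os.devnull, "rb") as f:
        return type(f)


def read_through_buffered(payload, max_chunk=3, buffer_size=4, sizes=(5, 10)):
    """Wrap a Python-controlled raw object in the recovered C reader and read
    from it. Returns the chunks read and the (requested, supplied) log."""
    cls = buffered_reader_type_via_open()
    raw = PythonControlledRaw(payload, max_chunk)
    with cls(raw, buffer_size) as reader:
        out = [reader.read(n) for n in sizes]
    return out, raw.calls


if __name__ == "__main__":
    chunks, log = read_through_buffered(b"ABCDEFGHIJKLMNOPQRST")
    print(chunks)   # [b'ABCDE', b'FGHIJKLMNO']
    print(log)      # each readinto() saw a memoryview over the C buffer
```

The point for anyone maintaining a sandbox: removing the io name from the namespace changes nothing, because open() (and the standard streams) hand out the very same C class, and that class accepts an arbitrary Python object as its raw layer and calls back into it while it is working on its own buffer. Blocking the module really does mean blocking every path that yields one of its objects.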

Full exploit code here