A security researcher has discovered a dangerous prototype-pollution-style vulnerability in the Python programming language. The flaw can lead to application crashes and other adverse effects.
Python has a prototype pollution variant
Abdulraheem Khaled, an independent security researcher, recently revealed details of a prototype-pollution vulnerability that affects Python.
Prototype pollution lets attackers tamper with existing prototypes. To compromise an application, an attacker injects values into the base object prototype (“polluting” it) so that the change propagates to other objects. Such exploits can have a range of impacts, including remote code execution and denial of service.
Khaled explained how he found a pollution variant in Python, which likewise arises from polluting objects.
According to his blog post:
An attacker will be more interested in the attributes we can modify/overwrite in order to exploit the vulnerability. Because our input is always treated as data (str, int, etc.) and not code, it will be evaluated. If we attempt to modify any magic method, it will cause the application to crash when it tries to invoke the method. Strings, for example, can’t be executed.
To illustrate the flaw, which he calls “class pollution”, the researcher created an instance of an Employee class. The empty class was then polluted in the same way as the parent class: the __qualname__ attribute within __class__ was set to a string, and then the __base__ attributes were polluted. This eventually allowed him to pollute Employee, which is how an adversary could affect any parent class.
Python does place some limitations on the attributes of the object class, which is the parent class of all other classes. An attacker would exploit unsafe merge functions to cause class pollution in Python.
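To make the merge-function weakness concrete, here is an added example (not code from Khaled's post or any named project): a recursive merge that follows attribute names by key, beside a hardened merge that refuses dunder keys, run against a constructed Employee class and constructed payloads. The payload that walks __class__.__base__ reaches the immutable object class and raises, which is the crash path the article refers to.

```python
# Added example, not Khaled's code: unsafe vs hardened recursive merge.

class Employee:                      # constructed stand-in for app state
    def __init__(self):
        self.name = "alice"

def unsafe_merge(src, dst):
    """Merge the article warns about: getattr/setattr by key reaches __class__, __base__."""
    for k, v in src.items():
        if isinstance(dst, dict):
            if isinstance(v, dict) and isinstance(dst.get(k), dict):
                unsafe_merge(v, dst[k])
            else:
                dst[k] = v
        elif isinstance(v, dict) and hasattr(dst, k):
            unsafe_merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
    return dst

def safe_merge(src, dst):
    """Hardened: reject dunder/non-str keys; never descend into a class object."""
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("__"):
            raise ValueError(f"refusing to merge key {k!r}")
        target = dst.get(k) if isinstance(dst, dict) else getattr(dst, k, None)
        if isinstance(v, dict) and target is not None and not isinstance(target, type):
            safe_merge(v, target)
        elif isinstance(dst, dict):
            dst[k] = v
        else:
            setattr(dst, k, v)
    return dst

def demo():
    """Both mergers on a constructed payload, plus the __base__ -> object crash path."""
    Employee.__qualname__ = "Employee"
    unsafe_merge({"__class__": {"__qualname__": "Polluted"}}, Employee())
    polluted = Employee.__qualname__                 # changed for every instance
    try:
        safe_merge({"__class__": {"__qualname__": "Polluted"}}, Employee())
        blocked = "merged"
    except ValueError as exc:
        blocked = str(exc)
    try:
        unsafe_merge({"__class__": {"__base__": {"__qualname__": "X"}}}, Employee())
        crash = "no error"
    except TypeError:                                # `object` is immutable
        crash = "TypeError"
    return polluted, blocked, crash
```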
The Next Step
The researcher has confirmed that he has not found any exploit with an impact other than DoS. He believes an adversary could use the flaw for other purposes, including overwriting Flask’s secret key used to sign sessions, or path hijacking.