CVE-2020-5252: Malicious package may avoid detection in python auditing
(updated )
Python Auditing Vulnerability
Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.
Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.
Usage
Install safety
, insecure-package
, and this package with pip in the same python environment. Order doesn't matter.
- pip install safety
- pip install insecure-package
- pip install dist/malicious-0.1-py3-none-any.whl
Run the check
safety check
You should see both Running my modified safety.check
and that insecure-package
is not listed in the results!
How it Works
Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.
- When you install this package, the
setup.py
settings installs amalicious.pth
file to yoursite-packages
directory. - The
malicious.pth
file gets loaded anytime Python starts, which in turn imports ourmalicious
package. - The
malicious/__init__.py
patches the safety library with a custom function to avoid detection.
References
- github.com/advisories/GHSA-7q25-qrjw-6fg2
- github.com/akoumjian/python-safety-vuln
- github.com/pypa/advisory-database/tree/main/vulns/safety/PYSEC-2020-101.yaml
- github.com/pyupio/safety
- github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2
- mulch.dev/blog/CVE-2020-5252-python-safety-vuln
- nvd.nist.gov/vuln/detail/CVE-2020-5252
- pyup.io/posts/patched-vulnerability
Detect and mitigate CVE-2020-5252 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →