A security researcher found a serious prototype pollution vulnerability in Python programming language. Exploiting the flaw results in app crashes, potentially allowing other impacts too.
Prototype Pollution Variant Found In Python
An independent security researcher, Abdulraheem Khaled, recently shared details about a prototype pollution vulnerability affecting Python.
However, Khaled elaborated on how he could observe prototype pollution variants in Python, where the flaw typically exists in polluting the modifiable attribute “
_class_” in objects.
As stated in his post,
From an attacker’s perspective, we are interested more in attributes that we can override/overwrite to be able to exploit this vulnerability rather than the magic methods. As our input will always be treated as data (str, int, etc..) and not actual code to be evaluated. Therefore, if we try to overwrite any of the magic methods, it will lead to crashing the application when trying to invoke that method, as data such as strings can’t be executed.
Briefly, to demonstrate the flaw that he called “class pollution,” the researcher created an instance of
Employee class – an empty class and then attempted to pollute it in a way to pollute the parent class as well. For this, he set the
__qualname__ attribute inside
__class__ to a string and then polluted the
__base__ attribute. Eventually, it allowed him to pollute the parent
Employee class. That’s how an adversary may pollute any parent class.
The researcher explained that Python applies some restrictions on modifying the
object class attributes – the parent class of all classes. Therefore, an attacker must proceed accordingly, exploiting the unsafe merge functions, to achieve class pollution in Python.
For now, the researcher confirmed having found no full exploit with an impact other than DoS. Nonetheless, he believes that an adversary may leverage the flaw to achieve various other results, such as overwriting the secret key in the Flask web app for signing sessions, or path hijacking.
Let us know your thoughts in the comments.