Should an XKCD easter egg that introduces a vulnerability in CPython be removed from core distro?

[fproulx-boostsecurity]

An XKCD comic easter egg was added to CPython back in 2008 (https://github.com/python/cpython/blob/main/Lib/antigravity.py)

This enables a Living Off The Pipeline technique (https://boostsecurityio.github.io/lotp/tool/python). I question the fact that this joke remains in core distro.

[rhettinger]

ISTM that the referenced article is not specific to antigravity but applies generally to webbrowser module. So this issue is overspecific.

This "vulnerability" presumes an attacker has the ability to write to environment variables (i.e. the system is already compromised prior to invoking webbrowser).

In the case of the antigravity module, it is normally invoked interactively where the user already has board system access. It isn't something you see in production code.

Overall, I don't assess that there is a real issue here, but will leave it to our security experts to opine for themselves.

[skirpichev]

ISTM that the referenced article is not specific to antigravity but applies generally to webbrowser module.

The difference is that with import webbrowser - nothing happened. While antigravity module "by design" (IIUIC) runs webbrowser.open("https://xkcd.com/353/") on import antigravity or from antigravity import *.

We could e.g. change this to run code just on python -m antigravity. But this is no fun anymore.

This "vulnerability" presumes an attacker has the ability to write to environment variables

I agree. BROWSER="/bin/bash" already looks suspicious for me :-)

@fproulx-boostsecurity, could you provide some scenario to exploit this "vulnerability"?

[vstinner]

If I understand well, the attack can run arbitrary Python commands and set environment variables. In this case, why running antigravity, whereas you can just run arbitrary Python commands?

I don't think that antigravity makes Python vulnerable. The problem here is the attacker can already do arbitrary things with Python and the environment.

[fproulx-boostsecurity]

@skirpichev this is something my team has documented as part of our Living Off The Pipeline (LOTP) open source knowledge base. Very similar to LOLBAS / GTFObins, but applied in the context of vulnerable Build Pipeline exploitation. The most common scenario we see is a GitHub Actions workflow on a public repo using pull_request_target.

You are absolutely correct that this specific variant of LOTP (there are many more we've documented) could be thought as a second-order RCE consider attacker needs to have the ability to mess with environment variables. But we've seen plenty of real world GitHub Actions workflows on important open source projects that will set environment variables based on user data, etc.

My point with opening the issue was that import antigravity is built it to core Python and unlike all other modules this is an anomaly that it executes code by merely importing the module.

In fact I documented it based on this 2020 article (https://www.elttam.com/blog/env/) where they did a Red Team assignment and used this Python gadget as post-exploitation technique.