{
  "id": 13843465,
  "url": "https://github.com/mschwager/0wned",
  "last_synced_at": "2025-04-10T23:30:41.200Z",
  "repository": {
    "id": 60576387,
    "uuid": "147256036",
    "full_name": "mschwager/0wned",
    "owner": "mschwager",
    "description": "Code execution via Python package installation.",
    "archived": false,
    "fork": false,
    "pushed_at": "2018-11-28T17:17:07.000Z",
    "size": 22,
    "stargazers_count": 168,
    "open_issues_count": 0,
    "forks_count": 35,
    "subscribers_count": 12,
    "default_branch": "master",
    "last_synced_at": "2024-08-05T17:37:39.248Z",
    "etag": null,
    "topics": [
      "code-execution",
      "package-installation",
      "pip",
      "python",
      "python-package",
      "remote-code-execution",
      "security"
    ],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "Python",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "gpl-3.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/mschwager.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null
      }
    },
    "created_at": "2018-09-03T21:38:30.000Z",
    "updated_at": "2024-07-28T01:18:03.000Z",
    "dependencies_parsed_at": "2022-10-01T16:10:19.419Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/mschwager/0wned",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mschwager%2F0wned",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mschwager%2F0wned/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mschwager%2F0wned/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mschwager%2F0wned/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mschwager",
    "download_url": "https://codeload.github.com/mschwager/0wned/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 223449748,
      "owners_count": 17146984,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": [
    "code-execution",
    "package-installation",
    "pip",
    "python",
    "python-package",
    "remote-code-execution",
    "security"
  ],
  "created_at": "2024-08-04T17:02:09.490Z",
  "updated_at": "2024-11-07T03:14:02.244Z",
  "avatar_url": "https://github.com/mschwager.png",
  "language": "Python",
  "funding_links": [],
  "categories": [
    "Python (1887)",
    "Python"
  ],
  "sub_categories": [],
  "readme": "# 0wned\n\n[![Build Status](https://travis-ci.org/mschwager/0wned.svg?branch=master)](https://travis-ci.org/mschwager/0wned)\n[![Build Status](https://ci.appveyor.com/api/projects/status/github/mschwager/0wned?branch=master\u0026svg=true)](https://ci.appveyor.com/project/mschwager/0wned/branch/master)\n\nPython packages allow for [arbitrary code execution](https://en.wikipedia.org/wiki/Arbitrary_code_execution)\nat **run time** as well as **install time**. Code execution at **run time** makes\nsense because, well, that's what code does. But executing code at **install time**\nis a lesser known feature within the Python packaging ecosystem, and a\npotentially much more dangerous one.\n\nTo test it out let's download this repository:\n\n```\n$ git clone https://github.com/mschwager/0wned.git\n```\n\n*Don't worry, there's nothing malicious going on, you can [take a look at what's happening yourself](https://github.com/mschwager/0wned/blob/master/setup.py).*\n\nNow let's install the package:\n\n```\n$ sudo python -m pip install 0wned/\n$ cat /0wned\nCreated '/0wned' with user 'root' at 1536011622\n```\n\n**During `pip` installation `0wned` was able to successfully write to the root\ndirectory! This means that `0wned` can do anything as the root or administrative\nuser.**\n\nWe can reduce the impact of this issue by installing packages with the `--user` flag:\n\n```\n$ python -m pip install --user 0wned/\n$ cat ~/0wned\nCreated '/home/tempuser/0wned' with user 'tempuser' at 1536011624\n```\n\n# Prevention\n\nYou should always be wary of Python packages you're installing on your system,\nespecially when using root/administrative privileges. There are a few ways to help\nmitigate these types of attacks:\n\n* Install only [binary distribution Python wheels](https://pythonwheels.com/) using the `--only-binary :all:` flag. This avoids arbitrary code execution on installation (avoids `setup.py`).\n* As mentioned above, install packages [with the local user](https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site) using the `--user` flag.\n* Install packages in [hash-checking mode](https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode) using the `--require-hashes` flag. This will protect against remote tampering and ensure you're getting the package you intend to.\n* Double check that you've spelled the package name correctly. There may be malicious packages [typosquatting](https://en.wikipedia.org/wiki/Typosquatting) under a similar name.\n\n# Details of the Attack\n\nYou can hook almost any `pip` command by extending the correct `setuptools` module.\n\nFor example, `0wned` takes advantage of the `install` class to do its thing:\n\n```python\nfrom setuptools import setup\nfrom setuptools.command.install import install\n\nclass PostInstallCommand(install):\n    def run(self):\n        # Insert code here\n        install.run(self)\n\nsetup(\n    ...\n    cmdclass={\n        'install': PostInstallCommand,\n    },\n    ...\n)\n```\n\nAnd when `pip install` is run our custom `PostInstallCommand` class will be invoked.\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmschwager%2F0wned",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fmschwager%2F0wned",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmschwager%2F0wned/lists"
}