Published a workaround for Python code execution systems based on a long-known bug that appeared in Python 2.7, was identified in 2012 and has not yet been fixed in Python 3. The bug allows using specially linked Python code to initiate a call to already freed memory (Use-After-Free) in Python. Initially, it was assumed that the error does not pose a security threat and only in very rare cases, usually artificially created, can lead to an abnormal termination of the script.
A security researcher under the pseudonym kn32 became interested in the problem and managed to prepare a working exploit that makes it possible to call any system command without having direct access to methods like os.system. The exploit is implemented in pure Python and works without importing external libraries and without installing the "code.__new__" handler. Of the hooks, only "builtin.__id__" is used, which is usually not prohibited. On the practical side, the proposed code can be used to bypass isolation mechanisms in various services and environments (for example, in learning environments, online shells, built-in handlers, etc.) that allow execution of Python code, but limit available calls and do not allow access methods such as os.system.
The proposed code is an analogue of the os.system call, which works through the exploitation of a vulnerability in CPython. The exploit works with all versions of Python 3 on x86-64 systems and is stable on Ubuntu 22.04 even with PIE, RELRO and CET security modes enabled. The work is reduced to obtaining from the Python code information about the address of one of the functions in the executable CPython code. Based on this address, the base address of CPython in memory and the address of the system() function in the loaded instance of libc are calculated. At the end, a direct jump to a certain system address is initiated with the substitution of the first argument pointer to the string "/bin/sh".
Source: opennet.ru