Does Python have security issues?

blog + secure coding Z. Oualid todayJune 17, 2021

Background
share close

Python is one of the rising development technologies in the market. Many software development companies start using it for developing web applications.

Like any software development technology, Python may also have multiple security issues that can hurt websites and be the cause of a security breach.

In this blog post, I am going to explain why python can have security issues and what are the common type of vulnerabilities we can find in a python based application. So, if you are interested just keep reading.

Why does python have security issues?

Like any other development technology, Python is based on multiple libraries and open-source plugins. Those libraries and plugins are usually developed by the community, which is the case for almost all the other technologies. However, what is different for python is the fact that it is very open and anyone can develop plugins to perform something special.

Therefore, a newly developed application that uses those plugins and libraries might be vulnerable to the vulnerabilities created by their developers.

In the following part of this article, I am going to present some of the security issues that might be discovered in python based applications or even in python.

What are the most common Python security issues?

Buffer overflow

The buffer overflow vulnerabilities happen when the application fails to verify the length of user input and directly injects it into the memory. This action causes the system to delete some data from the memory without any control which causes the application to crash.

Successful exploitation of this vulnerability, in general, leads to remote code execution. These vulnerabilities are usually discovered in python core libraries developed using C or C++ languages. I am not going to dig deeper into techniques used to exploit these vulnerabilities as this is not the main subject of this article.

However, you should keep in mind that most of the time these vulnerabilities happens in applications and libraries developed using C/C++ languages. The reason behind this is that these two languages count on the developer skills to do the checks which is not the case for the new generation of development apps.

An example of such vulnerability has been published in 2021-01-19 a buffer overflow vulnerability has been discovered in python precisely in PyCArg_repr in _ctypes/callproc.c

DOS

The Deny of service is not actually a vulnerability but a security issue that can happen due to many reasons. However, in most cases, this issue can be the result of a buffer overflow, or an integer overflow, or even due to race condition vulnerabilities in the python core.

This security issue could have some critical impacts on the business revenue as the result of successful exploitation of this issue could lead to stopping the business production environment.

 Here is an example of some DOS security issues discovered lastly in python:

  1. A race condition vulnerability in Python 2.6, 2.7, 3.1, and 3.2 alpha allow a remote attacker to cause a denial of service CVE-2010-3493
  2. In 2010 Multiple vulnerabilities have been detected in audioop.c that allows attackers to cause a deny of service CVE-2010-1634.

Memory corruption

Most overflow vulnerabilities could be considered as a memory corruption vulnerability, as the memory is manipulated at some stages. However, they still there other vulnerabilities that are the result of other development bugs that lead to a memory corruption.

The use-after-free vulnerabilities are one of those security issues, where a memory zone is used by a process after it gets freed by the application without clearing the pointer to that memory zone. Successful exploitation of this vulnerability, in general, leads to remote code execution.

In 2018 a heap-use-after-free vulnerability has been detected in python 2.7.14 version that can be used to violate a trust boundary like the DWF. In 2012 another vulnerability has been detected by security experts in Python 3.1 through 3.3 that allows remote attackers to get sensitive information.

Directory traversal

This vulnerability happens when the application fails to verify the path sent in user input. This weak verification usually leads to some critical information leaks that can be used in more complex attacks.

If you are a penetration tester, this type of vulnerabilities discovered in the software development technologies is not like the ones we found while doing a penetration test on apps. A directory traversal vulnerability in a development technology means that this technology helps attackers to exploit those vulnerabilities if they exist in the tested apps.

For example, in 2019 a vulnerability discovered in python 2.x was giving attackers a way to bypass security mechanisms to exploit the directory traversal in web applications.

Security bypass

In some cases, the software development technology security issue gives the attackers the ability to bypass some security controls like the one mentioned in the directory traversal vulnerabilities. Most of the time this security issue has a big impact on the application.

The reason behind this impact is that peoples who develop secure apps and are very careful about putting in place those controls, usually do that because they have some critical assets to protect. Therefore, having this kind of vulnerability in their apps makes it very difficult for them to protect their users and assets and puts them in face of cyber-attacks without protection.

Here is another example of such a security issue that was discovered last month 2021-05 on python 3.9.5. This vulnerability gives attackers the possibility to bypass the IP source control, which means leaving web applications without protections against this kind of vulnerabilities.

Conclusion

You should know that most of the discussed vulnerabilities in this article, can also be discovered in other more “closed” technologies like ASP.NET and others. However, because of their nature, the discovered vulnerabilities in those closed technologies are fixed as soon as they get discovered.

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *