
I am wondering what attacks would be theoretically possible against a Python script that executes a subprocess involving sudo. I know that asking for the sudo password using input() or getpass(), then passing it to the subprocess's stdin could be exploited since the password string would enter the Python script's memory. I also know about injection attacks, but let's consider a non-parameterized example like sudo whoami.

But what about the following, where the Python script and the subprocess share the stdin file handle:

    import subprocess

    p = subprocess.Popen("sudo whoami", shell=True, text=True)  # stdin is inherited, not piped
    stdout, stderr = p.communicate()  # (None, None): nothing was piped

In this case the stdin of the Python process is passed to the child, and sudo would read the password from it directly. Is there a way to grab the password - assuming the attacker has some access to the Python process's memory?

Attack scenarios:

  1. The attacker has compromised the target user through some other process, gained shell access, but does not know their sudo password. Then the target logs in and executes this Python script. Can the attacker fish the password out?
  2. Let's say that the script is a long running interactive app, like a custom command interpreter (similar to meterpreter). There is some vulnerability in another part of the script, like an unsafe eval(), which the attacker can control. What should the attacker do to get the password?
  • I'm not sure who is the attacker in your case. It cannot be the user executing the script - because they could of course do sudo stuff even without the script. It cannot be a compromised script either - because this could of course do anything. It also cannot be the attacker executing the script, since they have no more privileges using the script than they would have without. Commented Dec 1, 2024 at 11:49
  • @SteffenUllrich I updated my question to cover two cases where the attacker has control outside or inside the running Python process. Commented Dec 1, 2024 at 12:16
  • If the attacker can influence what the user is executing (like when using a vulnerability in the script), the attacker does not need to catch the sudo password but could simply execute their own sudo command, as long as the sudo session has not timed out. Commented Dec 1, 2024 at 16:12
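Added example (not code from the question or the comments): the two invocation patterns the question contrasts, side by side, plus the two sudo calls that matter for case 2 of the question and for the last comment. In `run_privileged` stdin is left alone, so the child inherits the terminal and sudo reads the password from it; the Python process never holds it. In `run_privileged_with_password` the password is read into a Python str and written to `sudo -S` over a pipe, which is the pattern that leaves it in process memory. `sudo_session_cached` uses `sudo -n true` to find out whether a cached credential is usable without any password, which is what an attacker with an `eval()` inside the process would try first, and `drop_sudo_timestamp` runs `sudo -k` so that a later compromise of the process cannot ride the session. The function names and the `sudo` parameter are assumptions of this example; the parameter exists so the functions can be exercised offline with a stand-in command instead of the real `sudo` binary.

```python
import subprocess
import sys

# Helper names below are assumed for this example, not taken from the question.
# `sudo` is overridable so the functions can be run offline with a stand-in.


def run_privileged(argv, sudo=("sudo",)):
    """Run argv under sudo and let sudo read the password itself.

    stdin is not redirected, so the child inherits this process's stdin
    (normally the terminal) and sudo prompts on, and reads from, that.
    The password never enters this process.  Only stdout/stderr are piped.
    argv is passed as a list, so no shell is involved and nothing in argv
    is parsed as shell syntax.  "--" stops sudo's own option parsing.
    """
    cmd = [*sudo, "--", *argv]
    p = subprocess.run(cmd, stdin=None, stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE, text=True)
    return p.returncode, p.stdout, p.stderr


def run_privileged_with_password(argv, password, sudo=("sudo",)):
    """The pattern the question warns against, shown for comparison.

    `sudo -S` reads the password from stdin, so it has to be held in a
    Python str and written to the pipe.  A str is immutable and cannot be
    zeroed, so the password stays in this process's heap until the object
    is freed and its memory is reused; anything that can read the process
    memory (case 2 in the question) or a core dump can recover it.
    """
    cmd = [*sudo, "-S", "--", *argv]
    p = subprocess.run(cmd, input=password + "\n", stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE, text=True)
    return p.returncode, p.stdout, p.stderr


def sudo_session_cached(sudo=("sudo",)):
    """True if sudo will run a command without prompting.

    `sudo -n` never prompts: it exits 0 if a cached credential is still
    valid and non-zero otherwise.  An attacker who controls an eval() in
    the process does not need the password while this returns True.
    """
    p = subprocess.run([*sudo, "-n", "true"], stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL)
    return p.returncode == 0


def drop_sudo_timestamp(sudo=("sudo",)):
    """Invalidate the cached credential (`sudo -k`) once the privileged
    step is done, so the session cannot be reused by code that later gains
    control of this process."""
    subprocess.run([*sudo, "-k"], check=False)


if __name__ == "__main__":
    # Interactive use: sudo prompts on the terminal, Python never sees the password.
    rc, out, err = run_privileged(["whoami"])
    print(rc, out.strip(), err.strip(), file=sys.stderr)
    drop_sudo_timestamp()
    print("session cached afterwards:", sudo_session_cached())
```

The stand-in used when running this offline is simply the Python interpreter with a `-c` one-liner that echoes its arguments (and, for the `-S` variant, the line it received on stdin), which makes visible that the inherited-stdin path hands nothing but argv to the child while the piped path hands it the password.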
