Two things interested me right away about this application. The first was that I was able to register my own user account and access the application. The second was that I might have potential code execution on the server itself, since I would be able to run any Python code.
So I created a user account which allows me to access the application right away. I walk through the application a bit and find out that I need to create a worksheet to be able to write my own code. I type some Python code into the box provided and press the “evaluate” button, sure enough:
Well… That was simple enough… But maybe print is allowed, let’s try some other stuff.
At this point we can already go ahead and say this is going to be our entry point into this server, as we have operating system command execution. After poking around a bit on the server, this made the pentest go from good to great:
Go ahead and take a look at that for a second… See the problem? Why on earth would anyone set /etc/shadow as world readable?! Sure enough:
At this point I got tired of typing commands into os.system() and decided it would be easier just to spawn a reverse shell back to myself, so I used my preferred Linux reverse shell:
Running the shadow file through John the Ripper, I found that most of the accounts on the box were using weak passwords, and in some cases the password was the same as the username.
Recommendations
There are a couple “lessons learned” that should be taken out of this exercise:
- Do not allow for untrusted users to create accounts for themselves on your application. If necessary, moderate user creation so some random person on the Internet cannot just login.
- This application should have sandbox restrictions and should not allow for anyone to run their own code… for obvious reasons.
- Permissions are extremely important, especially in multi-user environments, and should be checked frequently.
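The world-readable /etc/shadow above is exactly the kind of misconfiguration the last recommendation is about. As an added example (not part of the original write-up), here is a small Python audit that flags sensitive files whose "other" read bit is set; the path list is an assumed baseline and the demo builds constructed temp files instead of touching the real system.

```python
import os
import stat
import tempfile

# Assumed baseline of files that should never be world-readable; adjust per host.
SENSITIVE_PATHS = ["/etc/shadow", "/etc/gshadow", "/etc/sudoers"]


def world_readable(mode: int) -> bool:
    """Return True if the 'other' read bit (o+r) is set on an st_mode value."""
    return bool(mode & stat.S_IROTH)


def audit_paths(paths):
    """Return (path, octal_permissions) for every existing path that is world-readable.

    Missing paths are skipped so the check can run unchanged across hosts.
    """
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if world_readable(st.st_mode):
            findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


def demo():
    """Constructed example: one file mimicking the misconfigured shadow file (0644),
    one with the usual restrictive mode (0640). Only the first should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "shadow")
        good = os.path.join(tmp, "gshadow")
        for name, mode in ((bad, 0o644), (good, 0o640)):
            open(name, "w").close()
            os.chmod(name, mode)
        return audit_paths([bad, good])


if __name__ == "__main__":
    for path, perms in audit_paths(SENSITIVE_PATHS) or demo():
        print(f"WORLD-READABLE: {path} ({perms})")
```

Run it from cron or a configuration-management check so a permission change like this shows up long before a pentester finds it.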