The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.

The Python developers discovered a flaw in the SimpleXMLRPCServer module. Python XML-RPC servers that used the register_instance() method to register an object, but do not have a _dispatch() method, allowed remote users to access or change function internals using the im_* and func_* attributes.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to Python Security Advisory PSF-2005-001,

The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a
_dispatch() method. Servers using only register_function() are not affected.

On vulnerable XML-RPC servers, a remote attacker may be able to view or modify globals of the module(s) containing the registered instance's class(es), potentially leading to data loss or arbitrary code execution. If the registered object is a module, the danger is particularly serious. For example, if the registered module imports the os module, an attacker could invoke the os.system() function.

Note: This vulnerability affects your system only if you're running SimpleXMLRPCServer-based server. This isn't harmful at all if you don't run any internet server written in Python or your server doesn't serve in XML-RPC protocol.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2005:108 advisory.

    Python is an interpreted, interactive, object-oriented programming language.

    An object traversal bug was found in the Python SimpleXMLRPCServer.  This     bug could allow a remote untrusted user to do unrestricted object traversal     and allow them to access or change function internals using the im_* and     func_* attributes.  The Common Vulnerabilities and Exposures project     (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue.

    Users of Python are advised to upgrade to these updated packages, which     contain backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200502-09 (Python: Arbitrary code execution through SimpleXMLRPCServer)

    Graham Dumpleton discovered that XML-RPC servers making use of the     SimpleXMLRPCServer library that use the register_instance() method to     register an object without a _dispatch() method are vulnerable to a     flaw allowing to read or modify globals of the associated module.
  Impact :

    A remote attacker may be able to exploit the flaw in such XML-RPC     servers to execute arbitrary code on the server host with the rights of     the XML-RPC server.
  Workaround :

    Python users that don't make use of any SimpleXMLRPCServer-based     XML-RPC servers, or making use of servers using only the     register_function() method are not affected.

Updated Python packages that fix a security issue are now available for Red Hat Enterprise Linux 3.

Python is an interpreted, interactive, object-oriented programming language.

An object traversal bug was found in the Python SimpleXMLRPCServer.
This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0089 to this issue.

Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct this issue.

A flaw in the python language was found by the development team. The SimpleXMLRPCServer library module could permit remote attackers unintended access to internals of the registered object or it's module, or possibly even other modules. This only affects python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers that only use the register_function() method are not affected.

The updated packages have been patched to prevent these problems.

The Python development team has discovered a flaw in their language package. The SimpleXMLRPCServer library module could permit remote attackers unintended access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected.

ID	Name	Product	Family	Severity
20694	Ubuntu 4.10 : python2.2, python2.3 vulnerability (USN-73-1)	Nessus	Ubuntu Local Security Checks	high
18972	FreeBSD : python -- SimpleXMLRPCServer.py allows unrestricted traversal (6afa87d3-764b-11d9-b0e7-0000e249a0a2)	Nessus	FreeBSD Local Security Checks	high
17188	RHEL 4 : python (RHSA-2005:108)	Nessus	Red Hat Local Security Checks	critical
16446	GLSA-200502-09 : Python: Arbitrary code execution through SimpleXMLRPCServer	Nessus	Gentoo Local Security Checks	high
16385	RHEL 3 : python (RHSA-2005:109)	Nessus	Red Hat Local Security Checks	high
16378	Mandrake Linux Security Advisory : python (MDKSA-2005:035)	Nessus	Mandriva Local Security Checks	high
16340	Debian DSA-666-1 : python2.2 - design flaw	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2005-0089

critical

Tenable Plugins

high

high

critical

high

high

high

high