Open CodeForcer opened 4 years ago
nice thought. what about `os`, `subprocess` etc?
> what about `os`, `subprocess` etc?
Indeed. Without `exec`/`eval`, you can still download code, save it to a file, and run it with `os`/`subprocess`.
```python
import os
import subprocess

# List form runs without a shell, so "~" must be expanded explicitly
proc = subprocess.Popen(["python3", os.path.expanduser("~/scripts/test.py")], stdout=subprocess.PIPE)
(out, err) = proc.communicate()
```
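To make the point of this exchange concrete, here is an added example (not code from the thread or from Electrum) of what a denylist of `exec`/`eval` in a Python console actually catches. It parses each console input to an AST and flags direct calls to the two builtins; the constructed sample inputs show that the `subprocess` route discussed above is never flagged, because it names neither builtin. The function and sample names are assumptions of this example.

```python
import ast

# The builtins the proposal would disable in the console (toy denylist).
DENIED_CALLS = {"exec", "eval"}


def denied_calls(source: str) -> set:
    """Return the denylisted builtins that `source` calls directly.

    Walks the AST rather than matching substrings, so `eval (x)` and
    `eval(x)` are treated alike. Returns an empty set when nothing matches.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DENIED_CALLS:
                hits.add(node.func.id)
    return hits


def would_be_blocked(source: str) -> bool:
    """True if the denylist would refuse to run this console input."""
    return bool(denied_calls(source))


# Constructed console inputs (only parsed, never executed). The first two are
# what the proposal would stop; the third launches an external interpreter,
# as the thread points out, without ever naming exec or eval.
SAMPLE_INPUTS = {
    "eval": "eval(compile(payload, '<s>', 'exec'))",
    "exec": "exec(payload)",
    "subprocess": "import subprocess\nsubprocess.run(['python3', 'downloaded.py'])",
}


def audit(samples=SAMPLE_INPUTS) -> dict:
    """Map each sample name to whether the denylist would block it."""
    return {name: would_be_blocked(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, blocked in audit().items():
        print(f"{name:>10}: {'blocked' if blocked else 'allowed'}")
```

The `subprocess` sample coming back as allowed is the whole argument in one line: a denylist on two builtins narrows the console only cosmetically, which is why the thread ends up pointing at a user-facing warning rather than at blocking names.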
Note: same scammers as in https://github.com/spesmilo/electrum/issues/5668
Related: https://github.com/spesmilo/electrum/issues/3678, see in particular https://github.com/spesmilo/electrum/issues/3678#issuecomment-356341594. It was because of that issue that the social engineering warning was added (https://github.com/spesmilo/electrum/pull/3700).
> `proc = subprocess.Popen(["python3", "~/scripts/test.py"], stdout=subprocess.PIPE, shell=True)`

in this one, does the user need to have python installed, right?
> in this one, does the user need to have python installed, right?
Yes, although they could just run some commands to figure out the OS / CPU architecture, and download+run precompiled binaries.
this is basically a reiteration of the issue i reported which got assigned CVE-2018-6353, nice try tho. https://github.com/spesmilo/electrum/issues/3678
Recently a user on Reddit reported that a Bitcoin mixing service asked them to run a suspicious command inside their Electrum shell. I investigated the command and discovered it was a wallet stealing malware: https://github.com/CodeForcer/bitmixer-scam-analysis
I would like to propose that Electrum disable the use of `exec()` and `eval()` in the shell. This won't eliminate these kinds of attacks but will make them slightly more difficult.