Privilege Escalation via Python Library Hijacking (Conceptual Overview)
Python library hijacking occurs when privileged Python scripts import modules from directories writable by unprivileged users.
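What is Python Library Hijacking?
Python resolves an import by searching the directories listed in sys.path in order and loading the first match. If a writable directory appears early in the path, attackers can place malicious modules there, and those modules are loaded instead of the legitimate ones.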
How Library Hijacking Happens (High-Level)
- Root-owned Python script imports a module
- Module search path includes writable directory
- Attacker creates malicious module
- Script executes malicious code as root
Why Library Hijacking Is Dangerous
- Bypasses file permissions
- Difficult to detect
- Common in custom scripts
Real-World Example (Defensive View)
A backup script runs as root and imports a custom module from a directory writable by developers. A developer replaces the module, and the replacement's code runs as root the next time the backup script runs.
Detecting Library Hijacking Risks
- Check Python scripts for relative imports
- Review sys.path for writable directories
- Monitor module modifications
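One way to carry out the sys.path review above, as an added example that is not part of the original page: it flags search-path entries that are world- or group-writable, owned by an untrusted user, or missing where the nearest existing parent directory would let someone create them. The function names and the `trusted_uids` parameter are assumptions of this example, and the mode-bit checks assume a POSIX system.

```python
import os
import stat
import sys

def unsafe_reason(path, trusted_uids):
    """Explain why `path` is writable by someone other than a trusted owner."""
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return f"group-writable (gid {st.st_gid})"
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    return None

def audit_search_path(entries, trusted_uids=(0,)):
    """Return (position, entry, reason) for every unsafe module search path entry."""
    findings = []
    for position, entry in enumerate(entries):
        target = os.path.abspath(entry or os.getcwd())  # '' means current directory
        missing = not os.path.exists(target)
        while not os.path.exists(target):
            # A missing entry can be created by whoever can write to its
            # nearest existing ancestor, so judge that ancestor instead.
            target = os.path.dirname(target)
        reason = unsafe_reason(target, trusted_uids)
        if reason:
            if missing:
                reason = f"missing, and {target} is {reason}"
            findings.append((position, entry, reason))
    return findings

if __name__ == "__main__":
    # Run as the same user and with the same environment as the privileged script,
    # because PYTHONPATH and the working directory change the result.
    for position, entry, reason in audit_search_path(sys.path):
        print(f"sys.path[{position}] {entry!r}: {reason}")
```

A lower position means the entry is searched earlier, so a finding near the top of the list can shadow every module that would otherwise load from a later directory.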
Preventing Library Hijacking
- Use absolute imports
- Set a secure PYTHONPATH
- Install modules system-wide
- Use virtual environments
Key Takeaways
- Python path must be secure
- Audit privileged scripts
- Monitor module integrity
Python: Command Awareness
Common commands observed during audits when checking Python paths. Shown for defensive awareness only.
Python Path Discovery
- View Python sys.path
  Why used: Identify module search path.
  python3 -c "import sys; print(sys.path)"
Defender Takeaways
- Audit Python paths
- Remove writable directories
- Use secure import practices