At Avi Networks, scalability, security, automation, and self-service are part of our core objectives to develop a world-class product that stands up to the requirements of the most demanding production environments. As with any service exposed to the Internet, network attacks exploiting vulnerabilities can put proxied assets at enormous risk. Such risks include but are not limited to the attacker taking full control of the victim network, accessing intellectual property, taking over resident hosts as zombies for Distributed Denial of Service (DDoS) attacks, and more.
Avi Vantage is architected from the ground up with security in mind. As an example, we are constantly looking at ways to limit exploitation possibilities arising out of vulnerable Python library calls. The risk arises when system commands are invoked through the shell using the Python module subprocess.
The use of shell to exploit systems is well-documented. Below we present our contribution through a Python module which helps invoke relatively complex multi-piped commands using subprocess' Popen() without passing the argument shell=True.
From the code above, we see that the function exec_cmd() recursively reads the output from the current process, and writes it to the input file descriptor of the next process. Failure in any of the called processes results in the function raising a CalledProcessError exception, similar to the one subprocess' check_call() and check_output() would generate.
Let's take an example which uses the class PyExecCmd. We assume a file named file2.txt exists in the current working directory, and we want to display the contents of the file.
On the Linux terminal:
The following is an excerpt from the Python terminal:
The class PyExecCmd can now be used to invoke complex piped commands without ever invoking the shell.
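The technique described above, as an added example that is not Avi's PyExecCmd code: one way to chain processes with Popen() and no shell=True, raising CalledProcessError when any stage fails. The function name run_pipeline and its list-of-argv-lists input are assumptions of this example.

```python
import subprocess


def run_pipeline(stages):
    """Run argv lists as stages[0] | stages[1] | ... without a shell.

    Returns the last stage's stdout as bytes. Raises CalledProcessError
    for the first stage that exits non-zero (including death by SIGPIPE).
    """
    if not stages or any(isinstance(a, (str, bytes)) or not a for a in stages):
        raise ValueError("each stage must be a non-empty argv list")
    procs = []
    upstream = subprocess.DEVNULL  # the first stage reads nothing from us
    output = b""
    try:
        for argv in stages:
            # shell defaults to False: the list is handed to the OS as an
            # argument vector, so ';', '|' or '$(...)' inside an argument
            # are plain characters, never shell syntax.
            proc = subprocess.Popen(list(argv), stdin=upstream,
                                    stdout=subprocess.PIPE)
            if procs:
                # Drop the parent's copy of the pipe so the writer gets
                # SIGPIPE if this stage exits before reading everything.
                procs[-1].stdout.close()
            procs.append(proc)
            upstream = proc.stdout
        output, _ = procs[-1].communicate()
    finally:
        for proc in procs:  # also runs if a later Popen() raised
            proc.stdout.close()
            proc.wait()
    for argv, proc in zip(stages, procs):
        if proc.returncode != 0:
            raise subprocess.CalledProcessError(proc.returncode, argv,
                                                output=output)
    return output


if __name__ == "__main__":
    # Constructed input: the first argument looks like a shell injection.
    hostile = "b; echo injected"
    print(run_pipeline([["printf", "%s\n", hostile, "a"], ["sort"]]))
```

Because every stage is an argv list, untrusted input can only ever be one argument of one program; it cannot add a stage or a command.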
Tweet me @sandeepvaday or comment here if you have similar suggestions or questions!