Steven D'Aprano
An example of how to hack your way out of a Python sandbox:
Now that we can build any function we want, what can we do? We can’t
directly access the non-restricted builtins: the functions we craft are
still executed in the restricted environment. We can get a non-sandboxed
function to call us: the auth function calls the __len__ method of the
object that we pass as a parameter. This is however not enough to get
out of the sandbox: our globals are still the same and we can’t for
example import a module. I tried to look at all the classes we could
access via the __subclasses__ trick to see if we could get a reference
to a useful module through there, but no dice. Even getting Twisted to
call one of our crafted functions via the reactor was not enough. We
could try to get a traceback object and use it to browse the stack
frames of our callers, but the only trivial ways to get a traceback
object are via the inspect or the sys modules which we can’t import.
After being blocked on that problem, I went to work on other problems,
slept a lot, and woke up to the solution I needed!
http://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/
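
An added example (not from the post or the linked write-up) of the two observations in the quoted passage, useful when reviewing a builtins-stripping sandbox: a callback invoked by unsandboxed host code still resolves names through the sandbox's own globals, while the class graph stays reachable without any builtin names. `SAFE_BUILTINS`, `host_auth` and the `Probe` snippet are constructed stand-ins, not the CTF's real code.

```python
import builtins

# Constructed whitelist standing in for a "restricted builtins" sandbox
# (an assumption for illustration, not the setup from the linked write-up).
SAFE_BUILTINS = {
    "__build_class__": builtins.__build_class__,
    "NameError": NameError,
    "len": len,
}

# Constructed untrusted snippet: defines an object whose __len__ the host will call.
UNTRUSTED = '''
class Probe:
    def __len__(self):
        try:
            open                      # resolved through the function's own builtins
            self.sees_open = True
        except NameError:
            self.sees_open = False
        return 0

probe = Probe()
# The type graph is reachable without any builtin names at all.
reachable = len(().__class__.__base__.__subclasses__())
'''


def host_auth(obj):
    """Hypothetical unsandboxed host function that calls len() on its argument."""
    return len(obj) == 0


def run_demo():
    sandbox_globals = {"__builtins__": SAFE_BUILTINS, "__name__": "sandbox"}
    exec(UNTRUSTED, sandbox_globals)
    probe = sandbox_globals["probe"]
    host_auth(probe)  # host frame has full builtins; the callback frame does not
    return {
        "callback_sees_open": probe.sees_open,
        "callback_uses_sandbox_globals":
            type(probe).__len__.__globals__ is sandbox_globals,
        "classes_reachable": sandbox_globals["reachable"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The non-zero `classes_reachable` count is the part a reviewer should weigh: every class loaded in the host process is visible to the restricted code, so the whitelist bounds name lookup, not the object graph.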