eset/ipyida

Process hijacking in jupyter_client

moradek opened this issue · 1 comments

This problem is not related to the code of this project, but it is critical for this project.
In script localinterface.py of module jupyter_client, there is the code, that start ipconfig on Windows systems:

def _load_ips_ipconfig():
    """load ip addresses from `ipconfig` output (Windows)"""
    out = _get_output('ipconfig')
    
    lines = out.splitlines()
    addrs = []
    for line in lines:
        m = _ipconfig_ipv4_pat.match(line.strip())
        if m:
            addrs.append(m.group(1))
    _populate_from_list(addrs)

Definition of _get_output:

def _get_output(cmd):
    """Get output of a command, raising IOError if it fails"""
    startupinfo = None
    if os.name == 'nt':
        startupinfo = subprocess.STARTUPINFO()
        startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW
    p = Popen(cmd, stdout=PIPE, stderr=PIPE, startupinfo=startupinfo)
    stdout, stderr = p.communicate()
    if p.returncode:
        raise IOError("Failed to run %s: %s" % (cmd, stderr.decode('utf8', 'replace')))
    return stdout.decode('utf8', 'replace')

In fact this code start ipconfig with relative path.
So if IDA try to analyze file C:\Test\notepad.exe.i64, module jupyter_client will start C:\Test\ipconfig.exe:

hijacking

This is an upstream bug in Jupyter. Did you report it to them?