VYPR
High severity · NVD Advisory · Published May 17, 2005 · Updated Apr 16, 2026

CVE-2005-1632

Description

Cheetah 0.9.15 and 0.9.16 search /tmp for modules before PYTHONPATH, allowing local users to execute arbitrary code via a malicious module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Cheetah versions 0.9.15 and 0.9.16 have a module search order flaw. When importing modules, Cheetah checks the /tmp directory before the paths specified in the PYTHONPATH environment variable. This allows a local attacker to place a malicious Python module in /tmp that will be loaded instead of the intended module. The issue was reported in a mailing list discussion [1] and confirmed in the NVD entry [2].

Exploitation

An attacker with local access to the system can create a malicious .py or .pyc file in /tmp with the same name as a module that a Cheetah-based application imports. When the application runs and Cheetah attempts to import that module, it will load the attacker's module from /tmp instead of the legitimate module from PYTHONPATH. No special privileges are required beyond the ability to write to /tmp. The attacker does not need to modify the application's code or configuration.

Impact

Successful exploitation allows the attacker to execute arbitrary Python code with the privileges of the user running the Cheetah application. This can lead to full compromise of the application's data and functionality, including potential privilege escalation if the application runs with elevated permissions. The impact is limited to local users, but on multi-user systems it poses a significant risk.

Mitigation

The vulnerability exists in Cheetah 0.9.15 and 0.9.16. According to the mailing list discussion [1], the issue was acknowledged and a fix was likely applied in subsequent releases. Users should upgrade to a version newer than 0.9.16. As of the publication date (2005-05-17), no specific patch version is mentioned in the references. A workaround is to ensure that /tmp is not writable by untrusted users or to configure the system to restrict module loading from world-writable directories. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
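The flaw described under "Vulnerability" is a search-order problem: a world-writable directory (/tmp) sits ahead of the PYTHONPATH entries, so any module name resolved through that path can be shadowed by a file an unprivileged local user drops there. The workaround above ("restrict module loading from world-writable directories") can be checked and enforced from Python itself. The following is an added example written for this page, not code from Cheetah or the NVD entry: it audits a module search path for world-writable entries, reports which of them precede the first PYTHONPATH entry, and returns a pruned path. The sample search path, PYTHONPATH value and directory modes are constructed for the demo; `install_hardening` is a hypothetical helper that applies the same pruning to the live `sys.path`.

```python
"""Audit and prune a module search path for world-writable directories.

Added example for CVE-2005-1632 (not Cheetah's own code). The sample
path and modes below are constructed to mirror the advisory: /tmp is
consulted before the directory named in PYTHONPATH.
"""
import os
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (hypothetical paths and modes, not taken from a real host).
SAMPLE_SEARCH_PATH = ["/tmp", "/opt/app/lib", "/usr/lib/python2.4"]
SAMPLE_PYTHONPATH = "/opt/app/lib"
SAMPLE_MODES: Dict[str, int] = {
    "/tmp": 0o41777,              # drwxrwxrwt: world-writable with sticky bit
    "/opt/app/lib": 0o40755,      # drwxr-xr-x
    "/usr/lib/python2.4": 0o40755,
}

ModeLookup = Callable[[str], Optional[int]]


def mode_from_table(table: Dict[str, int]) -> ModeLookup:
    """Mode lookup backed by a constructed table (used for the offline demo)."""
    return lambda path: table.get(path)


def mode_from_fs(path: str) -> Optional[int]:
    """Mode lookup backed by the real filesystem; None if the entry is missing."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def split_pythonpath(value: str) -> List[str]:
    """PYTHONPATH is os.pathsep-separated; empty components are ignored."""
    return [p for p in value.split(os.pathsep) if p]


def is_world_writable(mode: Optional[int]) -> bool:
    """True if 'other' has write permission on the directory.

    The sticky bit (set on /tmp) only stops users deleting each other's
    files; it does not stop a user creating a new module file, so it is
    deliberately not treated as a mitigation here.
    """
    return mode is not None and bool(mode & stat.S_IWOTH)


def audit_search_path(search_path: List[str], pythonpath: str,
                      mode_of: ModeLookup) -> List[Tuple[int, str, bool]]:
    """Return (index, entry, precedes_pythonpath) for each world-writable entry.

    precedes_pythonpath is True when the risky entry is searched before the
    first PYTHONPATH directory, i.e. when it can shadow the intended module.
    """
    pp_entries = set(split_pythonpath(pythonpath))
    first_pp = next((i for i, e in enumerate(search_path) if e in pp_entries),
                    len(search_path))
    findings = []
    for idx, entry in enumerate(search_path):
        if is_world_writable(mode_of(entry)):
            findings.append((idx, entry, idx < first_pp))
    return findings


def harden_search_path(search_path: List[str], mode_of: ModeLookup) -> List[str]:
    """Return a copy of the search path with world-writable entries removed."""
    return [e for e in search_path if not is_world_writable(mode_of(e))]


def install_hardening() -> List[str]:
    """Hypothetical helper: prune the running interpreter's sys.path in place.

    A workaround for hosts that cannot upgrade; it does not replace the upgrade.
    """
    import sys
    removed = [e for e in sys.path if is_world_writable(mode_from_fs(e))]
    sys.path[:] = harden_search_path(sys.path, mode_from_fs)
    return removed


if __name__ == "__main__":
    lookup = mode_from_table(SAMPLE_MODES)
    for idx, entry, shadows in audit_search_path(SAMPLE_SEARCH_PATH,
                                                 SAMPLE_PYTHONPATH, lookup):
        note = ", searched before PYTHONPATH" if shadows else ""
        print(f"[{idx}] {entry}: world-writable{note}")
    print("hardened search path:", harden_search_path(SAMPLE_SEARCH_PATH, lookup))
```

On the constructed sample the audit reports /tmp at index 0 as world-writable and ahead of the PYTHONPATH entry, and the hardened path drops it. Run against a real interpreter, `audit_search_path(sys.path, os.environ.get("PYTHONPATH", ""), mode_from_fs)` gives the same report for the live search order, which is a cheap check to add to a deployment test for any application that builds its own import path.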

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: cheetah (PyPI)
Affected versions: >= 0.9.15, <= 0.9.16
Patched versions: none listed

Affected products

4 entries
  • cpe:2.3:a:tavis_rudd:cheetah:0.9.15:*:*:*:*:*:*:*
  • cpe:2.3:a:tavis_rudd:cheetah:0.9.16:*:*:*:*:*:*:*
  • Cheetah/Cheetah (source: llm-create)
    Range: = 0.9.15, = 0.9.16
  • ghsa-coords
    Range: >= 0.9.15, <= 0.9.16

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.