Proof of concept exploit for Python Security Consideration
"logging: Logging configuration uses eval()"
eval() evaluates (executes) Python expressions, so a configuration loader that passes untrusted input to it is vulnerable to code execution.
This is one of those low-likelihood vulnerabilities where the attacker must be able to modify the module configuration. When the application loads the malicious configuration, the code is executed. Such an attack is possible if write access to configuration files is not restricted properly. Additionally, if an application exposes a socket server with logging.config.listen to listen for new configurations, a local attacker may be able to execute code with the privileges of the user running the process that calls logging.
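The mitigation for the socket case described above, as an added example that is not part of the original proof of concept: logging.config.listen accepts a verify callable (Python 3.4+) that receives the raw bytes sent to the listener and returns None to discard them, so unauthenticated configuration is never handed to the eval()-based loader. The HMAC-prefixed wire format, the key and the port are assumptions of this example.

```python
import hashlib
import hmac
import logging.config
from typing import Callable, Optional

# Wire format assumed by this example: HMAC-SHA256 tag (32 bytes) || config text
TAG_LEN = hashlib.sha256().digest_size


def make_verifier(key: bytes) -> Callable[[bytes], Optional[bytes]]:
    """Build a callable suitable for logging.config.listen(verify=...).

    The listener hands `verify` the raw bytes received on the socket.
    Returning None discards them; returning bytes applies them as the new
    configuration (and only then does the eval()-based loader see them).
    """

    def verify(data: bytes) -> Optional[bytes]:
        if len(data) <= TAG_LEN:
            return None  # too short to carry a tag and a config
        tag, body = data[:TAG_LEN], data[TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # unsigned or tampered config is dropped
        return body

    return verify


def sign_config(key: bytes, config_text: str) -> bytes:
    """Producer side: prefix the config text with its HMAC-SHA256 tag."""
    body = config_text.encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


if __name__ == "__main__":
    # Constructed demo key; in practice load it from a secret store.
    KEY = b"constructed-demo-key"
    # Constructed port; the listener binds to localhost only.
    listener = logging.config.listen(9030, verify=make_verifier(KEY))
    listener.start()
    try:
        listener.join()
    except KeyboardInterrupt:
        logging.config.stopListening()
```

Without a verify callable, any local process that can reach the listener port can push a configuration that the loader evaluates.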
UPDATE: Bandit (the security linter from PyCQA) accepted my PR for a plugin to audit for insecure usages of logging.config.listen.
Read more about how the proof of concept works here.
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.