
JythonModuleLoader vulnerable to code injection

Open calligraf0 opened this issue 5 months ago • 0 comments

Hi there, I couldn't find a security contact to report this to, so I opened an issue. I apologize if this is the wrong place for this kind of report.

Description

While developing a python plugin for Autopsy to extend it to support a project I am working on (shameless plug: https://github.com/mentat-is/gulp 😛) I stumbled upon an issue that made me dig deeper into the implementation of Autopsy's JythonModuleLoader.

While the code itself was indeed working (sort of) as expected, I noticed that the implementation was prone to injection via the module name and path. I put together a PoC for Windows (it also works on Linux, just change the command to kcalc or something else) to demonstrate the vulnerability:

Quick PoC

Creating a file in the python_modules or InternalPythonModules directory with the following name:

os;os.system('calc.exe').py

This will result in the calculator app popping up when modules are loaded at startup or when listed (e.g. via the Generate Report dialog).

Risks

As the execution of arbitrary code would of course still happen with a malicious module, this particular issue allows an attacker to reuse an existing module, by renaming it, to perform malicious actions while leaving its signature/hash untouched. This would essentially result in arbitrary code execution bypassing simple signature-based detection methods.

Given the requirements for this to be exploited are quite high, I'd not consider this to be a huge security risk, but still worthy of notice.

Also, Java isn't my primary language, but I am working on a patch and will provide a PR for review soon.

calligraf0, May 05 '25 17:05
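The report above describes a loader that derives a module name from a file name and splices it into a Jython `import` statement, so a file name containing a `;` turns one statement into two. The following is an added example (not code from this issue, not Autopsy's JythonModuleLoader, and not the reporter's pending patch) showing the defensive check a loader should apply before building that statement: accept only bare `.py` file names whose stem is a plain identifier and not a keyword. The `naive_import_statement` function reproduces the flawed pattern only so the hardened `build_import_statement` can be compared against it; the file names in `SAMPLE_FILES` are constructed for the demonstration.

```python
import keyword
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Constructed sample file names for the demonstration (not from any real install).
SAMPLE_FILES = [
    "my_ingest_module.py",
    "report_module.py",
    "os;os.system('calc.exe').py",  # the shape of the file name from the report
    "import.py",                     # identifier characters, but a Python keyword
    "../escape.py",                  # carries a path component
    "no_extension",                  # not a .py file at all
]

# A Jython/Python identifier: letters, digits and underscore, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def naive_import_statement(file_name: str) -> str:
    """The flawed pattern: strip '.py' and splice the rest straight into the statement.

    Any ';', newline or other syntax in the file name is handed to the interpreter as code.
    """
    return "import " + file_name[:-3]


def module_name_from_file(file_name: str) -> Optional[str]:
    """Return the bare module name for a plain '.py' file name, else None.

    Rejects anything with a directory component so the loader never walks out of
    the module directory it was pointed at.
    """
    p = PurePosixPath(file_name)
    if p.suffix != ".py" or p.name != file_name:
        return None
    return p.stem


def is_safe_module_name(name: str) -> bool:
    """Accept only ASCII identifiers that are not reserved words."""
    return bool(IDENT_RE.match(name)) and not keyword.iskeyword(name)


def build_import_statement(file_name: str) -> str:
    """Build the 'import <name>' statement only when the name cannot alter its meaning."""
    name = module_name_from_file(file_name)
    if name is None or not is_safe_module_name(name):
        raise ValueError(f"refusing to load module from file name {file_name!r}")
    return f"import {name}"


def classify(files: List[str]) -> Tuple[List[str], List[str]]:
    """Split file names into the statements a hardened loader would run and the names it rejects."""
    loadable, rejected = [], []
    for f in files:
        try:
            loadable.append(build_import_statement(f))
        except ValueError:
            rejected.append(f)
    return loadable, rejected


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_FILES)
    print("would load:", ok)
    print("rejected:  ", bad)
```

The naive form turns the report's file name into a statement with a second, unrelated command after the `;`; the hardened form rejects it before any string reaches the interpreter. The same identifier check should be applied to the module directory path when it is interpolated into `sys.path` manipulation or any other generated statement.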