msilib.OpenDatabase Type Confusion #68782
The msilib.OpenDatabase method suffers from a type confusion vulnerability caused by the behavior of MsiOpenDatabase(), the underlying win32 function utilized. This is due to the unorthodox handling of the szPersist parameter: when an MSIDBOPEN_* value is passed, it is treated as a predefined persistence mode. However, when a larger value is passed, it is treated as a string pointer, which is used as the path to a new file. Because the Python method msilib.OpenDatabase passes its persist parameter through to MsiOpenDatabase, it may be possible for an attacker to trigger the type confusion bug should the seemingly innocuous persist parameter be exposed as attack surface. This could have a few consequences:
A Python script that demonstrates the vulnerability is as follows:

```python
import msilib
msilib.OpenDatabase("", 0x41414141)
```

And it produces the following exception:

```
0:000> r
FAULTING_IP:
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
CONTEXT: 0000000 -- (.cxr 0x0;r)
FAULTING_THREAD: 00000d38
PROCESS_NAME: python.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000
EXCEPTION_PARAMETER2: 41414141
READ_ADDRESS: 41414141
FOLLOWUP_IP:
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: python.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 622e1fa1 to 757252aa
STACK_TEXT:
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: msi!CApiConvertString::operator unsigned short const *+1b1d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msi
IMAGE_NAME: msi.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5450468f
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_msi.dll!CApiConvertString::operator_unsigned_short_const_*
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_msi!CApiConvertString::operator_unsigned_short_const_*+1b1d
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_fill_pattern_41414141_c0000005_msi.dll!capiconvertstring::operator_unsigned_short_const_*
FAILURE_ID_HASH: {11693fba-32c4-0880-2440-574cbd780159}
Followup: MachineOwner
```

To fix the issue, msiopendb() should perform whitelist validation of the persist value to confirm that it is a valid MSIDBOPEN_* constant. A proposed patch is attached.
Attaching repro file.
Steve, please have a look.
I'm applying the patch, with one small change to pass through persist rather than assuming the variable exists. It'll be 2.7, 3.5 and default.
New changeset e524d5dc8767 by Steve Dower in branch '2.7':
New changeset fa89e107f43d by Steve Dower in branch '3.5':
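As an added illustration (not the reporter's repro and not the committed CPython patch), the whitelist validation the report proposes, written in Python so it can be checked on any platform: the MSIDBOPEN_* values are assumed from the Windows SDK header msi.h, and the wrapper only imports msilib after the persist argument has been accepted.

```python
# Added example, not code from the bug report or from CPython's _msi.c.
# MSIDBOPEN_* values assumed from the Windows SDK msi.h; on Windows the
# same names are exported by msilib itself.
MSIDBOPEN_READONLY = 0
MSIDBOPEN_TRANSACT = 1
MSIDBOPEN_DIRECT = 2
MSIDBOPEN_CREATE = 3
MSIDBOPEN_CREATEDIRECT = 4
MSIDBOPEN_PATCHFILE = 32  # flag that may be OR'ed onto a base mode

_BASE_MODES = {
    MSIDBOPEN_READONLY, MSIDBOPEN_TRANSACT, MSIDBOPEN_DIRECT,
    MSIDBOPEN_CREATE, MSIDBOPEN_CREATEDIRECT,
}


def is_valid_persist(persist):
    """True only for a predefined MSIDBOPEN_* mode (optionally | PATCHFILE).

    MsiOpenDatabase treats any other value of szPersist as a string pointer,
    so an arbitrary integer such as 0x41414141 must never be passed through.
    """
    if isinstance(persist, bool) or not isinstance(persist, int):
        return False
    base = persist & ~MSIDBOPEN_PATCHFILE
    return base in _BASE_MODES


def validate_persist(persist):
    """Return persist unchanged if whitelisted, else raise before any FFI call."""
    if not is_valid_persist(persist):
        raise ValueError("persist %r is not a valid MSIDBOPEN_* constant" % (persist,))
    return persist


def safe_open_database(path, persist):
    """Validate persist first, then defer to msilib.OpenDatabase (Windows only)."""
    validate_persist(persist)
    import msilib  # imported lazily: the module exists only on Windows builds
    return msilib.OpenDatabase(path, persist)
```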