Message313119
Hi Python security team,
My name is James Davis. I'm a security researcher at Virginia Tech.
The Python core (CPython) has 2 regular expressions vulnerable to catastrophic backtracking that look like potential DoS vectors.
The vulnerable expressions are listed below.
Each vulnerability has the following keys, explained in more detail below:
- pattern
- filesIn (as of December/January; I excluded any appearances in irrelevant-looking dirs, and in '.min' files)
- stringLenFor10Sec
- nPumpsFor10Sec
- attackFormat
- blowupCurve
The attack format describes how to generate an attack string.
On my machine, an attack string generated using nPumpsFor10Sec repetitions ("pumps") of the pump string(s) blocks the Python regex engine for 10 seconds, though this will vary based on your hardware.
Compose an attack string like this:
'prefix 1' + 'pump 1' X times + 'prefix 2' + 'pump 2' X times + ... + suffix
Example:
With pumpPairs: [{'prefix': 'a', 'pump': 'b'}], suffix: 'c', an attack string with three pumps would be:
abbbc
Catastrophic backtracking blows up at either an exponential rate or a super-linear (power law) rate.
The blowupCurve indicates how severe the blow-up is.
The 'type' is either EXP(onential) or POW(er law) in the number of pumps (x).
The 'parms' are the parameters for the two curve types. The second parameter is more important, because:
EXP: f(x) = parms[0] * parms[1]^x
POW: f(x) = parms[0] * x^parms[1]
JSON formatted:
Vuln 1:
{
  "attackFormat" : {
    "pumpPairs" : [
      {
        "pump" : "<a",
        "prefix" : "+OKa"
      }
    ],
    "suffix" : "+"
  },
  "blowupCurve" : {
    "parms" : [
      2.71096268836868e-08,
      1.83422078906374
    ],
    "type" : "POWER",
    "r2" : 0.997503282766243
  },
  "stringLenFor10Sec" : 96655,
  "nPumpsFor10Sec" : "48325",
  "pattern" : "\\+OK.*(<[^>]+>)",
  "filesIn" : [
    [
      "Lib/poplib.py"
    ]
  ]
}
Vuln 2:
{
  "blowupCurve" : {
    "parms" : [
      1.31911634447601e-08,
      1.89691808610459
    ],
    "r2" : 0.998387790742004,
    "type" : "POWER"
  },
  "stringLenFor10Sec" : 48328,
  "attackFormat" : {
    "pumpPairs" : [
      {
        "pump" : "\t",
        "prefix" : "\t"
      }
    ],
    "suffix" : "##"
  },
  "pattern" : "\\s*#?\\s*$",
  "filesIn" : [
    [
      "Lib/difflib.py"
    ]
  ],
  "nPumpsFor10Sec" : "48325"
}
Date | User | Action | Args
2018-03-02 00:36:19 | davisjam | set | recipients: + davisjam
2018-03-02 00:36:19 | davisjam | set | messageid: <1519950979.87.0.467229070634.issue32981@psf.upfronthosting.co.za>
2018-03-02 00:36:19 | davisjam | link | issue32981 messages
2018-03-02 00:36:19 | davisjam | create |
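A small measurement harness in the spirit of the report's methodology, added here as an example (it is not James Davis's tooling or CPython code): it composes strings per the attackFormat above, times an anchored match at modest pump counts, and fits the power-law curve that blowupCurve describes. The two patterns and attack formats are copied from the message; the pump counts and the 1.3 exponent threshold are my own choices.

```python
import math
import re
import time

# Constructed from the two entries in the message above (pattern + attackFormat).
REPORT = {
    "Lib/poplib.py": {"pattern": r"\+OK.*(<[^>]+>)", "suffix": "+",
                      "pumpPairs": [{"prefix": "+OKa", "pump": "<a"}]},
    "Lib/difflib.py": {"pattern": r"\s*#?\s*$", "suffix": "##",
                       "pumpPairs": [{"prefix": "\t", "pump": "\t"}]},
}

def build_attack_string(pump_pairs, suffix, n_pumps):
    """'prefix 1' + 'pump 1' * n + 'prefix 2' + 'pump 2' * n + ... + suffix."""
    return "".join(p["prefix"] + p["pump"] * n_pumps for p in pump_pairs) + suffix

def fit_blowup_curve(pumps, seconds):
    """Least-squares fit of seconds = parms[0] * pumps^parms[1] in log-log space.
    Returns (parms[0], parms[1], r2): the same three quantities as blowupCurve."""
    lx = [math.log(x) for x in pumps]
    ly = [math.log(y) for y in seconds]
    mx, my = sum(lx) / len(lx), sum(ly) / len(ly)
    slope = sum((x - mx) * (y - my) for x, y in zip(lx, ly)) / sum((x - mx) ** 2 for x in lx)
    intercept = my - slope * mx
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(lx, ly))
    ss_tot = sum((y - my) ** 2 for y in ly)
    return math.exp(intercept), slope, 1.0 - ss_res / ss_tot

def classify_blowup(exponent):
    """Exponent near 1 is linear; the report's entries sit near 1.8-1.9 (quadratic-like).
    The 1.3 cut-off is an arbitrary threshold chosen for this example."""
    return "LINEAR" if exponent < 1.3 else "POWER"

def measure(entry, pump_counts):
    """Time one anchored match per pump count. re.match is used so that a pattern with no
    literal prefix (the difflib one) is not also retried at every start offset by re.search;
    a floor keeps math.log defined for very fast runs."""
    regex = re.compile(entry["pattern"])
    timings = []
    for n in pump_counts:
        s = build_attack_string(entry["pumpPairs"], entry["suffix"], n)
        t0 = time.perf_counter()
        regex.match(s)
        timings.append(max(time.perf_counter() - t0, 1e-9))
    return timings

if __name__ == "__main__":
    counts = [1000, 2000, 4000, 8000]  # small pump counts: sub-second runs, not the 10 s figures
    for name, entry in REPORT.items():
        a, b, r2 = fit_blowup_curve(counts, measure(entry, counts))
        print(f"{name}: parms=[{a:.3g}, {b:.3f}] r2={r2:.4f} -> {classify_blowup(b)}")
```

The fitted exponent, not the absolute time, is the portable signal: hardware changes parms[0], while a super-linear parms[1] says the pattern's cost grows faster than its input.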