Ghost vulnerability
Steven D'Aprano
steve+comp.lang.python at pearwood.info
Tue Feb 3 21:13:58 EST 2015
Anssi Saari wrote:
> Steven D'Aprano <steve+comp.lang.python at pearwood.info> writes:
>
>> Here's the one-liner:
>>
>> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>>
>>
>> I think it is likely that y="0"*50000000 would segfault due to lack of
>> memory on many machines. I wouldn't trust this as a test.
>
> Hmm, how much RAM does that one-liner actually need? My router has 128
> MB total RAM with about 90 MB free. So it can store the string once but
> if it's copied with the gethostbyname call then it'll run out...
In Python 2, "0" is a byte (plus object header), so about 50MB give or take.
In Python 3, "0" is a unicode string, so depending on whether you have a
"narrow" or "wide" build, or version 3.3+, that could take 1, 2 or 4 bytes
per character. So potentially 50, 100 or 200MB (plus a few extra bytes for
the object header).
> Anyways, here's an example calling gethostbyname directly in python:
>
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
>     o.gethostbyname('0'*i)   # Python 2 str, so ctypes passes a char*
>
> I don't have a vulnerable system to test on any more though.
I stuck a "print i" just before the call to gethostbyname, and it got to i = 1004 and then crashed:
*** glibc detected *** python2.7: realloc(): invalid next size: 0x08b9a7c0 ***
with a page or three of diagnostics.
--
Steve
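The loop above finds the bug by letting glibc scribble over the Python interpreter's own heap until malloc notices, which is why the failure shows up as a realloc() abort at some arbitrary i. A probe that supplies its own buffer to gethostbyname_r() and watches a canary placed right after it gives a deterministic yes/no instead. The following is an added example, not code from the thread; it follows the layout of the test program in the Qualys GHOST advisory (1024-byte buffer, a 16-byte address slot and two address pointers that glibc reserves before the hostname), and those sizes, the canary string and the buffer contents are constructed assumptions about glibc's internal layout, not anything the post states. Note that on Python 3 the name must be bytes, not str, or ctypes will pass a wide string and the probe silently tests nothing.

```python
import ctypes
import ctypes.util
import errno

# Constructed probe layout, modelled on the Qualys GHOST advisory's C test:
# a 1024-byte work buffer for gethostbyname_r() followed immediately by a
# canary. An unpatched glibc overwrites the canary; a fixed one returns ERANGE.
BUFLEN = 1024
CANARY = b"in_the_coal_mine"

# Internal sizes the advisory describes (assumptions about glibc's layout):
# a 16-byte address slot and an array of two address pointers that glibc
# places in the caller's buffer before copying the hostname.
ADDR_SLOT = 16
ADDR_PTRS = 2 * ctypes.sizeof(ctypes.c_void_p)


class Probe(ctypes.Structure):
    # c_char arrays have alignment 1, so the canary sits right after buffer.
    _fields_ = [("buffer", ctypes.c_char * BUFLEN),
                ("canary", ctypes.c_char * (len(CANARY) + 1))]


def ghost_name_length(buflen=BUFLEN):
    """Hostname length that passes the vulnerable size check exactly but,
    on an unpatched glibc, still needs one more pointer than was reserved.
    The trailing -1 is the NUL terminator."""
    return buflen - ADDR_SLOT - ADDR_PTRS - 1


def _libc():
    try:
        # Symbols already mapped into this process (Linux, macOS).
        return ctypes.CDLL(None, use_errno=True)
    except OSError:
        return ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)


def ghost_probe():
    """Return (verdict, canary_intact). Verdict is 'vulnerable',
    'not vulnerable', or 'inconclusive' (a libc without glibc's behaviour)."""
    libc = _libc()
    fn = getattr(libc, "gethostbyname_r", None)
    if fn is None:                       # e.g. macOS libc has no gethostbyname_r
        return "inconclusive", True
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_char_p, ctypes.c_void_p, ctypes.c_void_p,
                   ctypes.c_size_t, ctypes.POINTER(ctypes.c_void_p),
                   ctypes.POINTER(ctypes.c_int)]

    probe = Probe()
    probe.buffer = b"buffer"
    probe.canary = CANARY
    resbuf = ctypes.create_string_buffer(256)   # raw space for struct hostent, oversized on purpose
    result = ctypes.c_void_p()
    herrno = ctypes.c_int(0)
    # All-digit name: glibc treats it as an IPv4 literal (leading zeros are
    # accepted by inet_aton), so no DNS traffic happens. Must be bytes.
    name = b"0" * ghost_name_length()

    ret = fn(name, ctypes.addressof(resbuf), ctypes.addressof(probe), BUFLEN,
             ctypes.byref(result), ctypes.byref(herrno))

    canary_ok = probe.canary == CANARY
    if not canary_ok:
        return "vulnerable", False        # hostname copy ran past our buffer
    if ret == errno.ERANGE:
        return "not vulnerable", True     # fixed glibc refuses the undersized buffer
    return "inconclusive", True


if __name__ == "__main__":
    verdict, intact = ghost_probe()
    print("GHOST probe:", verdict,
          "(canary intact)" if intact else "(canary overwritten)")
```

Because the buffer is ours rather than Python's heap, the overflow on a vulnerable system lands in the canary instead of in malloc metadata, so the process does not abort and the check can be repeated or scripted across hosts. The ERANGE branch is what the fixed glibc returns because its size check now accounts for the extra pointer.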