[New-bugs-announce] [issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

[hadimene]

New submission from hadimene <hadimenez at gmail.com>:

Hello !

Recently while debugging my python code I discovered an stack-based Buffer overflow Vulnerability in Python 2.7 and lower versions .
This vulnerability is caused by exec() builtin function when we create "recursive" function using exec() ...

Example :
We want to Print "hello World !" str and we encode print "hello world" ) using chr() or unichr()

print "hello World " 

becomes

exec(chr(112)+chr(114)+chr(105)+chr(110)+chr(116)+chr(40)+chr(39)+chr(104)+chr(101)+chr(108)+chr(108)+chr(111)+chr(32)+chr(119)+chr(111)+chr(114)+chr(108)+chr(100)+chr(32)+chr(33)+chr(32)+chr(39)+chr(41)+chr(10)+chr(35))

and if we re-encode the result : exec() the result would be

exec(chr(101)+chr(120)+chr(101)+chr(99)+chr(40)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(53)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(54)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(51)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(53)+chr(41)+chr(41)+chr(35))

If you do this manipulation 6-7 times and you run the encoded script then the Python Interpreter program will crash with a Segmentation Fault as error :
(https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-191359.png)

We can check the Segmentation Fault using gdb ( GNU Debugger ) https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-202241.png )

To get an Segmentation Fault error you can just run poc.py !

Conclusion

In my opinion , to patch this vulnerability developers need to give more memory/buffer to the exec() arguments , and verify if the buffer can contains exec() arguments in integrality without any overflow !
An attacker could control the memory of an server written in python if the builtin function exec() is used and python version i of the server is 2.7 or lower (every version of python2 could be vulnerable like Python 2.9 but I didn't tried yet )

----------
components: Interpreter Core
files: poc.py
messages: 311561
nosy: hadimene
priority: normal
severity: normal
status: open
title: Python 2.7 : Buffer Overflow vulnerability in exec() function
type: security
versions: Python 2.7
Added file: https://bugs.python.org/file47422/poc.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32757>
_______________________________________