Vulnerability Development mailing list archives
Re: Buffer overflow in Python code
From: "Ryan Permeh" <ryan () eEye com>
Date: Mon, 26 Nov 2001 10:45:20 -0800
Yes and no. We released a sort of similar bug in ASP, where fields were overflowable. Using unicode, we were able to upload an ASP script and cause an overflow that executed in system privs (unicode was not system). I know there are Python ports to win32, so this could apply there too. You need to be able to get a script there in the first place, but then you may be able to do more, perhaps at a higher context than what you need to upload a script.

This may also be applicable to any type of embedded Python system, perhaps used by a suid program. I know Perl is embeddable, and I believe that Python is as well.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "Chris Ess" <azarin () tokimi net>
To: "Giorgio" <deneb () unixwave org>
Cc: <vuln-dev () securityfocus com>
Sent: Sunday, November 25, 2001 10:05 AM
Subject: Re: Buffer overflow in Python code
I've found a buffer overflow in Python 2.1.1 source code. (Maybe there're many others) The buffer overflow is in the file traceback.c in the directory Python of the Python source code. Simply there's a sprintf done in this way:

sprintf(linebuf,FMT,filename,lineno,name)

What causes the overflow is the name parameter, which could be > 1000 (linebuf size).

Alex Martelli <aleax () aleax it> has submitted the bug on sourceforge as 485175, and produced the following script to demonstrate the overflow:

Using the supplied script, I did achieve a segfault during the traceback with Python 2.1. However, I'm hard-pressed to figure out how one would exploit this... After all, the Python binary is rarely SUID or SGID. (I know it's not on my system.)

Is this a bug in the code? Yes. Is this a security concern? Right now, I'm inclined to say 'no'. However, if it is, I would appreciate being told why.

Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
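The unbounded sprintf into the 1000-byte linebuf described in the quoted report, next to a bounded form that reports truncation. This is an added example, not part of the original posts and not Python's own source; the format string TB_FMT, the helper names and the sample inputs are assumptions, since the thread only calls the format FMT.

```c
#include <stdio.h>
#include <string.h>

#define LINEBUF_SIZE 1000  /* buffer size quoted in the thread */
/* Assumed format string; the thread only refers to it as FMT. */
#define TB_FMT "  File \"%s\", line %d, in %s\n"

/* Pattern reported in the thread (unbounded, shown for contrast only):
 *     sprintf(linebuf, FMT, filename, lineno, name);
 * Nothing limits the expansion of name, so a long name runs past linebuf. */

/* Bounded form (hypothetical helper). Returns the length the full line
 * would need, or -1 on error. out is always NUL-terminated. */
int tb_format_line(char *out, size_t outsz,
                   const char *filename, int lineno, const char *name)
{
    int needed;
    if (out == NULL || outsz == 0)
        return -1;
    needed = snprintf(out, outsz, TB_FMT, filename, lineno, name);
    if (needed < 0)
        out[0] = '\0';
    return needed < 0 ? -1 : needed;
}

/* Constructed input: a function name made of len 'A' characters.
 * Returns 1 if the line was truncated, 0 if it fit, -1 on bad input;
 * *kept receives the number of bytes actually stored in linebuf. */
int demo_long_name(size_t len, size_t *kept)
{
    char linebuf[LINEBUF_SIZE];
    char name[4096];
    int needed;
    if (len >= sizeof name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    needed = tb_format_line(linebuf, sizeof linebuf, "demo.py", 1, name);
    *kept = strlen(linebuf);
    return needed >= 0 && (size_t)needed >= sizeof linebuf;
}

int main(void)
{
    size_t kept = 0;
    int truncated = demo_long_name(2000, &kept);
    printf("truncated=%d kept=%zu of %d\n", truncated, kept, LINEBUF_SIZE);
    return 0;
}
```

Checking the return value against the buffer size is what lets the caller log or reject an oversized name instead of silently emitting a cut-off line.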