Vulnerability Development mailing list archives

Re: Buffer overflow in Python code


From: "Ryan Permeh" <ryan () eEye com>
Date: Mon, 26 Nov 2001 10:45:20 -0800

Yes and no,  we released a sort of similar bug in asp, where fields were
overflowable.  Using unicode, we were able to upload an asp script and cause
an overflow that executed in system privs (unicode was not system).  I know
there are python ports to win32, so this could apply there too.  You need to
be able to get a script there in the first place, but then you may be able
to do more, perhaps at a higher context than what you need to upload a
script.  This may also be applicable to any type of embedded python system,
perhaps used by a suid program.  I know perl is embeddable, and I believe
that python is as well.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "Chris Ess" <azarin () tokimi net>
To: "Giorgio" <deneb () unixwave org>
Cc: <vuln-dev () securityfocus com>
Sent: Sunday, November 25, 2001 10:05 AM
Subject: Re: Buffer overflow in Python code


I've found a buffer overflow in Python 2.1.1 source code. (Maybe
there are many others.) The buffer overflow is in the file traceback.c
in the directory Python of the Python source code.

Simply, there's a sprintf done in this way:
sprintf(linebuf,FMT,filename,lineno,name) What causes the overflow is
the name parameter, which could be > 1000 (linebuf size). Alex Martelli
<aleax () aleax it> has submitted the bug on sourceforge as 485175, and
produced the following script to demonstrate the overflow:

Using the supplied script, I did achieve a segfault during the traceback
with Python 2.1.  However, I'm hard-pressed to figure out how one would
exploit this...  After all, the Python binary is rarely SUID or SGID.  (I
know it's not on my system.)

Is this a bug in the code?  Yes.

Is this a security concern?  Right now, I'm inclined to say 'no'.  However
if it is, I would appreciate being told why.

Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
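The defect discussed in the thread is an unbounded sprintf into a fixed 1000-byte linebuf, where a long function name overruns the buffer. The following C program is an added example, not code from CPython or from anyone in this thread: it shows the bounded form of that same call (snprintf with the return value checked), then feeds it a constructed 2000-byte name and confirms the bytes after the buffer are untouched. LINEBUF_SIZE mirrors the 1000-byte size mentioned in the post; the FMT layout is an assumption, not a quote from traceback.c.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CPython code: a bounded replacement for the
   sprintf(linebuf, FMT, filename, lineno, name) pattern the post
   describes. LINEBUF_SIZE mirrors the 1000-byte buffer mentioned;
   FMT is an assumed layout, not a quote from traceback.c. */
#define LINEBUF_SIZE 1000
#define FMT "  File \"%s\", line %d, in %s\n"

/* Format one traceback line into buf (bufsize bytes).
   Returns 0 if the whole line fit, 1 if it was truncated to fit,
   -1 on error. buf is always NUL-terminated on return. */
int format_traceback_line(char *buf, size_t bufsize,
                          const char *filename, int lineno, const char *name)
{
    int needed;
    if (bufsize == 0)
        return -1;
    /* snprintf never writes past bufsize bytes and reports how many
       characters the full line would have needed. */
    needed = snprintf(buf, bufsize, FMT, filename, lineno, name);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    return ((size_t)needed >= bufsize) ? 1 : 0;
}

/* A linebuf followed by a guard region, so a caller can confirm that an
   oversized name is truncated rather than written past the buffer end. */
struct guarded_linebuf {
    char linebuf[LINEBUF_SIZE];
    char guard[16];
};

/* Runs the bounded formatter with a constructed 2000-byte name.
   Returns 1 if the result was truncated and every guard byte survived,
   0 otherwise. */
int demo_long_name_is_contained(void)
{
    struct guarded_linebuf g;
    char longname[2001];
    int rc;
    size_t i;

    memset(longname, 'A', sizeof longname - 1);   /* constructed input */
    longname[sizeof longname - 1] = '\0';
    memset(g.guard, 0x7e, sizeof g.guard);

    rc = format_traceback_line(g.linebuf, sizeof g.linebuf,
                               "evil.py", 1, longname);
    if (rc != 1)
        return 0;
    if (strlen(g.linebuf) != LINEBUF_SIZE - 1)
        return 0;
    for (i = 0; i < sizeof g.guard; i++)
        if (g.guard[i] != 0x7e)
            return 0;
    return 1;
}

/* Ordinary case: a short name fits and the line is reproduced exactly. */
int demo_short_name_fits(void)
{
    char buf[LINEBUF_SIZE];
    int rc = format_traceback_line(buf, sizeof buf, "script.py", 42, "main");
    return rc == 0 &&
           strcmp(buf, "  File \"script.py\", line 42, in main\n") == 0;
}

int main(void)
{
    printf("short name fits: %s\n", demo_short_name_fits() ? "yes" : "no");
    printf("long name contained: %s\n",
           demo_long_name_is_contained() ? "yes" : "no");
    return 0;
}
```

The design point is that the bounded call reports truncation instead of silently cutting the line, so a caller (here, a traceback printer) can decide whether a clipped frame description is acceptable or should be flagged; the guard region is only there to make the containment observable in a test.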