[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-03-15 Thread Serhiy Storchaka

Change by Serhiy Storchaka :


--
type: security -> crash

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-03-15 Thread Serhiy Storchaka

Change by Serhiy Storchaka :


--
resolution:  -> wont fix
stage:  -> resolved
status: open -> closed




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-10 Thread Serhiy Storchaka

Serhiy Storchaka  added the comment:

I was going to write that this issue was fixed in Python 3 and it was decided 
not to backport the fix to Python 2. This is mostly true. But unfortunately 
there is a similar way of crashing Python 3
(issue32758).

This isn't a vulnerability. To exploit this bug the attacker needs the ability to 
execute arbitrary code. And in that case crashing Python is not the worst 
result.

This bug can cause a problem with generated code (as in your joke example). In 
any case I have doubts that the fix for Python 3 will be backported to Python 
2. I don't see a simple solution, the code of Python 2 and Python 3 is 
different enough, and there is less than 2 years of official support of Python 
2.7 left. I suggest closing this issue with the resolution "wont fix".

--




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-09 Thread Terry J. Reedy

Terry J. Reedy  added the comment:

#32758 is about situations where stack overflow *can* occur in 3.x.

--
nosy: +serhiy.storchaka




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-09 Thread Terry J. Reedy

Terry J. Reedy  added the comment:

I am pretty sure that if one deletes the prefix 'exec(' and suffix ')' and just 
executes the argument expression that has something on the order of 1 chr(nn) 
calls added together, one would get the same result.  In other words, I believe 
that the outer exec and the origin of the expression and the individual nn 
values are irrelevant.

It is known that the Python compiler handles at least some recursive 
expressions with recursion and therefore has limits on the complexity of 
expressions it can handle.  The stack overflow crash, instead of an exception, 
*is* a bug.  It was fixed sometime in 3.x.  With 3.6.4:

C:\Users\Terry>python f:/dev/tem/poc.py
RecursionError: maximum recursion depth exceeded during compilation

Perhaps one of the compiler experts knows whether the fix cannot be backported 
(within reasonable effort) or just has not been.

--
nosy: +benjamin.peterson, brett.cannon, ncoghlan, terry.reedy, yselivanov




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-03 Thread hadimene

hadimene  added the comment:

the comment lines are not needed!

--




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-03 Thread hadimene

hadimene  added the comment:

Hello !

Thanks for the fast response, but I tested and print() appears to be vulnerable 
too when using chr() characters, and yes, the junk comments are useless ...

--
Added file: https://bugs.python.org/file47423/poc-print.py




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-03 Thread Josh Rosenberg

Josh Rosenberg  added the comment:

A server that exposes arbitrary exec's to user-submitted data can already be 
controlled. exec can do anything that Python can do, that's the whole point. 
Sure, crashing Python is bad, but it could also keep Python alive and start 
dumping the database to arbitrary people, deleting files, etc.

Also, your Proof of Concept code is cluttered with pointless garbage AFAICT. Do 
you really need all the unused multiline strings to trigger this?

--
nosy: +josh.r




[issue32757] Python 2.7 : Buffer Overflow vulnerability in exec() function

2018-02-03 Thread hadimene

New submission from hadimene :

Hello !

Recently while debugging my Python code I discovered a stack-based buffer 
overflow vulnerability in Python 2.7 and lower versions.
This vulnerability is caused by the exec() builtin function when we create a 
"recursive" function using exec() ...

Example:
We want to print the "hello World !" str, and we encode print "hello world" using 
chr() or unichr()

print "hello World " 

becomes

exec(chr(112)+chr(114)+chr(105)+chr(110)+chr(116)+chr(40)+chr(39)+chr(104)+chr(101)+chr(108)+chr(108)+chr(111)+chr(32)+chr(119)+chr(111)+chr(114)+chr(108)+chr(100)+chr(32)+chr(33)+chr(32)+chr(39)+chr(41)+chr(10)+chr(35))

and if we re-encode the result : exec() the result would be

exec(chr(101)+chr(120)+chr(101)+chr(99)+chr(40)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(53)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(54)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(51)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(53)+chr(41)+chr(41)+chr(35))

If you do this manipulation 6-7 times and you run the encoded script then the 
Python Interpreter program will crash with a Segmentation Fault as error :
(https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-191359.png)

We can check the Segmentation Fault using gdb (GNU Debugger): 
https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-202241.png

To get an Segmentation Fault error you can just run poc.py !

Conclusion

In my opinion, to patch this vulnerability developers need to give more 
memory/buffer to the exec() arguments, and verify that the buffer can contain the 
exec() arguments in their entirety without any overflow!
An attacker could control the memory of a server written in Python if the 
builtin function exec() is used and the Python version of the server is 2.7 or 
lower (every version of Python 2 could be vulnerable, like Python 2.9, but I 
didn't try yet)

--
components: Interpreter Core
files: poc.py
messages: 311561
nosy: hadimene
priority: normal
severity: normal
status: open
title: Python 2.7 : Buffer Overflow vulnerability in exec() function
type: security
versions: Python 2.7
Added file: https://bugs.python.org/file47422/poc.py
