Re: Buffer overflow in Python code

From: Ryan Permeh (ryanat_private)
Date: Mon Nov 26 2001 - 10:45:20 PST

    Yes and no.  We released a sort of similar bug in ASP, where fields were
    overflowable.  Using Unicode, we were able to upload an ASP script and cause
    an overflow that executed with system privs (Unicode was not system).  I know
    there are Python ports to Win32, so this could apply there too.  You need to
    be able to get a script there in the first place, but then you may be able
    to do more, perhaps at a higher context than what you need to upload a
    script.  This may also be applicable to any type of embedded Python system,
    perhaps used by a suid program.  I know Perl is embeddable, and I believe
    that Python is as well.
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: "Chris Ess" <azarinat_private>
    To: "Giorgio" <denebat_private>
    Cc: <vuln-devat_private>
    Sent: Sunday, November 25, 2001 10:05 AM
    Subject: Re: Buffer overflow in Python code
    
    
    > > I've found a buffer overflow in the Python 2.1.1 source code. (Maybe
    > > there are many others.) The buffer overflow is in the file traceback.c
    > > in the directory Python of the Python source code.
    > >
    > > Simply, there's a sprintf done in this way:
    > > sprintf(linebuf,FMT,filename,lineno,name) What causes the overflow is
    > > the name parameter, which could be > 1000 (linebuf size). Alex Martelli
    > > <aleaxat_private> has submitted the bug on sourceforge as 485175, and
    > > produced the following script to demonstrate the overflow:
    >
    > Using the supplied script, I did achieve a segfault during the traceback
    > with Python 2.1.  However, I'm hard-pressed to figure out how one would
    > exploit this...  After all, the Python binary is rarely SUID or SGID.  (I
    > know it's not on my system.)
    >
    > Is this a bug in the code?  Yes.
    >
    > Is this a security concern?  Right now, I'm inclined to say 'no'.  However
    > if it is, I would appreciate being told why.
    >
    > Sincerely,
    > Chris Ess
    > System Administrator / CDTT (Certified Duct Tape Technician)
    >
    >
    >
    
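The sprintf pattern discussed in the thread, reduced to a stand-alone C example.  This is an added illustration, not code from Python's traceback.c or from any poster: the thread only names the buffer (linebuf, 1000 bytes), the macro (FMT) and the three arguments, so the format string below is an assumed one in the shape of a traceback line, and the 1500-byte function name is constructed to play the role of the PoC script's oversized name.  The unbounded form is kept only to show the reported pattern; the bounded form shows the usual fix (snprintf with the buffer size, and a truncation flag so the caller can tell the line was cut short rather than silently corrupted).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and format assumed for illustration: the thread gives linebuf as
 * 1000 bytes and the call as sprintf(linebuf, FMT, filename, lineno, name),
 * but does not quote FMT itself. */
#define LINEBUF_SIZE 1000
#define FMT "  File \"%s\", line %d, in %s\n"

/* The reported pattern: sprintf into a fixed-size stack buffer with no bound.
 * With a long enough name (or filename) this writes past the end of linebuf.
 * It is never called with oversized input here; it exists to show the shape. */
int format_line_unsafe(char *linebuf, const char *filename, int lineno,
                       const char *name)
{
    return sprintf(linebuf, FMT, filename, lineno, name);
}

/* How many bytes (excluding the NUL) the unbounded sprintf would emit for
 * these arguments.  snprintf with size 0 computes the length without writing. */
size_t bytes_sprintf_would_write(const char *filename, int lineno,
                                 const char *name)
{
    int n = snprintf(NULL, 0, FMT, filename, lineno, name);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the unbounded call overflow a LINEBUF_SIZE buffer?  (+1 for the NUL.) */
int would_overflow(const char *filename, int lineno, const char *name)
{
    return bytes_sprintf_would_write(filename, lineno, name) + 1 > LINEBUF_SIZE;
}

/* Bounded replacement: writes at most LINEBUF_SIZE bytes and always
 * NUL-terminates.  Returns 1 if the line was truncated (or formatting
 * failed), 0 if it fit, so the caller can report the truncation. */
int format_line_bounded(char *linebuf, const char *filename, int lineno,
                        const char *name)
{
    int n = snprintf(linebuf, LINEBUF_SIZE, FMT, filename, lineno, name);
    if (n < 0) {
        linebuf[0] = '\0';
        return 1;
    }
    return (size_t)n >= LINEBUF_SIZE;
}

/* Constructed input: a function name of `len` 'A's, standing in for the
 * oversized name the PoC script generates.  Caller frees the result. */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char linebuf[LINEBUF_SIZE];
    char *name = make_long_name(1500);
    if (name == NULL)
        return 1;

    printf("short name overflows linebuf? %d\n", would_overflow("t.py", 1, "f"));
    printf("1500-byte name overflows linebuf? %d\n", would_overflow("t.py", 1, name));

    int truncated = format_line_bounded(linebuf, "t.py", 1, name);
    printf("bounded call: truncated=%d, strlen(linebuf)=%zu\n",
           truncated, strlen(linebuf));

    free(name);
    return 0;
}
```

The check function is the useful part for a reviewer: any site where a fixed buffer receives attacker-influenced strings can be tested the same way, by computing the length snprintf would need before deciding whether the unbounded call is safe.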



    This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 11:00:43 PST