Yes and no. We released a sort of similar bug in ASP, where fields were overflowable. Using unicode, we were able to upload an ASP script and cause an overflow that executed in system privs (unicode was not system). I know there are python ports to win32, so this could apply there too. You need to be able to get a script there in the first place, but then you may be able to do more, perhaps at a higher context than what you need to upload a script. This may also be applicable to any type of embedded python system, perhaps used by a suid program. I know perl is embeddable, and I believe that python is as well.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "Chris Ess" <azarinat_private>
To: "Giorgio" <denebat_private>
Cc: <vuln-devat_private>
Sent: Sunday, November 25, 2001 10:05 AM
Subject: Re: Buffer overflow in Python code

> > I've found a buffer overflow in Python 2.1.1 source code. (Maybe
> > there're many others.) The buffer overflow is in the file traceback.c
> > in the directory Python of the Python source code.
> >
> > Simply, there's a sprintf done in this way:
> > sprintf(linebuf,FMT,filename,lineno,name)
> > What causes the overflow is the name parameter, which could be > 1000
> > (linebuf size). Alex Martelli <aleaxat_private> has submitted the bug
> > on sourceforge as 485175, and produced the following script to
> > demonstrate the overflow:
>
> Using the supplied script, I did achieve a segfault during the traceback
> with Python 2.1. However, I'm hard-pressed to figure out how one would
> exploit this... After all, the Python binary is rarely SUID or SGID. (I
> know it's not on my system.)
>
> Is this a bug in the code? Yes.
>
> Is this a security concern? Right now, I'm inclined to say 'no'. However,
> if it is, I would appreciate being told why.
>
> Sincerely,
> Chris Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
>
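The sprintf pattern quoted in the thread, as an added example that is not Python's own traceback.c nor any poster's code: a check for whether the unbounded sprintf would overrun the 1000-byte linebuf the thread mentions, beside a bounded snprintf replacement that reports truncation instead of writing past the buffer. The FMT string, the function names and the 1200-byte sample name are assumptions.

```c
/* Added example (not Python's traceback.c): the unbounded sprintf pattern
 * from the thread beside a bounded snprintf replacement. LINEBUF_SIZE is
 * the 1000-byte size the thread gives; FMT is an assumed format string. */
#include <stdio.h>
#include <string.h>

#define LINEBUF_SIZE 1000
#define FMT "  File \"%s\", line %d, in %s\n"

/* Bytes the formatted line needs, excluding the NUL. A zero-sized
 * snprintf only measures and writes nothing. */
size_t traceback_line_length(const char *filename, int lineno, const char *name)
{
    int n = snprintf(NULL, 0, FMT, filename, lineno, name);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if sprintf(linebuf, FMT, ...) would write past a LINEBUF_SIZE buffer. */
int would_overflow(const char *filename, int lineno, const char *name)
{
    return traceback_line_length(filename, lineno, name) + 1 > LINEBUF_SIZE;
}

/* Bounded replacement: never writes more than bufsize bytes (NUL included);
 * returns 1 if the line was truncated, 0 otherwise. */
int format_traceback_line(char *buf, size_t bufsize,
                          const char *filename, int lineno, const char *name)
{
    int n = snprintf(buf, bufsize, FMT, filename, lineno, name);
    return n < 0 || (size_t)n >= bufsize;
}

int main(void)
{
    char linebuf[LINEBUF_SIZE];
    char name[1201];                       /* constructed: 1200-byte name */
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    printf("sprintf would overflow: %d\n", would_overflow("x.py", 1, name));
    int truncated = format_traceback_line(linebuf, sizeof linebuf, "x.py", 1, name);
    printf("snprintf truncated: %d, stored %zu bytes\n", truncated, strlen(linebuf));
    return 0;
}
```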
This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 11:00:43 PST