[issue29150] Bad cast@ _mysql_ResultObject_Initialize() result in code execution

2017-01-04 Thread zeroinside

New submission from zeroinside:

Hello.
I found a vulnerability in the _mysql module.
PoC below:
#!/usr/bin/python2.7
import _mysql
RDX=0x
payload="A"*2048
_mysql.result(payload,RDX)


It's an exploitable bug, I'm working on an exploit.
(gdb) run mysql.py 
Starting program: /usr/bin/python2.7 mysql.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x738e7f3c in mysql_use_result () from /usr/lib/libmysqlclient.so.18
(gdb) info reg
rax    0x4141414141414141   4702111234474983745
rbx    0x77e91b90   140737352637328
rcx    0x0  0
rdx    0x   1717986918
rsi    0x77eb1ec0   140737352769216
rdi    0x557f9890   93824995006608
rbp    0x7fffe120   0x7fffe120
rsp    0x7fffe0a8   0x7fffe0a8
r8     0x7fffdd00   140737488346368
r9     0x7fffdd80   140737488346496
r10    0x557824f0   93824994518256
r11    0x2  2
r12    0x557560a0   93824994336928
r13    0x0  0
r14    0x77e939c7   140737352645063
r15    0x77e91b90   140737352637328
rip    0x738e7f3c   0x738e7f3c
eflags 0x10206  [ PF IF RF ]
cs     0x33 51
ss     0x2b 43
ds     0x0  0
es     0x0  0
fs     0x0  0
gs     0x0  0
(gdb) disas $rip
Dump of assembler code for function mysql_use_result:
   0x738e7f30 <+0>:  push   %rbp
   0x738e7f31 <+1>:  mov    0x4d0(%rdi),%rax
   0x738e7f38 <+8>:  mov    %rsp,%rbp
   0x738e7f3b <+11>: pop    %rbp
=> 0x738e7f3c <+12>: mov    0x18(%rax),%rax
   0x738e7f40 <+16>: jmpq   *%rax
End of assembler dump.
(gdb)

--
components: Library (Lib)
messages: 284629
nosy: zeroinside
priority: normal
severity: normal
status: open
title: Bad cast@ _mysql_ResultObject_Initialize() result in code execution
type: security
versions: Python 2.7

___
Python tracker 
<http://bugs.python.org/issue29150>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

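The crash above is a type-confusion pattern: the first argument to _mysql.result() is cast to a connection object without a type check, so mysql_use_result() follows a pointer chain through the bytes of whatever object was passed (the 0x4141... in RAX). The stand-alone C model below is an added example, not code from the reporter or from the _mysql module; object_header, conn_object, str_object and the type tags are simplified stand-ins for the CPython structures, and the hardened variant applies the same check that PyArg_ParseTuple's "O!" format performs before any cast.

```c
/* Added example: model of the unchecked-cast bug and its fix.  No Python.h;
 * the object layouts below are constructed stand-ins, not CPython's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; } type_object;
typedef struct { const type_object *ob_type; } object_header;

/* Stand-in for the MYSQL handle: driver methods reached through a pointer,
 * mirroring the mov 0x4d0(%rdi),%rax / mov 0x18(%rax),%rax / jmpq *%rax chain. */
typedef struct { int (*use_result)(void); } mysql_methods;
typedef struct { object_header ob; const mysql_methods *methods; } conn_object;

/* Stand-in for a str object: same header, then raw character data.  When a
 * str is mis-cast to conn_object, 'methods' overlays the first 8 data bytes. */
typedef struct { object_header ob; char data[2048]; } str_object;

static int real_use_result(void) { return 1; }
static const mysql_methods real_methods = { real_use_result };
static const type_object Connection_Type = { "_mysql.connection" };
static const type_object Str_Type = { "str" };

/* Constructed sample objects: a genuine connection and an "A"*2048 payload. */
static conn_object sample_conn = { { &Connection_Type }, &real_methods };
static str_object sample_payload;

static void build_payload(void) {
    sample_payload.ob.ob_type = &Str_Type;
    memset(sample_payload.data, 'A', sizeof sample_payload.data);
}

/* Buggy pattern: cast first, ask questions never.  Passing sample_payload here
 * reads a function pointer from 0x4141414141414141 and crashes. */
static int result_init_unchecked(object_header *arg) {
    conn_object *conn = (conn_object *)arg;
    return conn->methods->use_result();
}

/* Hardened pattern: verify the type tag before the cast, as "O!" does. */
static int result_init_checked(object_header *arg) {
    if (arg->ob_type != &Connection_Type) {
        fprintf(stderr, "TypeError: argument 1 must be %s, not %s\n",
                Connection_Type.name, arg->ob_type->name);
        return -1;
    }
    return ((conn_object *)arg)->methods->use_result();
}
```

The model deliberately never calls result_init_unchecked() on the payload object, since doing so reproduces the segfault rather than demonstrating the check.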


[issue29398] memory corruption in xxlimited

2017-01-31 Thread zeroinside

New submission from zeroinside:

Hello
I found incorrect gc behavior in the xxlimited module.
After an hour of investigation, I'm still not sure it's a security-related problem.
I have partial control of the RBP register, depending on the memory layout.

GDB:
Starting program: /usr/bin/python3.6 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Python 3.6.0 (default, Jan 16 2017, 12:12:55) 
[GCC 6.3.1 20170109] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import xxlimited
>>> a=xxlimited.new()
>>> del a

Program received signal SIGSEGV, Segmentation fault.
0x773d612d in PyArena_Free () from /usr/lib/libpython3.6m.so.1.0
(gdb) info reg
rax    0x77457270   140737341911664
rbx    0x77f812b8   140737353618104
rcx    0x62aa00 6466048
rdx    0x77457270   140737341911664
rsi    0x1  1
rdi    0x77f81300   140737353618176
rbp    0x50a29  0x50a29
rsp    0x7fffe210   0x7fffe210
r8     0x77f81000   140737353617408
r9     0x1c 28
r10    0x1b 27
r11    0x12300  74496
r12    0x77f812b8   140737353618104
r13    0x6fafd0 7319504
r14    0x73e7b570   140737285436784
r15    0x73e7b5a0   140737285436832
rip    0x773d612d   0x773d612d
eflags 0x10202  [ IF RF ]
cs     0x33 51
ss     0x2b 43
ds     0x0  0
es     0x0  0
fs     0x0  0
gs     0x0  0

root@/home/zeroinside/python/pyburst3.6/crash $ /usr/local/bin/python3.6 xlimited_poc.py
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x0008 (pc 0x00557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
    #3 0x7970c0 in _PyEval_EvalFrameDefault /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:2187:19
    #4 0x7aef44 in PyEval_EvalFrameEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:718:12
    #5 0x7aef44 in _PyEval_EvalCodeWithName /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4119
    #6 0x79571c in PyEval_EvalCodeEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4140:12
    #7 0x79571c in PyEval_EvalCode /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:695
    #8 0x5295e7 in run_mod /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:980:9
    #9 0x5295e7 in PyRun_FileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:933
    #10 0x527e75 in PyRun_SimpleFileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:396:13
    #11 0x55340c in run_file /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:320:11
    #12 0x55340c in Py_Main /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:780
    #13 0x519776 in main /home/zeroinside/Downloads/Python-3.6.0/./Programs/python.c:69:11
    #14 0x7f0300e01290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #15 0x432179 in _start (/usr/local/bin/python3.6+0x432179)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING

--
components: Build
files: xlimited.py
messages: 286536
nosy: zeroinside
priority: normal
severity: normal
status: open
title: memory corruption in xxlimited
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file46465/xlimited.py

___
Python tracker 
<http://bugs.python.org/issue29398>