Date: Mon, 7 Jul 2014 10:50:32 -0600
From: "Don A. Bailey" <donb@...uritymouse.com>
To: oss-security@...ts.openwall.com
Subject: LMS-2014-07-07-1: python-lz4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All,

Please find the bug report for python-lz4 attached below.

Steeve Morin (@steeve), the maintainer of the python-lz4 package, has been
great to work with. He worked quickly to get the package up to date by this
morning.

Thanks,
Don A. Bailey
Founder / CEO
Lab Mouse Security
@InfoSecMouse
https://www.securitymouse.com/

#############################################################################
#
# Lab Mouse Security Report
# LMS-2014-07-07-1
#

Report ID: LMS-2014-07-07-1
Report Code Name: LAZARUS.7

Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb@...uritymouse.com
Researcher Website: www.securitymouse.com

Vulnerability Status: Reported
Vulnerability Embargo: None

Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW, RCE
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: Critical

Vulnerability Scope:
All versions of the python-lz4 package prior to r119.
32bit variants of the package are critically affected.
64bit variants are deemed infeasible to exploit at this time.

Lab Mouse Security has engineered reliable RCE payloads for any application
that uses python-lz4, regardless of where or how the app uses the module in
its code base.

python2.7 was used in exploit development. python3 exploits have not been
written, but preliminary analysis shows it is likely at risk to reliable
RCE.

Criticality Reasoning
---------------------
Due to the way Python manages objects in memory, there are multiple ways to
craft a reliable exploit against python2.7 that will allow for RCE. It is
notable that Don A. Bailey designed his exploit to meet the following
conditions:
 - bypasses ASLR
 - bypasses NX
 - portable to any target architecture (tested on 32bit: ARM, x86)
 - no corresponding information disclosure is required to succeed, making
   this a 100% one-shot RCE for any python-lz4 use case

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run"
in the affected function. When certain payloads are processed, a pointer to
an output buffer can be set to an address outside of the output buffer. Since
the attacker can specify exact offsets in memory, it is very easy to create
a reliable RCE exploit.

The design of internal Python memory objects facilitates exploitation by
allowing the attacker to manipulate how and when an object in memory will be
scrubbed. The garbage collector can be triggered later, or the cleanup of
an object can be performed at the attacker's will. This allows for an attack
to occur at any time once the payload has corrupted memory, making it more
difficult to identify whether an attack has already occurred.

Vulnerability Resolution
------------------------
Resolved.

References
----------
https://github.com/steeve/python-lz4/commit/76c27bf5d52637b9a12de33b95bd884da2fed64d
http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

#
#############################################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG
-----END PGP SIGNATURE-----

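Added example, not part of the report above and not code from python-lz4 or from the LZ4 project: a small C model of the literal-run bounds check the report describes. It parses a literal-run length the way the LZ4 block format encodes it (high nibble of the token, and when that is 15, further bytes each added in full until one is not 255), then applies two checks. The "vulnerable" check first computes op + length and compares the result with the end of the output buffer; modelled with 32-bit addresses, as a 32-bit build sees them, that addition wraps for a large enough length and the check passes. The "fixed" check compares the length with the space left, which cannot overflow. The output-buffer addresses, the requested length and the header bytes are constructed for the demonstration, and the checks are a simplification of what a real decoder does (the real code also reserves slack for wide copies), not a transcription of the actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output-buffer state modelled as 32-bit addresses (assumption: what a
   32-bit build of the decoder sees). */
typedef struct {
    uint32_t op;    /* current output pointer */
    uint32_t oend;  /* one past the end of the output buffer */
} out32_t;

/* Parse an LZ4 literal-run length: high nibble of the token, and when it is
   15, further bytes each added in full until one is not 255.  Returns the
   number of input bytes consumed, or 0 on truncated input. */
static size_t parse_literal_length(const uint8_t *in, size_t in_len, uint32_t *length)
{
    if (in_len == 0) return 0;
    size_t pos = 0;
    uint32_t len = (uint32_t)(in[pos++] >> 4);
    if (len == 15) {
        uint8_t s;
        do {
            if (pos >= in_len) return 0;
            s = in[pos++];
            len += s;                    /* attacker-controlled, unbounded sum */
        } while (s == 255);
    }
    *length = len;
    return pos;
}

/* Build the token plus extension bytes that encode literal length `want`.
   Constructed input for the demonstration; a few MB for lengths near 1 GiB. */
static uint8_t *build_literal_header(uint32_t want, size_t *out_len)
{
    if (want < 15) {
        uint8_t *one = malloc(1);
        if (!one) return NULL;
        one[0] = (uint8_t)(want << 4);
        *out_len = 1;
        return one;
    }
    uint32_t rest = want - 15;
    size_t n = 1 + rest / 255 + 1;
    uint8_t *buf = malloc(n);
    if (!buf) return NULL;
    buf[0] = 0xF0;                        /* literal nibble = 15, match nibble = 0 */
    memset(buf + 1, 0xFF, rest / 255);    /* full 255-byte steps */
    buf[n - 1] = (uint8_t)(rest % 255);   /* terminating byte, always < 255 */
    *out_len = n;
    return buf;
}

/* Vulnerable pattern: compute the run's end address, then compare.  In 32-bit
   arithmetic op + length can wrap around, so a huge length slips through. */
static int literal_fits_vulnerable(out32_t o, uint32_t length)
{
    uint32_t cpy = o.op + length;         /* may wrap */
    return cpy <= o.oend;
}

/* Hardened pattern: compare the length with the space that is left; no
   addition on the pointer, so nothing can wrap. */
static int literal_fits_fixed(out32_t o, uint32_t length)
{
    return length <= o.oend - o.op;
}

/* Parse a constructed header for `want`, then apply both checks.  Returns 1
   when the vulnerable check accepts a run the fixed check rejects, 0 when the
   two agree, -1 on allocation or parse failure. */
int demo_wraparound(uint32_t want, out32_t o, uint32_t *parsed)
{
    size_t hdr_len;
    uint8_t *hdr = build_literal_header(want, &hdr_len);
    if (!hdr) return -1;
    uint32_t length = 0;
    size_t used = parse_literal_length(hdr, hdr_len, &length);
    free(hdr);
    if (used != hdr_len) return -1;
    if (parsed) *parsed = length;
    return literal_fits_vulnerable(o, length) && !literal_fits_fixed(o, length);
}

int main(void)
{
    /* Constructed state: 0x1000 bytes of output space left, buffer ending
       at 0xC0000000 in the modelled 32-bit address space. */
    out32_t o = { 0xBFFFF000u, 0xC0000000u };
    uint32_t len = 0;
    int r = demo_wraparound(0x40001000u, o, &len);
    printf("length=0x%08x remaining=0x%x vulnerable-check-passes=%d fixed-check-passes=%d\n",
           len, o.oend - o.op, literal_fits_vulnerable(o, len), literal_fits_fixed(o, len));
    return r == 1 ? 0 : 1;
}
```

With the constructed state, a literal length of 0x40001000 makes op + length equal 0x100000000, which is 0 in 32-bit arithmetic, so the vulnerable comparison passes and the decoder would go on copying past the buffer; the same length against the 0x1000 bytes actually left is rejected by the hardened comparison. The header that encodes that length is about 4.2 MB of 0xFF bytes, which is why a 32-bit build is the practical target and why "the attacker can specify exact offsets" in the report: the wrapped pointer lands wherever the chosen length puts it.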