Message-ID: <CAFkuX4ucnBWhqejXb+GtBysgY4DRfzFfw0SORe-wO+CU6GMaUQ@mail.gmail.com>
Date: Mon, 7 Jul 2014 10:50:32 -0600
From: "Don A. Bailey" <donb@...uritymouse.com>
To: oss-security@...ts.openwall.com
Subject: LMS-2014-07-07-1: python-lz4

Hello All,

Please find the bug report for python-lz4 attached below. Steeve Morin (@steeve), the maintainer of the python-lz4 package, has been great to work with. He worked quickly to get the package up to date by this morning.

Thanks,
Don A. Bailey
Founder / CEO
Lab Mouse Security
@InfoSecMouse
https://www.securitymouse.com/

#############################################################################
#
# Lab Mouse Security Report
# LMS-2014-07-07-1
#

Report ID: LMS-2014-07-07-1
Report Code Name: LAZARUS.7
Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb@...uritymouse.com
Researcher Website: www.securitymouse.com

Vulnerability Status: Reported
Vulnerability Embargo: None
Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW, RCE
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: Critical
Vulnerability Scope: All versions of the python-lz4 package prior to r119. 32bit variants of the package are critically affected. 64bit variants are deemed infeasible to exploit at this time.

Lab Mouse Security has engineered reliable RCE payloads for any application that uses python-lz4, regardless of where or how the app uses the module in its code base. python2.7 was used in exploit development. python3 exploits have not been written, but preliminary analysis shows it is likely at risk to reliable RCE.

Criticality Reasoning
---------------------
Due to the way Python manages objects in memory, there are multiple ways to craft a reliable exploit against python2.7 that will allow for RCE.
It is notable that Don A. Bailey designed his exploit to meet the following conditions:
- bypasses ASLR
- bypasses NX
- portable to any target architecture (tested on 32bit: ARM, x86)
- no corresponding information disclosure is required to succeed, making this a 100% one-shot RCE for any python-lz4 use case

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run" in the affected function. When certain payloads are processed, a pointer to an output buffer can be set to an address outside of the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable RCE exploit.

The design of internal Python memory objects facilitates exploitation by allowing the attacker to manipulate how and when an object in memory will be scrubbed. The garbage collector can be triggered later, or the cleanup of an object can be performed at the attacker's will. This allows for an attack to occur at any time once the payload has corrupted memory, making it more difficult to identify whether an attack has already occurred.

Vulnerability Resolution
------------------------
Resolved.
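The bounds-check pattern behind the literal-run overflow described above, written out as an added illustration for this report; it is not python-lz4's code and not the diff in the referenced commit. The token layout follows the LZ4 block format (literal length in the token's high nibble, extended by further bytes when it is 15); the function and helper names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Literal-run handling for an LZ4-style block, written as an illustration
 * for this report (not python-lz4's code). Token high nibble = literal
 * length; 15 means more length bytes follow, each adding its value, until
 * a byte other than 255. The unsafe check is on pointers, if (op + len >
 * oend), which an attacker-chosen len can wrap on 32-bit so the check
 * passes; comparing len against the remaining capacity cannot wrap. */
int decode_literal_run(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len,
                       size_t *in_used, size_t *out_used)
{
    size_t ip = 0, len;
    if (in_len == 0)
        return -1;
    len = in[ip++] >> 4;
    if (len == 15) {                    /* extended length bytes */
        uint8_t s;
        do {
            if (ip >= in_len)           /* length bytes run past the input */
                return -1;
            s = in[ip++];
            len += s;
            if (len > out_len)          /* bounds the sum as it is built */
                return -1;
        } while (s == 255);
    }
    /* Length against remaining space on both sides, never op + len. */
    if (len > out_len || len > in_len - ip)
        return -1;
    memcpy(out, in + ip, len);
    *in_used = ip + len;
    *out_used = len;
    return 0;
}

/* Check helper: offers out_len bytes of a 64-byte buffer; returns literals written, -1 if rejected. */
long try_literal_run(const uint8_t *in, size_t in_len, size_t out_len)
{
    uint8_t buf[64];
    size_t iu, ou;
    if (out_len > sizeof buf)
        out_len = sizeof buf;
    if (decode_literal_run(in, in_len, buf, out_len, &iu, &ou) != 0)
        return -1;
    return (long)ou;
}
```

The rejected inputs are constructed samples: a run whose declared length exceeds the literals actually present, and an extended length that outgrows the output buffer while it is still being summed.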
References
----------
https://github.com/steeve/python-lz4/commit/76c27bf5d52637b9a12de33b95bd884da2fed64d
http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

#
#############################################################################