Integer overflow in PyACL #1700

Closed
joshua-triplett-mandiant opened this issue May 11, 2021 · 0 comments · Fixed by #1701

Context
When an ACL is resized to add an ACE, it is possible to craft an integer overflow targeting the calculated required_size. This results in a smaller than required buffer allocation which causes its memcpy of the ACL data to result in a heap overflow.

Expected behavior and actual behavior

  • Expected Behavior: Throw an exception indicating that the ACE could not be added because there is not enough room left in the ACL before hitting the size limit.
  • Actual Behavior: The required_size is overflowed and the memcpy results in a heap overflow.

Steps to reproduce the problem
This was reproduced by adding roughly 1800 ACEs to an ACL. The exact count of ACEs that need to be added before reproducing the issue will vary based on the length of the SID in the ACE entry and the current size of the ACL being modified.
Reproduction Goal: Add an ACE to an ACL such that the new size would be larger than 0xFFFF.

Version of Python and pywin32
Tested on Python 3.5.2 with pywin32 b300
Appears to affect version b157 through b300

CVE
CVE-2021-32559 (Reserved)
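
The size calculation this issue describes, as an added example that is not pywin32's code or the fix merged in #1701: a simplified C model that assumes the required size is held in a 16-bit value (hence the 0xFFFF limit), shown unchecked and then with the bounds check the expected behavior calls for. All function names are hypothetical and the sizes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACL_MAX_SIZE 0xFFFFu /* size limit named in the issue */

/* Unchecked pattern: the sum is stored back into 16 bits and wraps. */
static uint16_t required_size_unchecked(uint16_t acl_size, uint16_t ace_size)
{
    return (uint16_t)(acl_size + ace_size);
}

/* Checked pattern: add in a wider type, refuse anything past the limit. */
static int required_size_checked(uint16_t acl_size, uint16_t ace_size,
                                 uint16_t *out)
{
    uint32_t total = (uint32_t)acl_size + (uint32_t)ace_size;
    if (total == 0 || total > ACL_MAX_SIZE)
        return -1;
    *out = (uint16_t)total;
    return 0;
}

/* Simplified resize (hypothetical helper): copy the old ACL bytes and append
 * one ACE. Returns NULL, copying nothing, when the ACE does not fit. */
static unsigned char *acl_grow(const unsigned char *acl, uint16_t acl_size,
                               const unsigned char *ace, uint16_t ace_size,
                               uint16_t *new_size)
{
    uint16_t required;
    if (required_size_checked(acl_size, ace_size, &required) != 0)
        return NULL; /* caller reports "not enough room left in the ACL" */
    unsigned char *buf = malloc(required);
    if (buf == NULL) return NULL;
    memcpy(buf, acl, acl_size);
    memcpy(buf + acl_size, ace, ace_size);
    *new_size = required;
    return buf;
}

int main(void)
{
    /* Constructed sizes: an ACL close to the limit plus one 0x24-byte ACE. */
    uint16_t a = 0xFFF0, e = 0x24, ok;
    printf("unchecked: 0x%04X\n", required_size_unchecked(a, e));
    printf("checked: %d\n", required_size_checked(a, e, &ok));
    return 0;
}
```

With the unchecked sum, a 0xFFF0-byte ACL plus a 0x24-byte ACE yields a required size of 0x0014, far smaller than the data that would then be copied into the allocation.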
