Python 2.7 : Buffer Overflow vulnerability in exec() function

[hadimene]

BPO	32757
Nosy	@brettcannon, @terryjreedy, @ncoghlan, @benjaminp, @serhiy-storchaka, @1st1, @MojoVampire
Files	poc.py poc-print.py

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2018-03-15.08:21:20.442>
created_at = <Date 2018-02-03.17:09:12.166>
labels = ['interpreter-core', 'type-crash']
title = 'Python 2.7 : Buffer Overflow vulnerability in exec() function'
updated_at = <Date 2018-03-15.08:21:54.599>
user = 'https://bugs.python.org/hadimene'

bugs.python.org fields:

activity = <Date 2018-03-15.08:21:54.599>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2018-03-15.08:21:20.442>
closer = 'serhiy.storchaka'
components = ['Interpreter Core']
creation = <Date 2018-02-03.17:09:12.166>
creator = 'hadimene'
dependencies = []
files = ['47422', '47423']
hgrepos = []
issue_num = 32757
keywords = []
message_count = 7.0
messages = ['311561', '311562', '311563', '311564', '311918', '311919', '311943']
nosy_count = 8.0
nosy_names = ['brett.cannon', 'terry.reedy', 'ncoghlan', 'benjamin.peterson', 'serhiy.storchaka', 'yselivanov', 'josh.r', 'hadimene']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue32757'
versions = ['Python 2.7']

[hadimene]

Hello !

Recently while debugging my python code I discovered an stack-based Buffer overflow Vulnerability in Python 2.7 and lower versions .
This vulnerability is caused by exec() builtin function when we create "recursive" function using exec() ...

Example :
We want to Print "hello World !" str and we encode print "hello world" ) using chr() or unichr()

print "hello World "

becomes

exec(chr(112)+chr(114)+chr(105)+chr(110)+chr(116)+chr(40)+chr(39)+chr(104)+chr(101)+chr(108)+chr(108)+chr(111)+chr(32)+chr(119)+chr(111)+chr(114)+chr(108)+chr(100)+chr(32)+chr(33)+chr(32)+chr(39)+chr(41)+chr(10)+chr(35))

and if we re-encode the result : exec() the result would be

exec(chr(101)+chr(120)+chr(101)+chr(99)+chr(40)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(53)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(54)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(49)+chr(52)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(56)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(51)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(50)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(57)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(52)+chr(49)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(49)+chr(48)+chr(41)+chr(43)+chr(99)+chr(104)+chr(114)+chr(40)+chr(51)+chr(53)+chr(41)+chr(41)+chr(35))

If you do this manipulation 6-7 times and you run the encoded script then the Python Interpreter program will crash with a Segmentation Fault as error :
(https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-191359.png)

We can check the Segmentation Fault using gdb ( GNU Debugger ) https://lepetithacker.files.wordpress.com/2018/01/capture-dc3a9cran-2018-01-31-202241.png )

To get an Segmentation Fault error you can just run poc.py !

Conclusion

In my opinion , to patch this vulnerability developers need to give more memory/buffer to the exec() arguments , and verify if the buffer can contains exec() arguments in integrality without any overflow !
An attacker could control the memory of an server written in python if the builtin function exec() is used and python version i of the server is 2.7 or lower (every version of python2 could be vulnerable like Python 2.9 but I didn't tried yet )

[MojoVampire]

A server that exposes arbitrary exec's to user-submitted data can already be controlled. exec can do anything that Python can do, that's the whole point. Sure, crashing Python is bad, but it could also keep Python alive and start dumping the database to arbitrary people, deleting files, etc.

Also, your Proof of Concept code is cluttered with pointless garbage AFAICT. Do you really need all the unused multiline strings to trigger this?

[hadimene]

Hello !

Thanks for the fast response but I tested and print() appears to be vulnerable too using chr() characters and yes the junk comments are useless ...

[hadimene]

the comments lines are not needed !

[terryjreedy]

I am pretty sure that if one deletes the prefix 'exec(' and suffic ')' and just executes argument expression that has something on the order of 10000 chr(nn) calls added together, one would get the same result. In other words, I believe that the outer exec and the origin of the expression and the individual nn values are irrelevant.

It is known that the Python compiler handles at least some recursive expressions with recursion and therefore has limits on the complexity of expressions it can handle. The stackoverflow crash, instead of an exception, *is* a bug. It was fixed sometime in 3.x. With 3.6.4:

C:\Users\Terry>python f:/dev/tem/poc.py
RecursionError: maximum recursion depth exceeded during compilation

Perhaps one of the compiler experts knows whether the fix cannot be backported (within reasonable effort) or just has not been.

[terryjreedy]

bpo-32758 is about situations where stackoverflow *can* occur in 3.x.

[serhiy-storchaka]

I was going to write that this issue was fixed in Python 3 and it was decided to not backport the fix to Python 2. This is mostly true. But unfortunately there is a similar way of crashing Python 3
(bpo-32758).

This isn't a vulnerability. To exploit this bug the attacker need ability to execute an arbitrary code. An in that case crashing Python is not the worst result.

This bug can cause a problem with generated code (as in your joke example). In any case I have doubts that the fix for Python 3 will be backported to Python 2. I don't see a simple solution, the code of Python 2 and Python 3 is different enough, and there is less than 2 years of official support of Python 2.7 left. I suggest to close this issue with the resolution "wont fix".