Exploit the possiblities

Python 3.6 audioop.lin2adpcm Buffer Over-Read

Python 3.6 audioop.lin2adpcm Buffer Over-Read
Posted Nov 2, 2015
Authored by John Leitch

Python versions 2.7 and 3.4 through 3.6 audioop.lin2adpcm function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1436 of Modules\audioop.c.

tags | advisory, python
MD5 | 8fd04559881dffdf8c326ab397ef5309

Python 3.6 audioop.lin2adpcm Buffer Over-Read

Change Mirror Download
Title: Python 2.7 and 3.4 to 3.6 audioop.lin2adpcm Buffer Over-read
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-audioop-lin2adpcm-Buffer-Over-read
Url2: http://bugs.python.org/issue24457
Resolution: Fixed

The Python 2.7, 3.4 - 3.6 audioop.lin2adpcm function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1436 of Modules\audioop.c:

} else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
return 0;

step = stepsizeTable[index];

Because the index variable can be controlled via the third parameter of audioop.lin2adpcm, this behavior could potentially be exploited to disclose arbitrary memory, should an application expose the parameter to the attack surface.

0:000> r
eax=00000001 ebx=00000001 ecx=2fd921bb edx=00000002 esi=00000001 edi=01e79160
eip=1e01c286 esp=0027fcdc ebp=df531970 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
python27!audioop_lin2adpcm+0xd6:
1e01c286 8b34adb0dd1f1e mov esi,dword ptr python27!stepsizeTable (1e1fddb0)[ebp*4] ss:002b:9b6c4370=????????
0:000> k
ChildEBP RetAddr
0027fd18 1e0aafd7 python27!audioop_lin2adpcm+0xd6
0027fd30 1e0edd10 python27!PyCFunction_Call+0x47
0027fd5c 1e0f017a python27!call_function+0x2b0
0027fdcc 1e0f1150 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f11b2 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e11707a python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 python27!run_mod+0x2a
0027fe64 1e118760 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d python27!Py_Main+0x965
0027ff80 76477c04 python!__tmainCRTStartup+0x10f
0027ff94 7799ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000>

To fix this issue, it is recommended that bounds checking be performed prior to accessing stepsizeTable.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close