0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Python 3.6 audioop.lin2adpcm / audioop.adpcm2lin Buffer Over-Read Vulnerabilities

Author

John Leitch

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

Title: Python 2.7 and 3.4 to 3.6 audioop.adpcm2lin Buffer Over-read
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-audioop-adpcm2lin-Buffer-Over-read
Url2: http://bugs.python.org/issue24456
Resolution: Fixed

The Python 2.7, 3.4 - 3.6 audioop.adpcm2lin function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1545 of Modules\audioop.c:

    } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
        return 0;

    step = stepsizeTable[index];

    Because the index variable can be controlled via the third parameter of audioop.adpcm2lin, this behavior could potentially be exploited to disclose arbitrary memory, should an application expose the parameter to the attack surface.

0:000> r
eax=01f13474 ebx=00000000 ecx=00000002 edx=01f13460 esi=01f13460 edi=00000001
eip=1e01c4f0 esp=0027fcdc ebp=7e86ecdd iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
python27!audioop_adpcm2lin+0xe0:
1e01c4f0 8b04adb0dd1f1e  mov     eax,dword ptr python27!stepsizeTable (1e1fddb0)[ebp*4] ss:002b:183b9124=????????
0:000> k
ChildEBP RetAddr
0027fd18 1e0aafd7 python27!audioop_adpcm2lin+0xe0
0027fd30 1e0edd10 python27!PyCFunction_Call+0x47
0027fd5c 1e0f017a python27!call_function+0x2b0
0027fdcc 1e0f1150 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f11b2 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e11707a python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 python27!run_mod+0x2a
0027fe64 1e118760 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d python27!Py_Main+0x965
0027ff80 76477c04 python!__tmainCRTStartup+0x10f
0027ff94 7799ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000>

To fix this issue, it is recommended that bounds checking be performed prior to accessing stepsizeTable.

Title: Python 2.7 and 3.4 to 3.6 audioop.lin2adpcm Buffer Over-read
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-audioop-lin2adpcm-Buffer-Over-read
Url2: http://bugs.python.org/issue24457
Resolution: Fixed

The Python 2.7, 3.4 - 3.6 audioop.lin2adpcm function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1436 of Modules\audioop.c:

    } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
        return 0;

    step = stepsizeTable[index];

    Because the index variable can be controlled via the third parameter of audioop.lin2adpcm, this behavior could potentially be exploited to disclose arbitrary memory, should an application expose the parameter to the attack surface.

0:000> r
eax=00000001 ebx=00000001 ecx=2fd921bb edx=00000002 esi=00000001 edi=01e79160
eip=1e01c286 esp=0027fcdc ebp=df531970 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
python27!audioop_lin2adpcm+0xd6:
1e01c286 8b34adb0dd1f1e  mov     esi,dword ptr python27!stepsizeTable (1e1fddb0)[ebp*4] ss:002b:9b6c4370=????????
0:000> k
ChildEBP RetAddr
0027fd18 1e0aafd7 python27!audioop_lin2adpcm+0xd6
0027fd30 1e0edd10 python27!PyCFunction_Call+0x47
0027fd5c 1e0f017a python27!call_function+0x2b0
0027fdcc 1e0f1150 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f11b2 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e11707a python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 python27!run_mod+0x2a
0027fe64 1e118760 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d python27!Py_Main+0x965
0027ff80 76477c04 python!__tmainCRTStartup+0x10f
0027ff94 7799ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000>

To fix this issue, it is recommended that bounds checking be performed prior to accessing stepsizeTable.

#  0day.today [2024-06-28]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Python 3.6 audioop.lin2adpcm / audioop.adpcm2lin Buffer Over-Read Vulnerabilities

Report Error

Report Error