[issue41208] An exploitable segmentation fault in marshal module
Iman Sharafodin
report at bugs.python.org
Sat Jul 4 07:56:29 EDT 2020
New submission from Iman Sharafodin <iman.sharafodin at gmail.com>:
It seems that all versions of Python 3 are vulnerable to de-marshaling the attached file (Python file is included). I've tested on Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2. This is due to lack of proper validation at Objects/tupleobject.c:413 (heads/master:b40e434).
This is the result of GDB's Exploitable plugin (it's exploitable):
Description: Access violation during branch instruction
Short description: BranchAv (4/22)
Hash: e04b830dfb409a8bbf67bff96ff0df44.4d31b48b56e0c02ed51520182d91a457
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on a branch instruction, which may indicate that the control flow is tainted.
Other tags: AccessViolation (21/22)
----------
components: Interpreter Core
files: Crash.zip
messages: 372990
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: An exploitable segmentation fault in marshal module
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file49295/Crash.zip
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41208>
_______________________________________
More information about the Python-bugs-list
mailing list