[Python-Dev] Re: mysnprintf broken

M.-A. Lemburg mal@lemburg.com
Mon, 26 Nov 2001 16:20:00 +0100
Neil Schemenauer wrote:
> 
> M.-A. Lemburg wrote:
> > Note that the version in Python does not result in *stack* overflows
> > which are the type of buffer overflow usually used in exploits.
> ...
> > The only attack on this kind of emulation is a denial of service
> > attack.
> 
> That is a bold statement to make.  It is also not true.  Heap overflows
> _can_ be exploited to execute arbitrary code.  I believe there was a
> phrack article a few years ago on the subject.

I know that they can be exploited (should have phrased the reply
more carefully), but I don't think that the exploits described
in phrack apply to Python's use of the memory buffer.

In case sprintf() overflows, Python will detect this and immediately
dump core. I don't see how this could be used by an attacker,
except for killing off processes (the DOS attack); the exploit
described in Phrack 57 (http://www.phrack.org/) only works on
systems which use Doug Lea's malloc implementation,
don't define snprintf() in their C lib and have sudo installed.
Should be a rather small share of installed OSes ;-)

> > In the 3 cases where this API is used in Python, an overflow
> > is not possible (unless the native sprintf() implementation
> > is broken).
> 
> That may be the case today but I'm sure that snprintf will start getting
> more use now that it is available.  We really should have a better
> implementation than mysnprintf.

No objection at all -- I wrote the emulation simply to add at least
some level of protection against buffer overflows for platforms
which don't provide snprintf() in their own C lib. Before that
Python used sprintf().

I suppose we could use the code from
stringobject.c:PyString_FromFormatV() as starting point for our own
little snprintf() implementation...

-- 
Marc-Andre Lemburg
CEO eGenix.com Software GmbH
______________________________________________________________________
Consulting & Company:                           http://www.egenix.com/
Python Software:                        http://www.lemburg.com/python/
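The overflow handling the post describes for the emulation (format into an oversized buffer, treat a detected overflow as fatal, otherwise truncate into the caller's buffer), as an added C example that is not part of the original message or of Python's mysnprintf.c. It assumes vsnprintf for the scratch formatting where the emulation used sprintf(), so the fatal path is reached by the length and sentinel check rather than after the heap has already been overrun; the constant SLACK, the function names and selfcheck() are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLACK 512  /* extra scratch room, matching the emulation's fixed slack */

/* Format into a heap scratch buffer of size + SLACK.  A result that does not
 * fit the scratch is fatal (the emulation's "detect and dump core"); anything
 * else is copied into str, truncated to size-1 bytes plus a NUL.  Returns the
 * untruncated length, or -1 when size is 0.  Assumption: vsnprintf formats the
 * scratch where the 2001 emulation used vsprintf, so an oversized result is
 * refused up front instead of overrunning the heap before the check runs. */
int bounded_snprintf(char *str, size_t size, const char *fmt, ...)
{
    size_t scratch_size = size + SLACK;
    char *scratch; va_list va; int len;

    if (size == 0)
        return -1;
    scratch = malloc(scratch_size);
    if (scratch == NULL)
        abort();
    scratch[scratch_size - 1] = '\0';   /* sentinel that must survive formatting */
    va_start(va, fmt);
    len = vsnprintf(scratch, scratch_size, fmt, va);
    va_end(va);
    if (len < 0 || (size_t)len >= scratch_size || scratch[scratch_size - 1] != '\0') {
        free(scratch);
        abort();                        /* overflow detected: fatal, never silent */
    }
    if ((size_t)len < size) {
        memcpy(str, scratch, (size_t)len + 1);
    } else {
        memcpy(str, scratch, size - 1); /* truncate but keep the terminator */
        str[size - 1] = '\0';
    }
    free(scratch);
    return len;
}

/* Exercises the fit, truncate and size-0 cases; returns 1 when all behave as documented. */
int selfcheck(void)
{
    char buf[8];
    if (bounded_snprintf(buf, sizeof buf, "%s-%d", "abc", 42) != 6 || strcmp(buf, "abc-42") != 0)
        return 0;
    if (bounded_snprintf(buf, sizeof buf, "%s", "0123456789") != 10 || strcmp(buf, "0123456") != 0)
        return 0;
    return bounded_snprintf(buf, 0, "x") == -1;
}
```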