[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Nick Coghlan ncoghlan at gmail.com
Tue Feb 25 14:41:54 CET 2014

On 25 Feb 2014 23:23, "Donald Stufft" <donald at stufft.io> wrote:
> On Feb 25, 2014, at 8:17 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > On Tue, 25 Feb 2014 08:08:09 -0500
> > Donald Stufft <donald at stufft.io> wrote:
> >>
> >> Hash randomization is broken and doesn't fix anything.
> >
> > Not sure what you mean with "doesn't fix anything". Hash collisions were
> > easy to exploit pre-hash randomization, they doesn't seem as easy to
> > exploit with it.
> Instead of pre-generating one set of values that can be be used to DoS
> you have to pre-generate 256 sets of values and try them until you get the
> right one. It's like putting on armor made of paper and saying it's
harder to
> stab you now.

This isn't quite correct - the hash randomisation can at least be combined
with aggressive process recycling to present a moving target that is harder
to attack. Without any hash randomisation at all, process recycling can't
help in the slightest.

SIPHash is still the real fix, although the reality remains that an
attacker that really wants to bring a site down is likely to achieve their
aims, regardless of whether or not there's a specific DoS vulnerability in
the application server.


> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140225/0e50a393/attachment.html>

More information about the Python-Dev mailing list