#############################################################################
#
# Lab Mouse Security Report
# LMS-2014-07-07-1
#

Report ID: LMS-2014-07-07-1

Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: [email protected]
Researcher Website: www.securitymouse.com

Vulnerability Status: Reported
Vulnerability Embargo: None

Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW, RCE
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: Critical

Vulnerability Scope:
All versions of the python-lz4 package prior to r119.
32bit variants of the package are critically affected.
64bit variants are deemed infeasible to exploit at this time.

Lab Mouse Security has engineered reliable RCE payloads for any application
that uses python-lz4, regardless of where or how the app uses the module in
its code base.

python2.7 was used in exploit development. python3 exploits have not been
written, but preliminary analysis shows it is likely at risk of reliable
RCE.

Criticality Reasoning
---------------------
Due to the way Python manages objects in memory, there are multiple ways to
craft a reliable exploit against python2.7 that will allow for RCE. It is
notable that Don A. Bailey designed his exploit to meet the following
conditions:
 - bypasses ASLR
 - bypasses NX
 - portable to any target architecture (tested on 32bit: ARM, x86)
 - no corresponding information disclosure is required to succeed, making
   this a 100% one-shot RCE for any python-lz4 use case

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run"
in the affected function. When certain payloads are processed, a pointer to
an output buffer can be set to an address outside of the output buffer. Since
the attacker can specify exact offsets in memory, it is very easy to create
a reliable RCE exploit.
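The literal-run length handling described above, as a constructed model added here for illustration (this is not python-lz4's or LZ4's own code). Pointers and lengths are modelled as uint32_t so the 32-bit wrap reproduces on any host; the buggy end-pointer check sits beside the hardened remaining-space check, and the length decoder refuses to let the accumulated length wrap.

```c
/* Constructed 32-bit model of LZ4-style literal-run handling (added example,
 * not python-lz4's code). Addresses are uint32_t offsets, not real pointers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LEN_OVERFLOW UINT32_MAX   /* sentinel: truncated input or wrapped length */

/* Decode a literal-run length: token high nibble, and if it is 15, add each
 * following byte until one is not 255. The accumulation is overflow-checked so
 * a long run of 0xFF bytes cannot wrap the 32-bit length. */
static uint32_t decode_literal_length(uint8_t token, const uint8_t *ip,
                                      size_t avail, size_t *consumed)
{
    uint32_t length = token >> 4;
    size_t i = 0;
    if (length == 15) {
        uint8_t s;
        do {
            if (i >= avail) return LEN_OVERFLOW;            /* truncated input */
            s = ip[i++];
            if (length > UINT32_MAX - s) return LEN_OVERFLOW; /* would wrap   */
            length += s;
        } while (s == 255);
    }
    *consumed = i;
    return length;
}

/* Buggy check: computes the copy end first. On a 32-bit target op + length
 * wraps below oend, the check passes, and op is later set outside the buffer. */
static int literal_fits_unsafe(uint32_t op, uint32_t oend, uint32_t length)
{
    uint32_t cpy = op + length;   /* wraps modulo 2^32 */
    return cpy <= oend;
}

/* Hardened check: compare the length against the space that actually remains;
 * no arithmetic here can wrap. */
static int literal_fits_safe(uint32_t op, uint32_t oend, uint32_t length)
{
    return op <= oend && length <= oend - op;
}

int main(void)
{
    uint32_t op = 0x08040000u, oend = 0x08041000u, len = 0xFFFFF000u; /* constructed */
    printf("unsafe check passes: %d, safe check passes: %d\n",
           literal_fits_unsafe(op, oend, len), literal_fits_safe(op, oend, len));
    return 0;
}
```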

The design of internal Python memory objects facilitates exploitation by
allowing the attacker to manipulate how and when an object in memory will be
scrubbed. The garbage collector can be triggered later, or the cleanup of
an object can be performed at the attacker's will. This allows for an attack
to occur at any time once the payload has corrupted memory, making it more
difficult to identify whether an attack has already occurred.

Vulnerability Resolution
------------------------
Resolved.

References
----------
https://github.com/steeve/python-lz4/commit/76c27bf5d52637b9a12de33b95bd884da2fed64d
http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

#
#############################################################################