Message 243257 - Python tracker (original) (raw)
The Python _winreg module suffers from a type confusion vulnerability: a plain integer can be passed in place of a PyHKEY instance and is used directly as a raw handle (pointer) value, e.g. `_winreg.QueryValue(0x41414141, "")`.
This behavior is due to the underlying PyHKEY_AsHKEY function of _winreg.c:
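/*
 * Convert a Python object into a Win32 HKEY.
 *
 * ob      : the object to convert — None (only if bNoneOK), a PyHKEY
 *           instance, or a Python int/long.
 * pHANDLE : out-parameter that receives the handle on success.
 * bNoneOK : whether None is accepted; None maps to a NULL handle.
 *
 * Returns TRUE on success, FALSE with a Python exception set otherwise.
 *
 * Note: an int/long is accepted as a raw handle value and converted with
 * PyLong_AsVoidPtr; nothing checks that the value names a real, open key.
 * The resulting HKEY is then handed to the Win32 registry APIs by the
 * _winreg functions (QueryValue, EnumValue, ...), so any integer a caller
 * supplies becomes an arbitrary pointer-sized handle at that boundary.
 */
BOOL PyHKEY_AsHKEY(PyObject *ob, HKEY *pHANDLE, BOOL bNoneOK)
{
    if (ob == Py_None) {
        if (!bNoneOK) {
            PyErr_SetString(PyExc_TypeError,
                            "None is not a valid HKEY in this context");
            return FALSE;
        }
        *pHANDLE = (HKEY)0;
    }
    else if (PyHKEY_Check(ob)) {
        /* A genuine PyHKEY wrapper: unwrap the handle it holds. */
        PyHKEYObject *pH = (PyHKEYObject *)ob;
        *pHANDLE = pH->hkey;
    }
    else if (PyInt_Check(ob) || PyLong_Check(ob)) {
        /* <<<<<< if ob is an int/long, this path is taken. */
        /* We also support integers */
        /* Clear any stale error so the PyErr_Occurred() check below
         * reflects only this conversion. */
        PyErr_Clear();
        /* <<<<<< ob is cast to a void * here, with no validation of the value. */
        *pHANDLE = (HKEY)PyLong_AsVoidPtr(ob);
        if (PyErr_Occurred())
            return FALSE;
    }
    else {
        PyErr_SetString(PyExc_TypeError,
                        "The object is not a PyHKEY object");
        return FALSE;
    }
    return TRUE;
}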
When ob is an int or long, the function converts it to a `void *` and uses that value directly as the HKEY. This code path is reachable from many of the _winreg functions, such as QueryValue, QueryValueEx and EnumValue.
0:000> r
eax=41414140 ebx=0027fbc8 ecx=00000000 edx=00000000 esi=770e351e edi=00000000
eip=74bf9af3 esp=0027f738 ebp=0027f764 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
RPCRT4!NDRCContextBinding+0x13:
74bf9af3 81780498badcfe cmp dword ptr [eax+4],0FEDCBA98h ds:002b:41414144=????????
0:000> k
ChildEBP RetAddr
0027f764 74c0390c RPCRT4!NDRCContextBinding+0x13
0027f774 74c86dce RPCRT4!ExplicitBindHandleMgr+0x33
0027fba8 770e625c RPCRT4!NdrClientCall2+0x2ea
0027fbc0 771041e2 ADVAPI32!SafeBaseRegQueryInfoKey+0x24
0027fc04 76eacdca ADVAPI32!RemoteRegQueryInfoKeyWrapper+0x42
0027fcbc 1e0de85c KERNELBASE!LocalOpenPerformanceText+0x1c60
0027fd14 1e0ac6fc python27!PyEnumValue+0x6c [c:\build27\cpython\pc_winreg.c @ 1213]
0027fd58 1e0efabf python27!_PyObject_GenericGetAttrWithDict+0x12c [c:\build27\cpython\objects\object.c @ 1428]
0027fde8 1e0f27eb python27!PyEval_EvalFrameEx+0x1cdf [c:\build27\cpython\python\ceval.c @ 2269]
0027fe00 1e0f11b2 python27!compiler_free+0x3b [c:\build27\cpython\python\compile.c @ 322]
0027fe2c 1e11707a python27!PyEval_EvalCode+0x22 [c:\build27\cpython\python\ceval.c @ 672]
0027fe44 1e1181c5 python27!run_mod+0x2a [c:\build27\cpython\python\pythonrun.c @ 1371]
0027fe64 1e118760 python27!PyRun_FileExFlags+0x75 [c:\build27\cpython\python\pythonrun.c @ 1358]
0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190 [c:\build27\cpython\python\pythonrun.c @ 950]
0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59 [c:\build27\cpython\python\pythonrun.c @ 753]
0027ff3c 1d00116d python27!Py_Main+0x965 [c:\build27\cpython\modules\main.c @ 643]
0027ff80 74d57c04 python!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0027ff94 7741ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7741acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v
*
Exception Analysis *
*
FAULTING_IP: RPCRT4!NDRCContextBinding+13 74bf9af3 81780498badcfe cmp dword ptr [eax+4],0FEDCBA98h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 74bf9af3 (RPCRT4!NDRCContextBinding+0x00000013)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414144
Attempt to read from address 41414144
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=41414140 ebx=0027fbc8 ecx=00000000 edx=00000000 esi=770e351e edi=00000000
eip=74bf9af3 esp=0027f738 ebp=0027f764 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
RPCRT4!NDRCContextBinding+0x13:
74bf9af3 81780498badcfe cmp dword ptr [eax+4],0FEDCBA98h ds:002b:41414144=????????
FAULTING_THREAD: 00000274
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: python.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 41414144
READ_ADDRESS: 41414144
FOLLOWUP_IP: python27!PyEnumValue+6c [c:\build27\cpython\pc_winreg.c @ 1213] 1e0de85c 85c0 test eax,eax
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
APP: python.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 74c0390c to 74bf9af3
STACK_TEXT:
0027f764 74c0390c 41414140 770bfc78 0027fba8 RPCRT4!NDRCContextBinding+0x13
0027f774 74c86dce 770e351e 0027f8f8 40b1cbac RPCRT4!ExplicitBindHandleMgr+0x33
0027fba8 770e625c 770bfc78 770e3514 0027fbc8 RPCRT4!NdrClientCall2+0x2ea
0027fbc0 771041e2 41414140 0027fc44 0027fbfc ADVAPI32!SafeBaseRegQueryInfoKey+0x24
0027fc04 76eacdca 41414140 0027fc44 0027fc78 ADVAPI32!RemoteRegQueryInfoKeyWrapper+0x42
0027fcbc 1e0de85c 41414141 00000000 00000000 KERNELBASE!LocalOpenPerformanceText+0x1c60
0027fd14 1e0ac6fc 1e0aafd7 00000000 01d8e620 python27!PyEnumValue+0x6c
0027fd58 1e0efabf 1e0f017a 0027fdb4 01d06b18 python27!_PyObject_GenericGetAttrWithDict+0x12c
0027fde8 1e0f27eb 01e05238 003c196b 00000000 python27!PyEval_EvalFrameEx+0x1cdf
0027fe00 1e0f11b2 01d06b18 01d34030 01d0aa50 python27!compiler_free+0x3b
0027fe2c 1e11707a 01d06b18 01d0aa50 01d0aa50 python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 01dca848 01d0aa50 01d0aa50 python27!run_mod+0x2a
0027fe64 1e118760 72f27408 003c196b 00000101 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 72f27408 003c196b 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 72f27408 003c196b 00000001 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d 00000002 003c1948 003c1cf0 python27!Py_Main+0x965
0027ff80 74d57c04 7ffde000 74d57be0 409574f3 python!__tmainCRTStartup+0x10f
0027ff94 7741ad1f 7ffde000 433d59cc 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7741acea ffffffff 77400223 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001314 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: c:\build27\cpython\pc_winreg.c
FAULTING_SOURCE_FILE: c:\build27\cpython\pc_winreg.c
FAULTING_SOURCE_LINE_NUMBER: 1213
FAULTING_SOURCE_CODE:
1209:
1210: if ((rc = RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL,
1211: NULL,
1212: &retValueSize, &retDataSize, NULL, NULL))
1213: != ERROR_SUCCESS)
1214: return PyErr_SetFromWindowsErrWithFunction(rc,
1215: "RegQueryInfoKey");
1216: ++retValueSize; /* include null terminators */
1217: ++retDataSize;
1218: bufDataSize = retDataSize;
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: python27!PyEnumValue+6c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: python27
IMAGE_NAME: python27.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5488ac17
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_python27.dll!PyEnumValue
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_python27!PyEnumValue+6c
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_python27.dll!pyenumvalue
FAILURE_ID_HASH: {b72db5fa-dbfd-ad6f-cf69-1ef0b8d49eed}