CVE-2021-3177 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Severity: 98%
Complexity: 39%
Confidentiality: 98%

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

CVSS 3.1 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).
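An added illustration of the defect the description names, not CPython's own code: a double formatted with "%f" into a fixed-size buffer. The 256-byte buffer, the repr wording and the function names are assumptions made for this example; it measures how long the "%f" text for 1e300 actually is, shows a bounded snprintf reporting the truncation instead of writing past the buffer, and shows "%g" as one conversion whose length stays bounded for any magnitude (the upstream patch is linked in the references below; this block does not claim to reproduce it).

```c
#include <stdio.h>

/* Assumed buffer size and repr wording for this illustration; they are not
 * taken from CPython's _ctypes/callproc.c. */
#define REPR_BUF 256
#define REPR_FMT_F "<cparam 'd' (%f)>"
#define REPR_FMT_G "<cparam 'd' (%g)>"

/* Characters that "%f" produces for value (NUL excluded). "%f" prints every
 * integer digit, so the length grows with the magnitude of the value:
 * 1e300 yields 301 integer digits before the decimal point. */
int repr_f_length(double value) {
    return snprintf(NULL, 0, REPR_FMT_F, value);
}

/* Same measurement for "%g": a few significant digits plus an exponent, so
 * the length stays small for any finite double. */
int repr_g_length(double value) {
    return snprintf(NULL, 0, REPR_FMT_G, value);
}

/* Bounded formatting: writes at most n-1 characters plus NUL into out and
 * returns 1 only if the whole text fit. sprintf() in the same place would
 * keep writing past out[n-1], which is the overflow the CVE describes. */
int bounded_repr(char *out, size_t n, double value) {
    int needed = snprintf(out, n, REPR_FMT_F, value);
    return needed >= 0 && (size_t)needed < n;
}

/* Does the "%f" repr of value fit a REPR_BUF-byte stack buffer? */
int fits_in_repr_buf(double value) {
    char buf[REPR_BUF];
    return bounded_repr(buf, sizeof buf, value);
}

int main(void) {
    printf("%%f length for 1e300: %d (buffer holds %d)\n",
           repr_f_length(1e300), REPR_BUF);
    printf("fits without truncation: %d\n", fits_in_repr_buf(1e300));
    printf("%%g length for 1e300: %d\n", repr_g_length(1e300));
    return 0;
}
```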

Demo Examples

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.

char last_name[20];
printf ("Enter your last name: ");
scanf ("%s", last_name);   /* no field width: input longer than 19 characters overruns last_name */

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

void manipulate_string(char * string){
    char buf[24];
    strcpy(buf, string);   /* no check that string fits in the 24-byte local buffer */
    ...
}

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and blindly copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

The excerpt below calls the gets() function in C, which is inherently unsafe.

char buf[24];
printf("Please enter your name and press <Enter>\n");
gets(buf);   /* gets() takes no bound: input longer than 23 characters overruns buf */
...
}

However, the programmer uses the function gets() which is inherently unsafe because it blindly copies all input from STDIN to the buffer without restricting how much is copied. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.

...
close(serversocket);
}
close(clientsocket);

However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method.
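A hardened counterpart to the unchecked copies in the four fragments above, added here and not CWE's own code: one bounded copy routine that refuses input that does not fit, exercised with the 20-byte last_name array and the 24-character "Very_very_long_last_name" from the first example. The function names and the 24-byte buffer in the second wrapper are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Copies src into dst (capacity dstsz) only if it fits together with its
 * terminating NUL. Returns 0 on success and -1 when the copy would overflow;
 * dst is then left as an empty string so no half-copied value is used. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    /* Look for the terminator within the first dstsz bytes only, so an
     * over-long or unterminated src is never scanned past the capacity. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {          /* src needs dstsz bytes or more: no room for NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* The first fragment, hardened: the same 20-byte last_name array, but the
 * name is stored only when it fits. Returns 0 if it was accepted. */
int store_last_name(const char *name) {
    char last_name[20];
    return copy_bounded(last_name, sizeof last_name, name);
}

/* The strcpy(buf, string) fragment with the guard in place of the unchecked
 * copy; a 24-byte local buffer is used here. Returns -1 on rejected input. */
int manipulate_string_checked(const char *string) {
    char buf[24];
    if (copy_bounded(buf, sizeof buf, string) != 0) return -1;
    /* ... manipulate buf here ... */
    return 0;
}

int main(void) {
    printf("24-char name into 20 bytes: %d\n",
           store_last_name("Very_very_long_last_name"));
    printf("short name: %d\n", store_last_name("Smith"));
    return 0;
}
```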

Overview

First reported: 2021-01-19 06:15:00

Last updated: 2021-10-20 11:17:00

Affected Software

Python

Fedora 32

NetApp ONTAP Select Deploy Administration Utility

References

https://bugs.python.org/issue42938 (Exploit, Issue Tracking, Patch, Vendor Advisory)
https://github.com/python/cpython/pull/24239 (Patch, Third Party Advisory)
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html (Patch, Third Party Advisory)
FEDORA-2021-faf88b9499 (Mailing List, Third Party Advisory)
FEDORA-2021-cc3ff94cfc (Mailing List, Third Party Advisory)
GLSA-202101-18 (Third Party Advisory)
FEDORA-2021-e3a5a74610 (Mailing List, Third Party Advisory)
FEDORA-2021-42ba9feb47 (Mailing List, Third Party Advisory)
FEDORA-2021-ced31f3f0c (Mailing List, Third Party Advisory)
FEDORA-2021-851c6e4e2d (Mailing List, Third Party Advisory)
FEDORA-2021-076a2dccba (Mailing List, Third Party Advisory)
FEDORA-2021-17668e344a (Third Party Advisory)
FEDORA-2021-66547ff92d (Third Party Advisory)
FEDORA-2021-d5cde50865 (Third Party Advisory)
FEDORA-2021-7547ad987f (Mailing List, Third Party Advisory)
FEDORA-2021-f4fd9372c7 (Mailing List, Third Party Advisory)
https://news.ycombinator.com/item?id=26185005 (Third Party Advisory)
FEDORA-2021-3352c1c802 (Mailing List, Third Party Advisory)
[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar (Mailing List, Third Party Advisory)
FEDORA-2021-907f3bacae (Third Party Advisory)
https://security.netapp.com/advisory/ntap-20210226-0003/ (Third Party Advisory)
[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update (N/A)
https://www.oracle.com/security-alerts/cpuoct2021.html
