2 tiny bugs in sqlmap

I was at SecTalks-Canberra tonight, where a workshop was being given on SQL injection. The speaker was talking about sqlmap, so instead of spending the time doing the actual workshop content, which was quite good, I had a quick look at the sqlmap code.


int main(int argc, char **argv)

        unsigned int max_data_size;
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
                if (argv[opt][0] == '-') {
                        switch(argv[opt][1]) {
                                case 's':
                                        if (opt + 1 < argc) {
                                                max_data_size = atol(argv[opt + 1]);

        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
        if (!in_buf || !out_buf) {
                printf("failed to allocate memory for transfer buffers\n");
                return -1;
        memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
                                                rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL);
+++ mem corruption

So the above has a simple integer overflow. max_data_size comes straight out of atol() on the -s argument and is stored in an unsigned int, so "-s -1" (or any value close to UINT_MAX) makes max_data_size + ICMP_HEADERS_SIZE wrap to a small number. malloc() then hands back a tiny buffer, the memset() calls use the same wrapped size so they stay in bounds, but ReadFile() is still told it may write max_data_size bytes into out_buf, which is a heap overflow. It looks to be dead code, or at least not compiled by default.
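To make the arithmetic concrete, here is an added example that is not sqlmap's code: it reproduces the size calculation from the excerpt in standalone C and puts a hardened parser beside it. ICMP_HEADERS_SIZE is assumed to be a small integer constant (28 here), which makes the addition unsigned int arithmetic; the real definition is not shown on the page. If the constant were a 64-bit size_t the sum itself would not wrap on a 64-bit build, but max_data_size would still be UINT_MAX and the 4 GiB malloc() would simply fail.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed value; the real constant lives in the sqlmap source, not on the page. */
#define ICMP_HEADERS_SIZE 28u

/* Mirrors the excerpt: the "-s" string goes through atol() into an unsigned
 * int and the allocation size is computed in unsigned int arithmetic, so it
 * wraps modulo 2^32.  Returns the size malloc() would be asked for. */
unsigned int unchecked_alloc_size(const char *opt)
{
    unsigned int max_data_size = (unsigned int)atol(opt);  /* "-1" becomes UINT_MAX */
    return max_data_size + ICMP_HEADERS_SIZE;              /* may wrap to a tiny value */
}

/* 1 when ReadFile() would be allowed to write more bytes than were allocated,
 * i.e. when the wrapped buffer is smaller than max_data_size. */
int write_exceeds_buffer(const char *opt)
{
    unsigned int max_data_size = (unsigned int)atol(opt);
    unsigned int buf_len = unchecked_alloc_size(opt);
    return max_data_size > buf_len;
}

/* Hardened version: parse with strtoul(), reject negatives and trailing junk,
 * and bound the value so the addition cannot overflow.  Returns 0 on success
 * and -1 on rejection; both numbers the caller needs are returned together so
 * they can never disagree. */
int checked_alloc_size(const char *opt, unsigned int *max_data_size, size_t *alloc_size)
{
    char *end = NULL;
    unsigned long v;

    if (opt == NULL || *opt == '\0' || *opt == '-')
        return -1;                                  /* empty or negative */
    v = strtoul(opt, &end, 10);
    if (*end != '\0')
        return -1;                                  /* trailing junk such as "12abc" */
    if (v > UINT_MAX - ICMP_HEADERS_SIZE)
        return -1;                                  /* sum would not fit an unsigned int */
    *max_data_size = (unsigned int)v;
    *alloc_size = (size_t)v + ICMP_HEADERS_SIZE;   /* cannot wrap after the check */
    return 0;
}

/* Convenience wrapper: the accepted allocation size, or 0 if the input was rejected. */
size_t checked_size_or_zero(const char *opt)
{
    unsigned int max_data_size;
    size_t alloc_size;
    return checked_alloc_size(opt, &max_data_size, &alloc_size) == 0 ? alloc_size : 0;
}

int main(void)
{
    const char *opt = "-1";
    printf("-s %s: ReadFile may write %u bytes into a %u-byte buffer (overflow=%d)\n",
           opt, (unsigned int)atol(opt), unchecked_alloc_size(opt), write_exceeds_buffer(opt));
    printf("hardened parser on %s: %s\n", opt,
           checked_size_or_zero(opt) ? "accepted" : "rejected");
    return 0;
}
```

A real fix would also cap the value at something an ICMP payload can actually carry (well under 64 KiB) rather than just at the point where the addition wraps, but the overflow check is the part the excerpt is missing.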


def _linux_wav_play(filename):
    for _ in ("aplay", "paplay", "play"):
        if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
+++ command injection with filename

This bug is a simple command injection in Python: filename is dropped into a shell command line inside single quotes, so a file name containing a single quote ends the quoted argument and whatever follows is run by the shell. It doesn't look to be remotely triggerable, since that would need an attacker to control the file name being passed in.
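As an added example that is not sqlmap's code, the following rebuilds the command string from the excerpt with a constructed hostile file name, then shows the two ways to close the hole: shlex.quote() if the shell has to stay, and an argv list with no shell at all, which is the better fix. The `run` parameter on safe_play() is an assumption of this example so the loop can be exercised without a sound player installed.

```python
import shlex
import subprocess

# Player order copied from the excerpt above.
PLAYERS = ("aplay", "paplay", "play")

# Constructed sample input: a file name that closes the single quote the
# excerpt wraps it in, runs a second command, and reopens the quote so the
# whole line still parses.
HOSTILE_NAME = "x'; id; echo '"


def vulnerable_command(player, filename):
    """The exact string the excerpt hands to os.system()."""
    return "%s '%s' 2>/dev/null" % (player, filename)


def quoted_command(player, filename):
    """Minimal fix if the shell must stay: shlex.quote() turns the name into
    one shell word no matter what characters it contains."""
    return "%s %s 2>/dev/null" % (player, shlex.quote(filename))


def shell_words(command):
    """Split a command line the way a POSIX shell would split its words, to
    show what the player binary actually receives as argv."""
    return shlex.split(command)


def safe_play(filename, run=subprocess.call):
    """Preferred fix: argv list and no shell at all, so filename is always a
    single argument.  Returns the player that succeeded, or None."""
    for player in PLAYERS:
        try:
            rc = run([player, filename],
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except FileNotFoundError:
            continue                      # player not installed, try the next one
        if rc == 0:
            return player
    return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command("aplay", HOSTILE_NAME))
    print("quoted:    ", quoted_command("aplay", HOSTILE_NAME))
    print("argv:      ", shell_words(quoted_command("aplay", HOSTILE_NAME)))
```

Note that the argv form also loses the "2>/dev/null" redirect, which is why safe_play() passes stderr=subprocess.DEVNULL instead: the redirect was the only reason the original needed a shell.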

I didn't spend much time auditing. If there are two quick-to-find bugs, there might be more.

