2 tiny bugs in sqlmap

I was at SecTalks-Canberra tonight and a workshop was being given on SQL injection. The speaker was talking about sqlmap, so I thought instead of spending the time doing the actual workshop content, which was quite good, I thought would have a quick look at the sqlmap code.

sqlmap/extra/icmpsh/icmpsh-s.c

int main(int argc, char **argv)
{

...
        unsigned int max_data_size;
...
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
                if (argv[opt][0] == '-') {
                        switch(argv[opt][1]) {
...
                                case 's':
                                        if (opt + 1 < argc) {
                                                max_data_size = atol(argv[opt + 1]);
                                        }
                                        break;

...
        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
        if (!in_buf || !out_buf) {
                printf("failed to allocate memory for transfer buffers\n");
                return -1;
        }
        memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
...
                                                rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL);
+++ mem corruption

So the above has a simple integer overflow. It looks to be dead code, or at least not compiled by default.

sqlmap/extra/beep/beep.py

def _linux_wav_play(filename):
    for _ in ("aplay", "paplay", "play"):
        if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
            return
+++ command injection with filename


This bug is a simple command injection bug in Python. It doesn't look to be remotely triggerable.

I didn't spend much time auditing. If there are 2 quick to find bugs, there might be more..

Comments

Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)