2 tiny bugs in sqlmap

I was at SecTalks-Canberra tonight, where a workshop was being given on SQL injection. The speaker was talking about sqlmap, so instead of doing the actual workshop content, which was quite good, I thought I would have a quick look at the sqlmap code.

sqlmap/extra/icmpsh/icmpsh-s.c

int main(int argc, char **argv)
{

...
        unsigned int max_data_size;
...
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
                if (argv[opt][0] == '-') {
                        switch(argv[opt][1]) {
...
                                case 's':
                                        if (opt + 1 < argc) {
                                                max_data_size = atol(argv[opt + 1]);
                                        }
                                        break;

...
        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
        if (!in_buf || !out_buf) {
                printf("failed to allocate memory for transfer buffers\n");
                return -1;
        }
        memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
...
                                                rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL);
+++ mem corruption

So the above has a simple integer overflow. max_data_size is an unsigned int filled from atol(), so a long that does not fit is silently truncated (a -1 on the command line becomes 4294967295), and max_data_size + ICMP_HEADERS_SIZE can then wrap to a small number. The malloc and memset both use the wrapped expression, so they at least agree with each other; the memory corruption comes at the ReadFile, which is asked to write up to max_data_size bytes into a buffer that may be far smaller. The value only arrives through the -s command-line option of the slave, so nothing remote reaches it. It looks to be dead code, or at least not compiled by default.
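To see the wrap-around concretely, here is an added example in C (not sqlmap's or icmpsh's code) that isolates the sizing arithmetic from the excerpt above and puts a hardened parse and size check beside it. ICMP_HEADERS_SIZE is an assumed stand-in constant, since the real value is not on the page, and the function names are mine.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for icmpsh's ICMP_HEADERS_SIZE: the real value is not on
 * the page and does not change the wrap-around, only where it happens. */
#define ICMP_HEADERS_SIZE 64u

/* The sizing expression from icmpsh-s.c. max_data_size is an unsigned int, so
 * the sum is reduced modulo 2^32: UINT_MAX - 10 yields 53, and the 4294967295
 * that atol("-1") truncates to yields 63. */
unsigned int buggy_buffer_size(unsigned int max_data_size)
{
    return max_data_size + ICMP_HEADERS_SIZE;
}

/* The property the original code silently relies on and never checks: the
 * buffer must be at least as large as the ReadFile() issued into it. */
bool buggy_size_is_undersized(unsigned int max_data_size)
{
    return buggy_buffer_size(max_data_size) < max_data_size;
}

/* Hardened sizing: refuse anything that would wrap (and zero, which makes the
 * later read pointless). Returns 0 on rejection, the byte count otherwise. */
size_t checked_buffer_size(unsigned int max_data_size)
{
    if (max_data_size == 0 || max_data_size > UINT_MAX - ICMP_HEADERS_SIZE)
        return 0;
    return (size_t)max_data_size + ICMP_HEADERS_SIZE;
}

/* Hardened parsing of the -s value. atol() silently accepts "-1" (which then
 * truncates to UINT_MAX) and "12abc" (which becomes 12); strtoul() with an
 * end-pointer and range check rejects both. Returns 0..UINT_MAX, or -1. */
long long parse_max_data_size(const char *arg)
{
    char *end = NULL;
    unsigned long v;

    if (arg == NULL || !isdigit((unsigned char)*arg))
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return -1;
    return (long long)v;
}

int main(int argc, char **argv)
{
    unsigned int requested = 4294967295u;    /* default: what atol("-1") turns into */

    if (argc > 1) {
        long long v = parse_max_data_size(argv[1]);
        if (v < 0) {
            fprintf(stderr, "rejecting -s value '%s'\n", argv[1]);
            return 1;
        }
        requested = (unsigned int)v;
    }
    printf("max_data_size=%u: original malloc size %u (%s), hardened size %zu\n",
           requested, buggy_buffer_size(requested),
           buggy_size_is_undersized(requested) ? "undersized, heap overflow on read" : "ok",
           checked_buffer_size(requested));
    return 0;
}
```

Run it with no argument to see the -1 case, or pass a candidate -s value to see whether the hardened parser accepts it. The point of the two checks is that they guard different things: parse_max_data_size() keeps garbage and negative values out of the unsigned int, and checked_buffer_size() refuses the wrap itself, so a caller cannot get a buffer smaller than the read it is about to issue.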

sqlmap/extra/beep/beep.py

import os

def _linux_wav_play(filename):
    for _ in ("aplay", "paplay", "play"):
        if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
            return
+++ command injection with filename


This bug is a simple command injection in Python: the file name is dropped into a shell command line with only single quotes around it, so a name containing a single quote closes the quoting and whatever follows runs as shell commands. It doesn't look to be remotely triggerable, since the path comes from sqlmap's own caller rather than from the target.
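The same bug class shown in C, as an added example (not sqlmap's code): a builder that mirrors beep.py's "%s '%s' 2>/dev/null" format, a small model of how the shell splits the result, correct single quoting for comparison, and the actual fix, which is to exec the player directly with the file name as one argv element, the C equivalent of Python's subprocess.run([player, filename]). The player names aplay, paplay and play come from beep.py; the hostile file name is constructed; the function names and the shell model are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* beep.py's command line, "%s '%s' 2>/dev/null", with nothing escaped. Caller frees. */
char *naive_command(const char *player, const char *filename)
{
    size_t n = strlen(player) + strlen(filename) + sizeof(" '' 2>/dev/null");
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%s '%s' 2>/dev/null", player, filename);
    return cmd;
}

/* POSIX-correct single quoting: each ' becomes '\'' (close, escaped quote,
 * reopen), so the shell sees the whole name as one word. Caller frees. */
char *shell_single_quote(const char *s)
{
    size_t quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'') quotes++;
    char *out = malloc(strlen(s) + quotes * 3 + 3);   /* +3 per ', 2 outer ', NUL */
    if (out == NULL) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Same command line with the name quoted properly: stops the breakout, but still
 * hands a string to a shell. run_without_shell() is the real fix. Caller frees. */
char *quoted_command(const char *player, const char *filename)
{
    char *q = shell_single_quote(filename);
    if (q == NULL) return NULL;
    size_t n = strlen(player) + strlen(q) + sizeof("  2>/dev/null");
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%s %s 2>/dev/null", player, q);
    free(q);
    return cmd;
}

/* Minimal model of POSIX command splitting, enough to show the breakout: single
 * quotes are literal, a backslash outside quotes protects the next character,
 * and an unquoted ';', '|' or '&' starts a new command. Double quotes, $(...)
 * and newlines are deliberately not modelled. Returns the command count. */
int shell_command_count(const char *cmd)
{
    int count = 1;
    bool in_quote = false;
    for (const char *p = cmd; *p; p++) {
        if (in_quote) { if (*p == '\'') in_quote = false; continue; }
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == '\'') in_quote = true;
        else if (*p == ';' || *p == '|' || *p == '&') count++;
    }
    return count;
}

/* The fix that removes the bug class (subprocess.run([player, filename]) in
 * Python): no shell, the file name is one argv element whatever it contains.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_without_shell(const char *player, const char *filename)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);           /* the 2>/dev/null */
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execlp(player, player, filename, (char *)NULL);
        _exit(127);                                          /* player not found */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed hostile file name: the first ' ends beep.py's quoting early. */
    const char *filename = argc > 1 ? argv[1] : "x.wav'; id; '";
    const char *players[] = { "aplay", "paplay", "play" };  /* beep.py's list */
    char *naive = naive_command("aplay", filename), *quoted = quoted_command("aplay", filename);
    printf("naive : %s  -> %d command(s)\n", naive, shell_command_count(naive));
    printf("quoted: %s  -> %d command(s)\n", quoted, shell_command_count(quoted));
    free(naive); free(quoted);
    /* beep.py's loop without a shell: stop at the first player that exits 0. */
    for (size_t i = 0; i < sizeof players / sizeof players[0]; i++)
        if (run_without_shell(players[i], filename) == 0)
            break;
    return 0;
}
```

Correct quoting is included only to show how much care the string route needs; the version to ship is run_without_shell(), where no string built from the file name is ever parsed by a shell, so there is nothing to escape.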

I didn't spend much time auditing. If there are two bugs this quick to find, there might be more.
