Tuesday, 12 June 2018

2 tiny bugs in sqlmap

I was at SecTalks-Canberra tonight and a workshop was being given on SQL injection. The speaker was talking about sqlmap, so I thought that instead of spending the time doing the actual workshop content, which was quite good, I would have a quick look at the sqlmap code.

sqlmap/extra/icmpsh/icmpsh-s.c

int main(int argc, char **argv)
{

...
        unsigned int max_data_size;
...
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
                if (argv[opt][0] == '-') {
                        switch(argv[opt][1]) {
...
                                case 's':
                                        if (opt + 1 < argc) {
                                                max_data_size = atol(argv[opt + 1]);
                                        }
                                        break;

...
        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
        if (!in_buf || !out_buf) {
                printf("failed to allocate memory for transfer buffers\n");
                return -1;
        }
        memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
+++ integer overflows
...
                                                rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL);
+++ mem corruption

So the above has a simple integer overflow: max_data_size is taken straight from the -s argument, so a large value makes max_data_size + ICMP_HEADERS_SIZE wrap around, malloc returns a much smaller buffer than intended, and the later ReadFile with max_data_size bytes writes past the end of it. It looks to be dead code, or at least not compiled by default.
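To make the size arithmetic concrete, here is an added example (not sqlmap's code) that models in Python what the C program does with an unsigned int: the -s string is parsed like atol() and truncated to 32 bits, the allocation size is computed modulo 2**32, and the result is compared with the length later handed to ReadFile. ICMP_HEADERS_SIZE is defined in icmpsh-s.c; the value 28 used here is an assumption, and the function names are mine.

```python
"""Model of the icmpsh-s.c buffer-size arithmetic (added example).

The C program keeps max_data_size in an `unsigned int`, so the sum
`max_data_size + ICMP_HEADERS_SIZE` wraps modulo 2**32.  This module
reproduces that arithmetic to show how a wrapped allocation size ends
up smaller than the read length passed to ReadFile().
"""
import re

UINT_MAX = 0xFFFFFFFF
# Assumed value; icmpsh-s.c defines its own ICMP_HEADERS_SIZE.
ICMP_HEADERS_SIZE = 28


def c_atol_to_uint(text):
    """Mimic `unsigned int x = atol(s)` for a command-line string.

    atol() parses leading digits (0 on non-numeric input) into a signed
    long; storing that in an unsigned int keeps only the low 32 bits,
    so "-1" becomes 0xFFFFFFFF.
    """
    match = re.match(r"\s*([+-]?\d+)", text)
    value = int(match.group(1)) if match else 0
    return value & UINT_MAX


def buffer_sizes(max_data_size):
    """Return (bytes actually allocated, bytes ReadFile may write).

    The allocation mirrors `malloc(max_data_size + ICMP_HEADERS_SIZE)`
    with 32-bit wrap; the read length is max_data_size unchanged.
    """
    allocated = (max_data_size + ICMP_HEADERS_SIZE) & UINT_MAX
    return allocated, max_data_size


def would_wrap(max_data_size):
    """The missing check: does the sum exceed what an unsigned int holds?"""
    return max_data_size > UINT_MAX - ICMP_HEADERS_SIZE


def analyse(arg):
    """Summarise what one -s argument does to the transfer buffers."""
    size = c_atol_to_uint(arg)
    allocated, read_len = buffer_sizes(size)
    return {
        "max_data_size": size,
        "allocated": allocated,
        "read_len": read_len,
        "wraps": would_wrap(size),
        "read_exceeds_alloc": read_len > allocated,
    }


if __name__ == "__main__":
    for arg in ("4096", "4294967290", "-1"):
        print(arg, analyse(arg))
```

Running the module prints the normal case ("4096" allocates 4124 bytes) next to two wrapping cases: "4294967290" allocates only 22 bytes while ReadFile is allowed to write about 4 GiB, and "-1" behaves the same way because the negative long is reinterpreted as 0xFFFFFFFF. The fix in C is the `would_wrap` comparison before the malloc, or equivalently computing the sum in a size_t with a bounds check.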

sqlmap/extra/beep/beep.py

import os

def _linux_wav_play(filename):
    # filename is interpolated straight into a shell command string
    for _ in ("aplay", "paplay", "play"):
        if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
            return
+++ command injection with filename


This bug is a simple command injection bug in Python: a single quote in filename closes the quoting, and anything after it is run by the shell. It doesn't look to be remotely triggerable.
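The following is an added example, not sqlmap's code, that puts the original string-building pattern beside two hardened forms. It tokenises the command the way a POSIX shell would so the injected words are visible without executing anything, then shows the argv-list form with subprocess (no shell at all) and the shlex.quote form for cases where a shell string is unavoidable. The hostile filename is constructed for the demo, and the `runner` parameter is my addition so the player loop can be exercised without aplay installed.

```python
"""Vulnerable vs hardened forms of the beep.py helper (added example)."""
import shlex
import subprocess

PLAYERS = ("aplay", "paplay", "play")

# Constructed input: a "filename" that breaks out of the single quotes.
# Spaces around ';' keep the injected words visible to shlex.split(),
# which does not treat ';' as an operator the way a real shell does.
HOSTILE_NAME = "beep.wav' ; id ; '"


def original_command(player, filename):
    """The exact string the original os.system() call hands to /bin/sh."""
    return "%s '%s' 2>/dev/null" % (player, filename)


def quoted_command(player, filename):
    """Same shape, but the filename is escaped with shlex.quote()."""
    return "%s %s 2>/dev/null" % (player, shlex.quote(filename))


def shell_words(command):
    """Tokenise a command string as a POSIX shell would.

    If the filename survives as a single word, it cannot inject anything;
    extra words such as ';' and 'id' show the quoting was escaped.
    """
    return shlex.split(command)


def hardened_argv(player, filename):
    """Argument vector for subprocess: no shell, no string interpolation."""
    return [player, filename]


def linux_wav_play(filename, runner=subprocess.run):
    """Hardened equivalent of _linux_wav_play().

    Tries each player with an argv list; returns the player that
    succeeded, or None.  `runner` defaults to subprocess.run and is
    injectable for testing.
    """
    for player in PLAYERS:
        try:
            result = runner(hardened_argv(player, filename),
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
        except FileNotFoundError:
            continue            # player not installed; try the next one
        if result.returncode == 0:
            return player
    return None


if __name__ == "__main__":
    print("original :", shell_words(original_command("aplay", HOSTILE_NAME)))
    print("quoted   :", shell_words(quoted_command("aplay", HOSTILE_NAME)))
    print("argv     :", hardened_argv("aplay", HOSTILE_NAME))
```

The original form splits into seven words, with `;` and `id` standing alone as separate commands; the quoted form keeps the whole hostile name as one argument; the argv form never goes through a shell, so there is nothing to quote. Prefer the argv form: shlex.quote only protects against the shell, not against a player that interprets its own argument syntax.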

I didn't spend much time auditing. If there are 2 quick-to-find bugs, there might be more.
