2 tiny bugs in sqlmap
I was at SecTalks-Canberra tonight, where a workshop was being given on SQL injection. The speaker was talking about sqlmap, so instead of spending the time on the actual workshop content, which was quite good, I thought I would have a quick look at the sqlmap code.
The icmpsh-s.c snippet below has a simple integer overflow. It looks to be dead code, or at least not compiled by default.
The beep.py snippet below is a simple command injection bug in Python. It doesn't look to be remotely triggerable.
sqlmap/extra/icmpsh/icmpsh-s.c

    int main(int argc, char **argv)
    {
        ...
        unsigned int max_data_size;
        ...
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
            if (argv[opt][0] == '-') {
                switch(argv[opt][1]) {
                ...
                case 's':
                    if (opt + 1 < argc) {
                        // atol() returns a long; storing it in an unsigned int is an unchecked conversion
                        max_data_size = atol(argv[opt + 1]);
                    }
                    break;
                ...
        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        +++ integer overflows
        if (!in_buf || !out_buf) {
            printf("failed to allocate memory for transfer buffers\n");
            return -1;
        }
        memset(in_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        memset(out_buf, 0x00, max_data_size + ICMP_HEADERS_SIZE);
        +++ integer overflows
        ...
        // reads up to max_data_size bytes into a buffer sized with the (possibly wrapped) sum above
        rs = ReadFile(pipe_read, out_buf, max_data_size, &out_buf_size, NULL);
        +++ mem corruption
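To make the arithmetic concrete, here is an added example (my code, not sqlmap's) that reproduces the unchecked path side by side with a checked one. It assumes a header constant of 28 bytes (icmpsh-s.c defines its own ICMP_HEADERS_SIZE; the exact value is irrelevant to the wrap) and that the sum is evaluated in 32-bit unsigned arithmetic, which is what happens when the constant is an unsigned int or the program is a 32-bit build. The function names are mine.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constant for this illustration; icmpsh-s.c has its own definition. */
#define ICMP_HEADERS_SIZE 28u

/* Mirrors `max_data_size = atol(argv[opt + 1])`: the long result is converted
 * to unsigned int with no range check, so "-1" becomes UINT_MAX. */
unsigned int parse_size_unchecked(const char *arg)
{
    return (unsigned int)atol(arg);
}

/* The size the original hands to malloc() and memset(): unsigned int
 * arithmetic, so it wraps modulo 2^32 and can come out tiny. */
unsigned int buffer_len_unchecked(unsigned int max_data_size)
{
    return max_data_size + ICMP_HEADERS_SIZE;
}

/* The invariant the original breaks: the length passed to ReadFile()
 * (max_data_size) must not exceed what was actually allocated. */
bool read_fits_in_buffer(size_t allocated, unsigned int read_len)
{
    return (size_t)read_len <= allocated;
}

/* Hardened parser: strtoul() with full error checking, negatives rejected
 * explicitly (strtoul silently accepts "-1"), and an upper bound so that
 * max_data_size + ICMP_HEADERS_SIZE cannot wrap. */
bool parse_size_checked(const char *arg, unsigned int *out)
{
    char *end = NULL;
    if (arg == NULL || *arg == '\0' || strchr(arg, '-') != NULL)
        return false;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0')
        return false;                                   /* overflow or junk */
    if (v > (unsigned long)(UINT_MAX - ICMP_HEADERS_SIZE))
        return false;                                   /* sum would wrap */
    *out = (unsigned int)v;
    return true;
}

/* Hardened size computation: widen to size_t and refuse instead of wrapping. */
bool buffer_len_checked(unsigned int max_data_size, size_t *out)
{
    if (max_data_size > UINT_MAX - ICMP_HEADERS_SIZE)
        return false;
    *out = (size_t)max_data_size + ICMP_HEADERS_SIZE;
    return true;
}

/* Convenience wrappers: -1 means "rejected", otherwise the accepted value. */
long long checked_size(const char *arg)
{
    unsigned int v = 0;
    return parse_size_checked(arg, &v) ? (long long)v : -1LL;
}

long long checked_len(unsigned int max_data_size)
{
    size_t n = 0;
    return buffer_len_checked(max_data_size, &n) ? (long long)n : -1LL;
}

int main(void)
{
    /* Constructed input: what "-s -1" on the command line turns into. */
    unsigned int n = parse_size_unchecked("-1");
    unsigned int alloc = buffer_len_unchecked(n);
    printf("unchecked: max_data_size=%u, malloc(%u), read of %u fits: %s\n",
           n, alloc, n, read_fits_in_buffer(alloc, n) ? "yes" : "NO");
    printf("checked:   \"-1\" -> %lld, \"4096\" -> %lld, len(4096) -> %lld\n",
           checked_size("-1"), checked_size("4096"), checked_len(4096u));
    return 0;
}
```

With "-1" the unchecked path allocates 27 bytes and then asks ReadFile for 4294967295 of them; the checked path rejects the argument before any allocation happens. Widening to size_t alone is not enough on its own, since the read length is still the original unsigned int, which is why the bound is enforced at parse time.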
sqlmap/extra/beep/beep.py

    import os

    def _linux_wav_play(filename):
        # filename is interpolated straight into a shell command line
        for _ in ("aplay", "paplay", "play"):
            if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
                return
    +++ command injection with filename
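The same pattern and its two standard fixes, as an added example in C (my code, not sqlmap's, and not a patch for beep.py): the naive single-quoted interpolation the snippet uses, the check it lacks, proper POSIX sh quoting (the rule Python's shlex.quote applies), and the preferred fix of passing the filename as an argv element with no shell involved. The player name "aplay" and the filename are constructed inputs; the function names are mine.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Equivalent of the original "%s '%s' 2>/dev/null": the filename is spliced
 * into a single-quoted region with no escaping at all. */
int build_naive_cmd(const char *player, const char *filename, char *out, size_t n)
{
    return snprintf(out, n, "%s '%s' 2>/dev/null", player, filename);
}

/* A single quote in the filename closes that quoted region, after which sh
 * parses the remainder as syntax. This is the check the original does not do. */
bool naive_cmd_is_safe(const char *filename)
{
    return strchr(filename, '\'') == NULL;
}

/* Mitigation 1: quote properly for POSIX sh. Wrap in single quotes and turn
 * every embedded ' into '\'' (close, escaped quote, reopen). */
bool shell_quote_single(const char *s, char *out, size_t n)
{
    size_t pos = 0;
    if (n < 3) return false;
    out[pos++] = '\'';
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '\'') {
            if (pos + 6 > n) return false;   /* 4 bytes plus closing quote and NUL */
            memcpy(out + pos, "'\\''", 4);
            pos += 4;
        } else {
            if (pos + 3 > n) return false;
            out[pos++] = *p;
        }
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return true;
}

/* Quotes into a static buffer for quick checks (not thread-safe). */
const char *shell_quote_static(const char *s)
{
    static char buf[256];
    return shell_quote_single(s, buf, sizeof buf) ? buf : NULL;
}

/* Mitigation 2 (preferred): no shell at all. The filename travels as one argv
 * element, so nothing in it is ever parsed as syntax. Returns the argc. */
size_t build_argv(const char *player, const char *filename, const char **argv, size_t n)
{
    if (n < 3) return 0;
    argv[0] = player;
    argv[1] = filename;
    argv[2] = NULL;
    return 2;
}

/* True if the player would receive the filename verbatim as argv[1]. */
bool argv_keeps_filename(const char *player, const char *filename)
{
    const char *argv[3];
    return build_argv(player, filename, argv, 3) == 2 && strcmp(argv[1], filename) == 0;
}

/* Runs the player through execvp() with that argv, stderr to /dev/null as the
 * original does. Returns the child's exit status, or -1 if it could not run. */
int play_without_shell(const char *player, const char *filename)
{
    const char *argv[3];
    if (build_argv(player, filename, argv, 3) != 2) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execvp(player, (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed filename: one apostrophe is enough to break the naive quoting. */
    const char *filename = "it's a test.wav";
    char cmd[128];
    build_naive_cmd("aplay", filename, cmd, sizeof cmd);
    printf("naive:  %s   (safe: %s)\n", cmd, naive_cmd_is_safe(filename) ? "yes" : "NO");
    printf("quoted: aplay %s 2>/dev/null\n", shell_quote_static(filename));
    printf("execvp: exit status %d\n", play_without_shell("true", filename));
    return 0;
}
```

The argv route is the one to prefer: it removes the shell from the picture entirely, so there is no quoting rule to get wrong, and the 2>/dev/null redirection the original relied on the shell for is done with dup2 before exec instead.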
I didn't spend much time auditing. If there are two quick-to-find bugs, there might be more.