RVD#1412: Integer overflow in the get_data function, zipimport.c in Python 2.7

[vmayoral]

{
    "id": 1412,
    "title": "RVD#1412: Integer overflow in the get_data function, zipimport.c in Python 2.7",
    "type": "vulnerabitity",
    "description": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
    "cwe": "CWE-190",
    "cve": "CVE-2016-5636",
    "keywords": [
        "Python"
    ],
    "system": "URx",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 10.0,
        "rvss-vector": "RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:M/S:U/C:H/I:H/A:H/H:U",
        "severity-description": "critical",
        "cvss-score": 9.8,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "links": [
        "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636",
        "http://rhn.redhat.com/errata/RHSA-2016-2586.html",
        "http://www.openwall.com/lists/oss-security/2016/06/15/15",
        "http://www.openwall.com/lists/oss-security/2016/06/16/1",
        "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html",
        "http://www.securityfocus.com/bid/91247",
        "http://www.securitytracker.com/id/1038138",
        "http://www.splunk.com/view/SP-CAAAPSV",
        "http://www.splunk.com/view/SP-CAAAPUE",
        "https://bugs.python.org/issue26171\tIssue Tracking Patch",
        "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5",
        "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2",
        "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS",
        "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html",
        "https://security.gentoo.org/glsa/201701-18",
        "https://bugs.python.org/issue26171",
        "https://github.com/mudongliang/LinuxFlaw/tree/master/CVE-2016-5636",
        "https://github.com/aliasrobotics/RVD/issues/1412"
    ],
    "flaw": {
        "phase": "explotation",
        "specificity": "general issue",
        "architectural-location": "platform code",
        "application": "Industrial robot manipulation",
        "subsystem": "manipulation:actuation",
        "package": "python2.7-minimal 2.7.3-6+deb7u2 i386",
        "languages": "C",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)",
        "detected-by-method": "N/A",
        "date-reported": "2020-03-31",
        "reported-by": "V\u00edctor Mayoral Vilches <victor@aliasrobotics.com>",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1412",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "https://asciinema.org/a/n6jV3a1MHcmEP0tAxPqR5n3Y2",
        "reproduction-image": "N/A"
    },
    "exploitation": {
        "description": "Heap overflow. Root cause is described at https://github.com/mudongliang/LinuxFlaw/tree/master/CVE-2016-5636#root-cause. Particularly, within zipimport.c, if compress != 0, then bytes_size = data_size + 1 data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0. In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.",
        "exploitation-image": "Not available",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "sudo apt-get --assume-yes install --only-upgrade python2.7-minimal",
        "pull-request": "See Python issue tracker https://bugs.python.org/issue26171",
        "date-mitigation": null
    }
}

[vmayoral]

Recorded a video (https://asciinema.org/a/n6jV3a1MHcmEP0tAxPqR5n3Y2) showing how it affects firmware versions 1.12.1, 1.12, 1.11 and 1.10. Further exploitation is feasible following up with the overflow but didn't follow up for the sake of time.