Insufficient input sanitization leads to arbitrary code execution

Bug #210098 reported by Anders Kaseorg
Affects                 Status        Importance  Assigned to  Milestone
Malbolge Survival Kit   Fix Released  Undecided   Unassigned
malbolge (Ubuntu)       Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: malbolge

The Malbolge 0.1.1 interpreter fails to sufficiently sanitize its input source. In particular, it fails to throw an error when it detects a non-ASCII character in the source, contrary to the language specification:

“When the interpreter tries to execute a program, it first checks to see if the current instruction is a graphical ASCII character (33 through 126). … If the original character is not graphic ASCII, the program is immediately ended.”

As discovered by Lou Scheffer, this vulnerability makes it possible for an attacker to circumvent Malbolge’s encryption and write useful programs. Sample exploit code is given at <http://www.lscheffer.com/malbolge.shtml>. A patch is attached.

Toni Ruottu (toni-ruottu) wrote :

It all depends on whether or not the specification or
reference implementation is deemed correct.

Scheffer writes:

 "One could argue this is simply a bug in the interpreter,
  but taking advantage of a bug in the interpreter seems
  very much in character (so to speak)."

Changed in msk:
status: New → Confirmed
Changed in malbolge:
status: New → Confirmed
Toni Ruottu (toni-ruottu) wrote :

MSK version 0.2 ships with a new interpreter written in Python. The new interpreter validates input by default. A user may skip input validation with "--relaxed" command line option. Mbs (malbolge script) authors may request relaxed (read skipped) input validation for their scripts by defining the "--relaxed" option in their script headers (see new copy.mbs for an example).

Changed in msk:
status: Confirmed → Fix Committed
status: Fix Committed → Fix Released
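The load-time check the report quotes from the specification (every non-whitespace byte must be graphic ASCII 33..126, and must normalise to one of the eight instructions), with a `relaxed` switch mirroring the default-on validation MSK 0.2 describes. This is an added example, not MSK's or the 0.1.1 interpreter's code; the normalisation table is the one from the original reference interpreter, the 64-byte program is constructed for the test, and treating "relaxed" as "skip the graphic-ASCII check" is an assumption.

```python
# Added example (not MSK code): spec-style load-time validation of Malbolge source.
# Normalisation table from the original reference interpreter; after normalisation
# only the eight letters in VALID_OPS are legal instructions.
XLAT1 = ("+b(29e*j1VMEKLyC})8&m#~W>qxdRp0wkrUo[D7,XTcA\"lI"
         ".v%{gJh4G\\-=O@5`_3i<?Z';FNQuY]szf$!BS/|t:Pn6^Ha")
VALID_OPS = set("ji*p</vo")
MEMORY = 3 ** 10          # 59049 words of program memory

# Constructed test input: a 64-byte program that validates in strict mode.
HELLO = b'''(=<`#9]~6ZY32Vx/4Rs+0No-&Jk)"Fh}|Bcy?`=*z]Kw%oG4UUS0/@-ejc(:'8dc'''


class MalbolgeSourceError(ValueError):
    """Raised when the source violates the specification's load-time rules."""


def load_source(src: bytes, relaxed: bool = False) -> list:
    """Return program memory as a list of byte values, or raise.

    Whitespace is skipped. Each remaining byte must be graphic ASCII (33..126)
    and, at its memory index i, XLAT1[(b - 33 + i) % 94] must be a valid op.
    relaxed=True skips the graphic-ASCII check (assumed meaning of --relaxed),
    which reproduces the unchecked path the report describes in 0.1.1.
    """
    mem = []
    for offset, b in enumerate(src):
        if b in b" \t\r\n\f\v":
            continue
        i = len(mem)
        if i >= MEMORY:
            raise MalbolgeSourceError("program exceeds %d words" % MEMORY)
        if 33 <= b <= 126:
            if XLAT1[(b - 33 + i) % 94] not in VALID_OPS:
                raise MalbolgeSourceError(
                    "invalid instruction %r at byte offset %d" % (chr(b), offset))
        elif not relaxed:
            # The spec requires an error here; 0.1.1 silently stored the byte.
            raise MalbolgeSourceError(
                "non-graphic-ASCII byte 0x%02x at byte offset %d" % (b, offset))
        mem.append(b)
    return mem


def is_valid(src: bytes, relaxed: bool = False) -> bool:
    """Boolean wrapper around load_source for callers that only need accept/reject."""
    try:
        load_source(src, relaxed)
        return True
    except MalbolgeSourceError:
        return False
```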
Anders Kaseorg (andersk) wrote :

This bug was fixed in the package malbolge - 0.2-0ubuntu1

---------------
malbolge (0.2-0ubuntu1) jaunty; urgency=low

  [ Toni Ruottu ]
  * New upstream version (LP #251311).
  * debian/control: Updated Standards-Version to 3.8.0
  * debian/control: Added Build-Depends-Indep: python-support
  * debian/control: Changed Architecture to all (as interpreter is now
    written in python)
  * debian/control: Changed description
  * debian/copyright: Small changes (authors job status)
  * debian/rules: added build to .PHONY
  * debian/rules: changed build and clean rules to affect the change of
    architecture (using binary-indep now)

  [ Arnaud Soyez ]
  * Changed debian/changelog release to Jaunty

 -- Arnaud Soyez <email address hidden> Tue, 11 Nov 2008 09:32:57 -0500

Changed in malbolge:
status: Confirmed → Fix Released
This report contains Public Security information  