Malbolge Survival Kit

Insufficient input sanitization leads to arbitrary code execution

Bug #210098 reported by Anders Kaseorg on 2008-04-01

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Malbolge Survival Kit	Fix Released	Undecided	Unassigned
	malbolge (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: malbolge

The Malbolge 0.1.1 interpreter fails to sufficiently sanitize its input source. In particular, it fails to throw an error when it detects a non-ASCII character in the source, contrary to the language specification:

“When the interpreter tries to execute a program, it first checks to see if the current instruction is a graphical ASCII character (33 through 126). … If the original character is not graphic ASCII, the program is immediately ended.”

As discovered by Lou Scheffer, this vulnerability makes it possible for an attacker to circumvent Malbolge’s encryption and write useful programs. Sample exploit code is given at <http://www.lscheffer.com/malbolge.shtml>. A patch is attached.

Revision history for this message

Anders Kaseorg (andersk) wrote on 2008-04-01:

malbolge-0.1.1-input-sanitization.patch Edit (803 bytes, text/plain)

Revision history for this message

Toni Ruottu (toni-ruottu) wrote on 2008-04-01:

It all depends on whether or not the specification or
reference implementation is deemed correct.

Scheffer writes:

"One could argue this is simply a bug in the interpreter,
but taking advantage of a bug in the interpreter seems
very much in character (so to speak)."

Toni Ruottu (toni-ruottu) on 2008-04-01

Changed in msk:
status:	New → Confirmed
Changed in malbolge:
status:	New → Confirmed

Revision history for this message

Toni Ruottu (toni-ruottu) wrote on 2008-05-20:

MSK version 0.2 ships with a new interpreter written in Python. The new interpreter validates input by default. A user may skip input validation with "--relaxed" command line option. Mbs (malbolge script) authors may request relaxed (read skipped) input validation for their scripts by defining the "--relaxed" option in their script headers (see new copy.mbs for an example).

Toni Ruottu (toni-ruottu) on 2008-07-04

Changed in msk:
status:	Confirmed → Fix Committed
status:	Fix Committed → Fix Released

Revision history for this message

Anders Kaseorg (andersk) wrote on 2009-01-21:

This bug was fixed in the package malbolge - 0.2-0ubuntu1

---------------
malbolge (0.2-0ubuntu1) jaunty; urgency=low

  [ Toni Ruottu ]
  * New upstream version (LP #251311).
  * debian/control: Updated Standards-Version to 3.8.0
  * debian/control: Added Build-Depends-Indep: python-support
  * debian/control: Changed Architecture to all (as intrepreter is now
    written in python)
  * debian/control: Changed description
  * debian/copyright: Small changes (authors job status)
  * debian/rules: added build to .PHONY
  * debian/rules: changed build and clean rules to affect the change of
    architecture (using binary-indep now)

[ Arnaud Soyez ]
* Changed debian/changelog release to Jaunty

-- Arnaud Soyez <email address hidden> Tue, 11 Nov 2008 09:32:57 -0500

Changed in malbolge:
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

malbolge-0.1.1-input-sanitization.patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.