CVE-2004-0150 in Python
Summary
by MITRE
Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.
Analysis
by VulDB Data Team • 06/29/2021
CVE-2004-0150 is a buffer overflow in the getaddrinfo function of Python 2.2 releases before 2.2.2. It is reachable only in builds where IPv6 support is disabled, and it allows a remote attacker to execute arbitrary code by arranging for a DNS lookup to return an IPv6 address. The root cause is a missing address-family and length check in the code Python uses to turn DNS answers into socket address structures: the data returned by the resolver is copied without first comparing its size to the destination.
getaddrinfo translates a hostname into one or more socket addresses. When IPv6 support is compiled out, Python 2.2 does not rely on the C library's getaddrinfo but falls back to a bundled implementation of its own, and that fallback is where the flaw lies. It does not expect to see an IPv6 record at all, so when the resolver nevertheless returns a 16-byte IPv6 address, the data is copied into a buffer sized for a 4-byte IPv4 address and the excess bytes overwrite whatever lies beyond it. Because those bytes come straight from the DNS answer, an attacker who controls the answer controls the overwrite, which can lead to arbitrary code execution with the privileges of the Python process. No local access or open port is required: any lookup of an attacker-controlled name, or a spoofed or poisoned DNS reply for a name the application resolves, reaches the vulnerable code.
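The vulnerable pattern in miniature, as an added illustration written for this page and not Python's own getaddrinfo code: a resolver answer carries its own length (4 bytes for an A record, 16 for an AAAA record), and an IPv4-only caller copies it into a 4-byte slot using the answer's length rather than the slot's size. The memory around the destination is modelled as a flat byte array so the overrun stays in bounds and is observable rather than undefined behaviour; the struct names, constants and the two constructed DNS answers are assumptions, not data from the original report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what a DNS lookup hands back: address family,
 * the record's own length, and the raw address bytes. Not a real resolver. */
#define FAM_INET  2
#define FAM_INET6 10

struct resolved_addr {
    int family;
    size_t len;              /* 4 for an A record, 16 for an AAAA record */
    unsigned char bytes[16];
};

/* Model of the memory around the destination: an IPv4-only socket address
 * whose address field is 4 bytes, followed by 20 bytes belonging to other
 * fields (in a real program: the rest of the struct, neighbouring variables,
 * or a saved return address). Keeping it one array keeps the overrun inside
 * `frame`, so the clobbering can be measured instead of crashing. */
#define ADDR_LEN   4
#define FRAME_LEN  24
#define FILL       0xAA          /* pattern marking untouched adjacent memory */

/* Vulnerable: trusts the resolver-reported length and never compares it to
 * the 4-byte slot. An AAAA answer writes 12 attacker-chosen bytes past it. */
int fill_v4_vulnerable(unsigned char frame[FRAME_LEN], const struct resolved_addr *in)
{
    memcpy(frame, in->bytes, in->len);
    return 0;
}

/* Hardened: refuse any family this build does not support and bound the copy
 * by the destination size. The caller gets an error, not corrupted memory. */
int fill_v4_hardened(unsigned char frame[FRAME_LEN], const struct resolved_addr *in)
{
    if (in->family != FAM_INET || in->len != ADDR_LEN)
        return -1;
    memcpy(frame, in->bytes, ADDR_LEN);
    return 0;
}

/* Number of bytes beyond the 4-byte address slot that no longer hold FILL. */
size_t bytes_clobbered(const unsigned char frame[FRAME_LEN])
{
    size_t n = 0;
    for (size_t i = ADDR_LEN; i < FRAME_LEN; i++)
        if (frame[i] != FILL)
            n++;
    return n;
}

/* Constructed answers (assumed values, not real records): an ordinary A
 * record, and an AAAA record whose trailing bytes are attacker-chosen. */
static const struct resolved_addr kAnswerA    = { FAM_INET,  4,  {192, 0, 2, 1} };
static const struct resolved_addr kAnswerAAAA = { FAM_INET6, 16,
    {0x20, 0x01, 0x0d, 0xb8, 0x41, 0x41, 0x41, 0x41,
     0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41} };

/* Runs one fill function against one answer on a fresh frame. Returns how many
 * adjacent bytes were clobbered; *rc receives the fill function's result. */
size_t run_case(int (*fill)(unsigned char[FRAME_LEN], const struct resolved_addr *),
                const struct resolved_addr *in, int *rc)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, FILL, sizeof frame);
    *rc = fill(frame, in);
    return bytes_clobbered(frame);
}

int main(void)
{
    int rc;
    size_t n;
    n = run_case(fill_v4_vulnerable, &kAnswerA, &rc);
    printf("vulnerable, A record   : rc=%d, adjacent bytes clobbered=%zu\n", rc, n);
    n = run_case(fill_v4_vulnerable, &kAnswerAAAA, &rc);
    printf("vulnerable, AAAA record: rc=%d, adjacent bytes clobbered=%zu\n", rc, n);
    n = run_case(fill_v4_hardened, &kAnswerAAAA, &rc);
    printf("hardened,   AAAA record: rc=%d, adjacent bytes clobbered=%zu\n", rc, n);
    return 0;
}
```

The hardened variant does what a resolver wrapper built for one address family must do: check the family it was handed and copy at most the destination's size, returning an error for anything else. Note that the check is on the destination's capacity, not on an expectation about the network; a host that has never been given an IPv6 address can still receive an AAAA answer from DNS, which is exactly the case the original code did not anticipate.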
The operational impact is remote code execution in any process that resolves a name an attacker can influence, which covers far more than network daemons: a script fetching a URL, a mail handler looking up a sender's host, or a log processor doing reverse lookups all call into the same resolver. To exploit the flaw the attacker needs a DNS answer containing an IPv6 (AAAA) record for the name being resolved, which they can obtain either by controlling the zone for that name and waiting for a vulnerable application to look it up, or by spoofing or poisoning the reply. Affected systems are those running Python 2.2.0 or 2.2.1 built without IPv6 support. Because the trigger is an ordinary outbound lookup rather than an inbound connection, controls that only filter inbound traffic do not prevent it.
The flaw is classified under CWE-121 (stack-based buffer overflow; its heap-based counterpart is CWE-122) and demonstrates how a missing length check in address-resolution code turns untrusted DNS data into a memory-safety problem. From an ATT&CK perspective it maps to T1059.006 (Command and Scripting Interpreter: Python) for the resulting code execution and T1071.004 (Application Layer Protocol: DNS) for the delivery channel. The fix is to upgrade to Python 2.2.2 or later, where the overflow has been corrected. Where that is not immediately possible, administrators should route lookups through a local validating resolver they control, alert on AAAA answers delivered to hosts that are not expected to use IPv6, and avoid disabling IPv6 support in the interpreter unless there is a specific reason to, since the vulnerable code path is only reached in builds with IPv6 disabled.