[Python-Dev] FWD: Python execvpe symlink race condition.
Aahz
aahz@pythoncraft.com
Sat, 15 Feb 2003 23:43:19 -0500
Not sure what to do about this, but I don't have the time to check into
it.
----- Forwarded message from Access-=-Denied support <info@ad2u.gr> -----
> Forwarded-By: aahz@pythoncraft.com
> Reply-To: info@ad2u.gr
> To: webmaster@python.org
> Subject: Python execvpe symlink race condition.
> From: Access-=-Denied support <info@ad2u.gr>
> Organization: Access-=-Denied
> Date: Sun, 16 Feb 2003 03:33:38 -0000
>
>
> Dear webmaster,
>
>
> The proof of concept code will be published in a few days. That will leave
> you plenty of time to deal with the bug.
>
>
>
> Looking forward to hearing from you,
>
> Access-=-Denied support
>
>
>
> START OF ADVISORY
> -----------------
>
> AD2U Security Advisory -- 15/02/2003
>
> Python 2.2.x execvpe Symlink Race Condition
>
> Summary
> --------
>
> A symlink race condition exists in all versions of the Python programming
> language. Probably any POSIX system running Python is vulnerable.
>
> #### IMPORTANT ####
> This vulnerability is not closely related to the recent execvpe
> vulnerability, but the idea is derived from there.
>
>
>
> Description
> ----------------
>
> The vulnerability can be observed in two library files that come with
> python.
>
> tempfile.py at def mktemp(suffix=""):
> *************************************
>     while 1:
>         i = _counter.get_next()
>         file = os.path.join(dir, pre + str(i) + suffix)
>         if not os.path.exists(file):
>             return file
>
>
> os.py at def _execvpe(file, args, env=None):
> ********************************************
>     import tempfile
>     t = tempfile.mktemp()
>     # Exec a file that is guaranteed not to exist
>     try: execv(t, ('blah',))
>     except error, _notfound: pass
>
> It is possible to create a link at the name of the file to be executed (t) in
> the limited time window between the execution of the statements
> os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in os.py.
>
>
> IMPACT
> ------
>
> Python is not running suid on most platforms, so gaining root privileges is
> a little hard. However, you can attack scripts that use the execvpe function
> and you will gain the privileges of the user running the script.
>
>
> PATCH
> -----
>
> The vulnerability of the tempfile.mktemp() function is known, and Python has
> "declared" mktemp() deprecated. As far as the execvpe function is concerned,
> because it uses the mktemp() function it is vulnerable to this attack.
>
> Vendor has been notified.
>
>
> Exploit
> -------
>
> There is exploit code available for this bug and will be published soon.
>
> A simple run of the exploit is demonstrated below:
>
> root@prezaki:~# ./python.sh
> Python 2.2.x Symlink Race Condition exploit
> Access-=-Denied Networks (c) mzozd@ad2u.gr, 2003
> This is a proof of concept code!!! For educational purposes only
> Creating suidshell script
> Building python file...
> Be patient, it will take a few moments
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> You got your suidshell...
> -rwsr-xr-x 1 root root 532960 Feb 15 02:42 /tmp/.sh
> Cleaning environment
>
> root@prezaki:~#
>
>
> DISCLAIMER
> ----------
>
> The author(s) does(do) not have any responsibility for any malicious
> use of this advisory or proof of concept code. The code and the
> information provided here are for educational purposes only.
> The author(s) will NOT be held responsible for any direct or indirect
> damages caused by the information or the code
> provided here. This advisory is OPEN for public distribution
> EXCEPT for Symantec Corporation, Security Focus, Bugtraq or
> any other company affiliated with Symantec. Articles that are
> based on the information posted here SHOULD include a link
> to this advisory or clearly refer the SOURCE.
> This disclaimer is not to be modified by any means and must
> be included 'as-is' in other documents. The material provided
> here, in any form, is copyright property of Access-=-Denied Networks.
>
>
> Acknowledgements
> ----------------
>
> Discovery and proof of concept code by MzOzD
> Email at mzozd@ad2u.gr
>
>
> REFERENCES
> ----------
>
> RHSA-2002:202-33.txt ADVISORY
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156556
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119
----- End forwarded message -----
--
Aahz (aahz@pythoncraft.com) <*> http://www.pythoncraft.com/
Register for PyCon now! http://www.python.org/pycon/reg.html
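The weakness the forwarded advisory describes is a classic check-then-use gap: mktemp() tests a name with os.path.exists() and hands the bare name back, but nothing is created, so the name is never actually reserved. The example below is added here for illustration and is not code from the advisory, from Aahz, or from the Python standard library. It mirrors the quoted mktemp() loop in a constructed scratch directory, plants a dangling symlink at the "free" name itself (standing in for a second process that wins the race; no live contention is involved), and shows two things a defender should know: os.path.exists() reports False for a dangling symlink, so the check passes, and a plain open() then writes through the link to a file that was never meant to exist. Beside it is the mitigation: a single os.open() with O_CREAT|O_EXCL, which fails with EEXIST when anything already occupies the path, and tempfile.mkstemp(), which does the same internally. The directory and file names are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def reserve_name_racy(directory, prefix="tmp"):
    """Mirror of the mktemp() loop quoted in the advisory: an existence
    check followed by returning a bare name.  Nothing is created, so the
    name is not reserved and anything may appear at it before it is used."""
    i = 0
    while True:
        candidate = os.path.join(directory, prefix + str(i))
        # exists() follows symlinks, so a dangling link at `candidate`
        # makes it report False and the name is handed out as "free".
        if not os.path.exists(candidate):
            return candidate
        i += 1


def create_exclusive(path):
    """Atomic alternative: create-or-fail in one syscall.  O_EXCL makes
    open() fail with EEXIST if anything, a symlink included, already sits
    at `path`, so there is no window between check and use.
    Returns an open fd on success or None if the name was taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None


def demo():
    """Run both behaviours in a fresh scratch directory and report what
    happened.  The symlink is planted by this function to stand in for a
    second process winning the race; it is a constructed scenario."""
    directory = tempfile.mkdtemp(prefix="race-demo-")   # constructed dir
    try:
        target = os.path.join(directory, "victim-file")  # constructed name
        name = reserve_name_racy(directory)

        # Between the exists() check and the use, another actor plants a
        # dangling symlink at the "reserved" name.  exists() still says False.
        os.symlink(target, name)
        looks_free_after_symlink = not os.path.exists(name)

        # The racy consumer now uses the name.  open() follows the link and
        # creates the link target instead of a fresh private file.
        with open(name, "w") as fh:
            fh.write("written through the symlink\n")
        racy_followed_link = os.path.isfile(target)

        # The exclusive variant refuses the occupied name outright.
        fd = create_exclusive(name)
        exclusive_refused = fd is None
        if fd is not None:
            os.close(fd)

        # mkstemp() creates the file atomically (O_EXCL inside) and returns
        # an fd plus the path, so no name is ever handed out unreserved.
        fd, safe_path = tempfile.mkstemp(dir=directory)
        os.close(fd)
        mkstemp_created = os.path.isfile(safe_path)

        return {
            "looks_free_after_symlink": looks_free_after_symlink,
            "racy_followed_link": racy_followed_link,
            "exclusive_refused": exclusive_refused,
            "mkstemp_created": mkstemp_created,
        }
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that a temporary name is only safe once the kernel has created the file for you under O_EXCL and handed back the descriptor; any API that returns a string and leaves creation to the caller, mktemp() included, reopens the window the advisory describes. On Linux the O_EXCL failure is returned as EEXIST even when the existing entry is a symlink, which is why the exclusive variant is the correct check rather than a separate os.path.islink() test.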