[Python-Dev] FWD: Python execvpe symlink race condition.

Aahz aahz@pythoncraft.com
Sat, 15 Feb 2003 23:43:19 -0500


Not sure what to do about this, but I don't have the time to check into
it.

----- Forwarded message from Access-=-Denied support <info@ad2u.gr> -----
> Forwarded-By: aahz@pythoncraft.com
> Reply-To: info@ad2u.gr
> To: webmaster@python.org
> Subject: Python execvpe symlink race condition.
> From: Access-=-Denied support <info@ad2u.gr>
> Organization: Access-=-Denied
> Date: Sun, 16 Feb 2003 03:33:38 -0000
> 
> 
> Dear webmaster,
> 
> 
> The proof of concept code will be published in a few days. That will leave
> you plenty of time to deal with the bug.
> 
> 
> 
> Looking forward to hearing from you,
> 
> Access-=-Denied support
> 
> 
> 
> START OF ADVISORY
> -----------------
> 
> AD2U Security Advisory -- 15/02/2003
> 
> Python 2.2.x execvpe Symlink Race Condition
> 
> Summary
> --------
> 
> A symlink race condition exists in all versions of the Python programming
> language. Probably any POSIX system running Python is vulnerable.
> 
> #### IMPORTANT ####
> This vulnerability is not closely related to the recent execvpe 
> vulnerability, but the idea is derived from there.
> 
> 
> 
> Description
> ----------------
> 
> The vulnerability can be observed in two library files that come with 
> python.
> 
> tempfile.py at def mktemp(suffix=""):
> *************************************
>    while 1:
>        i = _counter.get_next()
>        file = os.path.join(dir, pre + str(i) + suffix)
>        if not os.path.exists(file):
>            return file
> 
> 
> os.py at def _execvpe(file, args, env=None):
> ********************************************
>            import tempfile
>            t = tempfile.mktemp()
>            # Exec a file that is guaranteed not to exist
>            try: execv(t, ('blah',))
>            except error, _notfound: pass
> 
> It is possible to create a link at the path of the file to be executed (t)
> in the limited time window between the execution of the statements
> os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in os.py.
> 
> 
> IMPACT
> ------
> 
> Python is not running suid on most platforms, so gaining root privileges is
> a little hard. However, you can attack scripts that use the execvpe function
> and you will gain the privileges of the user running the script.
> 
> 
> PATCH
> -----
> 
> The vulnerability of the tempfile.mktemp() function is known, and Python
> has "declared" mktemp() deprecated. As far as the execvpe function is
> concerned, because it uses the mktemp() function it is vulnerable to this
> attack.
> 
> Vendor has been notified.
> 
> 
> Exploit
> -------
> 
> There is exploit code available for this bug and it will be published soon.
> 
> A simple run of the exploit is demonstrated below:
> 
> root@prezaki:~# ./python.sh
> Python 2.2.x Symlink Race Condition exploit
> Access-=-Denied Networks (c) mzozd@ad2u.gr, 2003
> This is a proof of concept code!!! For educational purposes only
> Creating suidshell script
> Building python file...
> Be patient, it will take a few moments
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> ......................................................................
> You got your suidshell...
> -rwsr-xr-x    1 root     root       532960 Feb 15 02:42 /tmp/.sh
> Cleaning environment
> 
> root@prezaki:~#
> 
> 
> DISCLAIMER
> ----------
> 
> The author(s) does(do) not have any responsibility for any malicious
> use of this advisory or proof of concept code. The code and the
> information provided here are for educational purposes only.
> The author(s) will NOT be held responsible for any direct or indirect 
> damages caused by the information or the code
> provided here. This advisory is OPEN for public distribution
> EXCEPT for Symantec Corporation, Security Focus, Bugtraq or
> any other company affiliated with Symantec. Articles that are
> based on the information posted here SHOULD include a link
> to this advisory or clearly refer to the SOURCE.
> This disclaimer is not to be modified by any means and must
> be included 'as-is' in other documents. The material provided
> here, in any form, is copyright property of Access-=-Denied Networks.
> 
> 
> Acknowledgements
> ----------------
> 
> Discovery and proof of concept code by MzOzD
> Email at mzozd@ad2u.gr
> 
> 
> REFERENCES
> ----------
> 
> RHSA-2002:202-33.txt ADVISORY
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156556
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119

----- End forwarded message -----

-- 
Aahz (aahz@pythoncraft.com)           <*>         http://www.pythoncraft.com/

Register for PyCon now!  http://www.python.org/pycon/reg.html
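Editor's note, added to this archived message and not part of Aahz's mail or the AD2U advisory: the window the advisory points at is a check-then-use race. mktemp() answers "does this name exist?" and _execvpe() then acts on the name, with nothing reserving it in between, and because the names come from a process-local counter they are predictable. The Python 3 example below reproduces that window deterministically (an in_window callback stands in for the attacker, so no timing luck is needed) and shows the two fixes that remove it: comparing a failed exec's errno against errno.ENOENT and errno.ENOTDIR directly, which is what later Python releases do, so no probe file is ever needed; and creating real temporary files with O_CREAT|O_EXCL as tempfile.mkstemp() does, which refuses a planted symlink with EEXIST. The attacker payload, scratch directory and exit code 42 are constructed for the demonstration, and the function names are the editor's own; it needs a POSIX system (fork, exec, symlinks).

```python
"""Editor's example, not code from the advisory or from Python itself: the
mktemp()/_execvpe() check-then-use window from Python 2.2, reproduced
deterministically beside the race-free alternatives.  POSIX only."""
import errno
import itertools
import os
import shutil
import tempfile


def mktemp_2_2(dirpath, counter, prefix="@"):
    """Same logic as the quoted mktemp(): a predictable counter-based name,
    returned as soon as os.path.exists() says it is free.  Nothing reserves
    it, so whatever the caller does with the name next can be raced."""
    while True:
        name = os.path.join(dirpath, prefix + str(next(counter)))
        if not os.path.exists(name):
            return name


def child_exit_code(fn):
    """Run fn() in a forked child and return the child's exit code.  A failed
    exec exits with its errno, so 2 (ENOENT) means 'no such file'; anything
    else means a program actually ran."""
    pid = os.fork()
    if pid == 0:
        try:
            fn()
        except OSError as e:
            os._exit(e.errno)
        os._exit(0)  # not reached: a successful exec never returns
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def probe_enoent_2_2(dirpath, counter, in_window=lambda name: None):
    """The quoted _execvpe() idea: learn what ENOENT looks like by executing
    a name 'guaranteed not to exist'.  in_window() runs between the exists()
    check and the execv(); it stands in for an attacker acting in that gap."""
    t = mktemp_2_2(dirpath, counter)
    in_window(t)
    return child_exit_code(lambda: os.execv(t, ("blah",)))


def execvpe_fixed(file, args, path_dirs):
    """Probe-free PATH search (the approach later Python releases took): try
    each candidate and compare a failed exec's errno with the errno constants.
    With no probe file there is no name for an attacker to plant."""
    saved = None
    for d in path_dirs:
        try:
            os.execv(os.path.join(d, file), args)
        except OSError as e:
            if e.errno not in (errno.ENOENT, errno.ENOTDIR) and saved is None:
                saved = e
    raise saved if saved is not None else OSError(errno.ENOENT, "not found")


def exclusive_create_refuses_symlink(dirpath):
    """Where a real temp file is needed, create it with O_CREAT|O_EXCL (what
    tempfile.mkstemp() does): a symlink planted at the predicted name makes
    open() fail with EEXIST, dangling or not, instead of being followed."""
    name = os.path.join(dirpath, "@predicted")
    os.symlink(os.path.join(dirpath, "wherever"), name)  # attacker's dangling link
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as e:
        return e.errno == errno.EEXIST
    os.close(fd)
    return False


def demo():
    """Returns (honest, raced, fixed_hit, fixed_miss, excl_ok)."""
    # Scratch dir under the cwd, not /tmp: the payload must be executable
    # and some systems mount /tmp noexec.
    base = os.getcwd() if os.access(os.getcwd(), os.W_OK) else None
    dirpath = tempfile.mkdtemp(prefix="ad2u-", dir=base)
    try:
        payload = os.path.join(dirpath, "payload.sh")  # constructed attacker payload
        with open(payload, "w") as f:
            f.write("#!/bin/sh\nexit 42\n")  # exits 42 so 'it ran' is unmistakable
        os.chmod(payload, 0o700)
        honest = probe_enoent_2_2(dirpath, itertools.count(1))  # ENOENT, as intended
        # The counter restarts at 1 in every process, so the next name is
        # predictable; the attacker links it to the payload inside the window.
        raced = probe_enoent_2_2(dirpath, itertools.count(1),
                                 in_window=lambda t: os.symlink(payload, t))
        fixed_hit = child_exit_code(
            lambda: execvpe_fixed("payload.sh", ("payload.sh",), [dirpath]))
        fixed_miss = child_exit_code(
            lambda: execvpe_fixed("no-such-program", ("x",), [dirpath]))
        excl_ok = exclusive_create_refuses_symlink(dirpath)
    finally:
        shutil.rmtree(dirpath)
    return honest, raced, fixed_hit, fixed_miss, excl_ok


if __name__ == "__main__":
    print(demo())  # (2, 42, 42, 2, True)
```

Run it as a script. The honest probe returns 2 (ENOENT), exactly the value _execvpe() wanted to learn; the raced probe returns 42, because the attacker's script was executed with the caller's privileges through the symlink planted in the window. The probe-free search returns 42 only when asked for the payload by name and 2 for a missing program, without ever touching a temporary name, and the O_EXCL open reports True because the planted link was rejected rather than followed.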