[Python-Dev] FWD: Python execvpe symlink race condition.

Aahz aahz@pythoncraft.com
Sat, 15 Feb 2003 23:43:19 -0500


Not sure what to do about this, but I don't have the time to check into it.

----- Forwarded message from Access-=-Denied support <info@ad2u.gr> -----

Forwarded-By: aahz@pythoncraft.com
Reply-To: info@ad2u.gr
To: webmaster@python.org
Subject: Python execvpe symlink race condition.
From: Access-=-Denied support <info@ad2u.gr>
Organization: Access-=-Denied
Date: Sun, 16 Feb 2003 03:33:38 -0000

Dear webmaster,

The proof of concept code will be published in a few days. That will leave you plenty of time to deal with the bug.

Looking forward to hearing from you,
Access-=-Denied support

START OF ADVISORY
-----------------

AD2U Security Advisory -- 15/02/2003
Python 2.2.x execvpe Symlink Race Condition

Summary
-------
A symlink race condition exists in all versions of the Python programming language. Probably any POSIX system running Python is vulnerable.

#### IMPORTANT ####
This vulnerability is not closely related to the recent execvpe vulnerability, but the idea is derived from there.

Description
-----------
The vulnerability can be observed in two library files that come with Python.

tempfile.py at def mktemp(suffix=""):
*************************************

    while 1:
        i = counter.getnext()
        file = os.path.join(dir, pre + str(i) + suffix)
        if not os.path.exists(file):
            return file

os.py at def execvpe(file, args, env=None):
*******************************************

    import tempfile
    t = tempfile.mktemp()
    # Exec a file that is guaranteed not to exist
    try:
        execv(t, ('blah',))
    except error, notfound:
        pass

It is possible to create a link of the file to be executed (t) in the limited time window between the statements os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in os.py are executed.

IMPACT
------
Python is not running suid on most platforms, so to gain root privileges is a little hard. However, you can attack scripts that use the execvpe function and you will gain the privileges of the user running the script.

PATCH
-----
The vulnerability of the tempfile.mktemp() function is known, and Python has "declared" mktemp() deprecated. As far as it concerns the execvpe function, because it uses the mktemp() function it is vulnerable to this attack. Vendor has been notified.

Exploit
-------
There is exploit code available for this bug and will be published soon. A simple run of the exploit is demonstrated below:

    root@prezaki:~# ./python.sh
    Python 2.2.x Symlink Race Condition exploit
    Access-=-Denied Networks (c) mzozd@ad2u.gr, 2003
    This is a proof of concept code!!!
    For educational purposes only
    Creating suidshell script
    Building python file...
    Be patient, it will take a few moments
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    You got your suidshell...
    -rwsr-xr-x 1 root root 532960 Feb 15 02:42 /tmp/.sh
    Cleaning environment
    root@prezaki:~#

DISCLAIMER
----------
The author(s) does(do) not have any responsibility for any malicious use of this advisory or proof of concept code. The code and the information provided here are for educational purposes only. The author(s) will NOT be held responsible for any direct or indirect damages caused by the information or the code provided here.

This advisory is OPEN for public distribution EXCEPT for Symantec Corporation, Security Focus, Bugtraq or any other company affiliated with Symantec. Articles that are based on the information posted here SHOULD include a link to this advisory or clearly refer the SOURCE. This disclaimer is not to be modified by any means and must be included 'as-is' in other documents. The material provided here, in any form, is copyright property of Access-=-Denied Networks.

Acknowledgements
----------------
Discovery and proof of concept code by MzOzD
Email at mzozd@ad2u.gr

REFERENCES
----------
RHSA-2002:202-33.txt ADVISORY
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=156556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1119

----- End forwarded message -----

-- Aahz (aahz@pythoncraft.com) <*> http://www.pythoncraft.com/

Register for PyCon now! http://www.python.org/pycon/reg.html
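The advisory's core point is the check-then-use window in mktemp(): os.path.exists() follows symlinks and reports False for a dangling link, so a name that "does not exist" can still be a link an attacker planted, and whatever is later created or executed at that name goes wherever the link points. The following is an added example for this thread, not code from the advisory or from CPython. It contrasts the exists()-then-open pattern quoted above with an atomic O_CREAT|O_EXCL create, which is what tempfile.mkstemp() uses and which fails with EEXIST on any pre-existing name, symlink included. To make the outcome deterministic the "attacker" plants the dangling link before the victim runs, i.e. the race is assumed won; the directory, file names and the returned dict are constructed for the demonstration.

```python
import os
import tempfile


def unsafe_reserve(path):
    """Check-then-create, the same shape as the mktemp() loop in the advisory.

    Between os.path.exists() and open() another process can plant a symlink
    at `path`; open() then follows it and writes wherever the link points.
    Returns True when the caller believed the name was free and created it.
    """
    if os.path.exists(path):      # False for a dangling symlink
        return False
    with open(path, "w") as fh:   # follows the symlink planted in the window
        fh.write("written through exists()-then-open\n")
    return True


def safe_reserve(path):
    """Atomic create with O_EXCL, the primitive behind tempfile.mkstemp().

    O_CREAT|O_EXCL fails with EEXIST if anything exists at `path`, including
    a dangling symlink, so a planted link is never followed. Returns True
    only if this call created a brand-new file at exactly `path`.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write("created atomically\n")
    return True


def demo():
    """Simulate the race with the attacker's link already in place.

    For each pattern a dangling symlink `<name>_tmpname -> victim_target` is
    planted, then the pattern is asked to reserve that name. Returns a dict
    name -> (victim_target got written?, pattern claimed the name?).
    """
    results = {}
    with tempfile.TemporaryDirectory() as workdir:   # constructed sandbox
        target = os.path.join(workdir, "victim_target")
        for name, reserve in (("unsafe", unsafe_reserve),
                              ("safe", safe_reserve)):
            link = os.path.join(workdir, name + "_tmpname")
            os.symlink(target, link)          # dangling: target absent
            assert not os.path.exists(link)   # exists() is fooled
            assert os.path.lexists(link)      # lexists() is not, but is racy too
            claimed = reserve(link)
            results[name] = (os.path.exists(target), claimed)
            if os.path.exists(target):
                os.unlink(target)
            os.unlink(link)
    return results


if __name__ == "__main__":
    # unsafe: the write lands in victim_target through the link.
    # safe:   O_EXCL refuses the planted name and nothing is written.
    print(demo())
```

The takeaway for the execvpe case is the same: a name that was "guaranteed not to exist" a moment ago guarantees nothing at use time. Later CPython versions dropped the probe-exec of a mktemp() name altogether and instead inspect the errno of each failed exec attempt along PATH (ENOENT/ENOTDIR), so no temporary name is needed at all; for temporary files, mkstemp() or NamedTemporaryFile() hand back an open descriptor created with O_EXCL rather than a name to be checked and reused.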