A vulnerability has been discovered in Python 3.11 through 3.11.4 which could allow an attacker to bypass security measures that were functional in Python 3.10.x or earlier. The issue pertains to the os.path.normpath() function, which, when given a path containing null ('\0') bytes, truncates the path unexpectedly at the first null byte. This vulnerability has been assigned the CVE ID CVE-2023-41105.

Details

The issue lies in the os.path.normpath() function's handling of paths with null ('\0') bytes. In Python 3.10.x or earlier, a path with null bytes would be rejected for security reasons, as null bytes are often used in path traversal attacks. However, in Python 3.11.0 through 3.11.4, the normpath() function processes paths with null bytes and silently truncates the path at the first null byte.

Here's a code snippet demonstrating the vulnerability:

import os

# Unsafe path with an embedded null byte after the directory name
unsafe_path = "example_directory\0/../sensitive_file.txt"

# Python 3.10.x (and fixed releases): the null byte is treated as an
# ordinary character; here the '..' segment removes the component that
# contains it, so the result is "sensitive_file.txt".
# Python 3.11.0 - 3.11.4: the path is silently truncated at the null
# byte, so the result is "example_directory".
normalized_path = os.path.normpath(unsafe_path)

print(repr(normalized_path))

Exploit

An attacker can craft a path containing null bytes to exploit this vulnerability, which might allow them to gain unauthorized access to sensitive files or directories that would have otherwise been rejected in Python 3.10.x or earlier.

Consider the following scenario: An application uses normpath() to normalize and remove any path traversal elements in a user-provided path before accessing a file. If an attacker crafts a path containing null bytes, the application might end up accessing a file or directory different from the intended one due to the unexpected truncation. This could lead to unauthorized file system access, information disclosure, or other security issues.


Mitigations

To mitigate this vulnerability, developers should validate user-provided paths and reject any paths containing null bytes before passing them to the os.path.normpath() function. Additionally, developers can use the latest Python release containing a fix for the issue, when available.
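The following is an added example, not code from the advisory or from CPython, showing the mitigation described above applied to the scenario in the Exploit section: an application that maps a user-supplied relative path onto a base directory. The null-byte check runs before os.path.normpath() is ever called, so the truncation behaviour of 3.11.0 through 3.11.4 is never reached, and a containment check after normalisation catches ordinary '..' traversal. The base directory and the helper names (resolve_user_path, classify) are assumptions made for the example.

```python
import os

# Assumed application root for the example; not a path from the advisory.
BASE_DIR = "/srv/app/files"


def contains_null_byte(path):
    """Return True if the path (str or bytes) carries an embedded NUL byte."""
    nul = b"\x00" if isinstance(path, bytes) else "\x00"
    return nul in path


def naive_resolve(user_path, base_dir=BASE_DIR):
    """The vulnerable pattern from the Exploit section: normpath() alone.

    On Python 3.11.0 - 3.11.4 a NUL byte in user_path truncates the result
    before the '..' segments are even seen, so the containment check below
    is made against a different path than the one that will be used.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_user_path(user_path, base_dir=BASE_DIR):
    """Hardened form: reject NUL bytes first, then normalise and contain.

    Raises ValueError if the path contains a NUL byte or if the normalised
    result lies outside base_dir.
    """
    if contains_null_byte(user_path):
        raise ValueError("embedded null byte in path")
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    # normpath has already collapsed '..' segments, so any candidate that
    # does not share base_dir as its common prefix is a traversal attempt.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes base directory")
    return candidate


def classify(user_path):
    """Summarise the hardened resolver's verdict as 'ok', 'null-byte' or 'traversal'."""
    try:
        resolve_user_path(user_path)
        return "ok"
    except ValueError as exc:
        return "null-byte" if "null" in str(exc) else "traversal"


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for sample in ["reports/q1.txt", "reports\x00/../../etc/passwd", "../../etc/passwd"]:
        print(repr(sample), "->", classify(sample))
```

The null-byte rejection is deliberately version-independent: it protects interpreters still on 3.11.0 through 3.11.4 and costs nothing on fixed releases, where the operating system would reject the embedded NUL anyway. Checking containment with os.path.commonpath() rather than a string prefix avoids treating "/srv/app/files2" as being inside "/srv/app/files".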

Conclusion

CVE-2023-41105 is a potentially severe vulnerability in Python 3.11.x that could lead to security bypass and unauthorized access in applications that utilize the os.path.normpath() function. To mitigate this risk, developers should validate user-provided paths and update their Python installations once a fix is released. Always follow best practices for safe coding and keep up-to-date with the latest security advisories for your software dependencies.

Timeline

Published on: 08/23/2023 07:15:00 UTC
Last modified on: 09/01/2023 13:37:00 UTC