CVE-2023-45283: Filepath Package Vulnerability in Windows Root Local Device Paths

Summary: A vulnerability has been discovered in the filepath package which allows access to arbitrary locations on the system by not recognizing paths with a \??\ prefix as special. This post will provide a detailed analysis of the issue, including code snippets, links to original references, and exploit details.

Introduction

The filepath package in Go has a vulnerability (CVE-2023-45283) that affects the handling of Windows root local device paths. In particular, the package does not recognize paths with a "\\??\\" prefix, which can be exploited to access arbitrary locations on the system. This post aims to provide in-depth details and analysis of this issue.

Vulnerability Details

On Windows, paths that start with a "\\?\\" prefix are treated as root local device paths, and are equivalent to those beginning with "\\\\?\\". However, the filepath package fails to identify "\\??\\" prefixed paths as special, allowing malicious users to exploit this and access arbitrary system locations.

For example, consider the path "\\??\\c:\\x", which is equivalent to "c:\\x". Prior to the patch, the filepath.Clean function incorrectly converted rooted paths like "\\a\\\\..\??\\b" into the root local device path "\\??\\b". After the patch, filepath.Clean now converts this to ".\\??\\b" instead.

Similarly, filepath.Join("\\", "??", "b") would incorrectly convert a seemingly innocent path into "\\??\\b", a root local device path. The patched version now converts this to "\\.\??\\b".

Moreover, with the patch, filepath.IsAbs now correctly reports paths beginning with "\\??\\" as absolute, and filepath.VolumeName now correctly reports the "\\??\\" prefix as a volume name.

Here's a code snippet demonstrating the vulnerability

package main

import (
	"fmt"
	"path/filepath"
)

func main() {
	oldPath := "\\a\\..\\??\\b"
	cleanedPath := filepath.Clean(oldPath)

	fmt.Printf("Before Patch: %s\n", cleanedPath)

	// After applying the patch
	// cleanedPath should be ".\\??\\b"
}

Exploit Details

An attacker could use this vulnerability to access sensitive files and directories in the system by using a crafted path string.

For example, if an application uses filepath.Clean or filepath.Join to manipulate paths, an attacker could craft a path like "\\a\\\\..\\??\\Windows\\System32", potentially giving them access to critical system files.

References

- Go Issue 958079: https://golang.org/issue/958079
- Go Issue 308555: https://golang.org/issue/308555
- Go Release Notes 1.20.11 & 1.21.4: https://golang.org/doc/devel/release.html#go1.20.minor

Conclusion

The filepath package vulnerability (CVE-2023-45283) in handling Windows root local device paths has been patched in Go 1.20.11 and Go 1.21.4. We recommend updating to the latest version, as this issue can result in unauthorized access to arbitrary system locations.

Timeline

Published on: 11/09/2023 17:15:08 UTC
Last modified on: 12/14/2023 10:15:07 UTC