A new security vulnerability (CVE-2023-6597) was discovered in the CPython tempfile.TemporaryDirectory class, affecting several versions, including 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The flaw causes symbolic links to be dereferenced while the class cleans up after a permissions-related error. As a result, users who can run privileged programs may be able to change the permissions of the files those symlinks point to.

Details of the Vulnerability

The issue lies in how the tempfile.TemporaryDirectory class handles permission-related errors inside its cleanup method. When a PermissionError occurs while a file is being removed, the method tries to repair the permissions, and in doing so it dereferences symbolic links (symlinks) instead of treating them as links.

The following code snippet demonstrates the cleanup method present in the tempfile.TemporaryDirectory class:

import os
import tempfile

class TemporaryDirectory:
    def __init__(self):
        self.name = tempfile.mkdtemp()
    def __enter__(self):
        return self.name
    def cleanup(self, _warn_message, _warnings_module):
        try:
            os.rmdir(self.name)
        except PermissionError:
            # Walk the tree bottom-up. followlinks=True is the flaw: symlinked
            # directories are descended into, and the chmod calls below are
            # applied through the links to whatever they point at.
            for root, dirs, files in os.walk(self.name, topdown=False, followlinks=True):
                for name in files:
                    os.chmod(os.path.join(root, name), 0o700)  # octal literal is 0o700, not o700
                    os.unlink(os.path.join(root, name))
                for name in dirs:
                    os.chmod(os.path.join(root, name), 0o700)
                    os.rmdir(os.path.join(root, name))
    ...

As shown above, when a PermissionError occurs the cleanup method walks the nested files and directories and resets their permissions to 0o700 with os.chmod before removing them. The problem is the followlinks=True argument passed to os.walk(): with it, symlinks encountered during the walk are dereferenced, so the permission changes land on the files the links point to rather than on the links themselves.

References to Original Sources

1. CPython GitHub Repository: https://github.com/python/cpython
2. Python's Official Security Advisory: https://python-security.readthedocs.io/vuln/tempfile-symlink-dereference.html
3. National Vulnerability Database (NVD) Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-6597

Exploit Details

An attacker who can create symlinks on the target system and cause a privileged program to run this cleanup could abuse the flaw. The attacker would place a symlink inside the temporary directory that points to a file with restricted access. When cleanup() hits a permissions error and proceeds to reset permissions, it dereferences the symlink and changes the mode of the target file, granting access that was not intended.

Mitigation and Recommendations

Users and developers using affected versions of CPython are advised to apply the latest available patches to fix the vulnerability. Until the official patches are available, users can use the following workaround:

Modify the os.walk() function in the cleanup() method within the tempfile.TemporaryDirectory class to prevent following symbolic links:

os.walk(self.name, topdown=False, followlinks=False)

Setting followlinks=False stops the cleanup function from descending into symlinked directories and mitigates the risk described above.
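The following is an added example, not the page's snippet and not CPython's code or its upstream patch. It places the chmod step of the snippet above beside a hardened version of the workaround and runs both against a constructed scenario: a temp directory containing a symlink to a file outside it. The hardened version goes one step beyond the followlinks=False workaround: because os.chmod itself follows symlinks by default, it also checks each entry with lstat and skips links before touching anything (function names and the victim.txt file are assumptions for the demonstration).

```python
import os
import stat
import tempfile

def vulnerable_reset_perms(root_dir):
    """The chmod step of the snippet above: walk with followlinks=True and
    chmod every entry by path. A symlink entry is dereferenced, so the
    mode of the file it points to is what actually changes."""
    for root, dirs, files in os.walk(root_dir, topdown=False, followlinks=True):
        for name in files + dirs:
            os.chmod(os.path.join(root, name), 0o700)

def hardened_reset_perms(root_dir):
    """Do not descend through links, and do not chmod through them either:
    os.chmod follows symlinks by default, so followlinks=False alone is not
    enough; check each entry with lstat first. (A window remains between
    lstat and chmod; closing it needs an fd-based approach such as
    os.open with O_NOFOLLOW, which this illustration does not attempt.)"""
    for root, dirs, files in os.walk(root_dir, topdown=False, followlinks=False):
        for name in files + dirs:
            path = os.path.join(root, name)
            if stat.S_ISLNK(os.lstat(path).st_mode):
                continue  # a link: leave its target's mode alone
            os.chmod(path, 0o700)

def run_scenario(reset):
    """Constructed scenario: a file outside the temp dir has mode 0o644, and
    the temp dir holds a symlink to it. Run the given cleanup on the temp
    dir and return the outside file's mode afterwards."""
    with tempfile.TemporaryDirectory() as outside:
        target = os.path.join(outside, "victim.txt")  # assumed name
        with open(target, "w") as f:
            f.write("not yours to chmod\n")
        os.chmod(target, 0o644)
        tmp = tempfile.mkdtemp()
        try:
            os.symlink(target, os.path.join(tmp, "link"))
            reset(tmp)
        finally:
            os.unlink(os.path.join(tmp, "link"))
            os.rmdir(tmp)
        return stat.S_IMODE(os.stat(target).st_mode)

if __name__ == "__main__":
    print("vulnerable: %o" % run_scenario(vulnerable_reset_perms))  # 700
    print("hardened:   %o" % run_scenario(hardened_reset_perms))    # 644
```

Run on a POSIX system: the vulnerable walk changes the outside file to 0o700 through the link, while the hardened walk leaves it at 0o644.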

It is also recommended to restrict who can run privileged programs that use temporary directories, to follow security best practices, and to apply the Principle of Least Privilege when working with temporary directories.

Timeline

Published on: 03/19/2024 16:15:08 UTC
Last modified on: 05/01/2024 18:15:12 UTC