classification
Title: Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117)
Type: security
Stage: resolved
Components: Windows
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5
process
Status: closed
Resolution: fixed
Dependencies: (none)
Superseder: (none)
Assigned To: steve.dower
Nosy List: eryksun, izbyshev, larry, miss-islington, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Priority: critical
Keywords: patch, security_issue

Created on 2018-03-05 18:04 by steve.dower, last changed 2018-05-28 23:25 by steve.dower. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 5989 merged steve.dower, 2018-03-05 18:10
PR 5990 merged steve.dower, 2018-03-05 18:16
PR 5991 merged steve.dower, 2018-03-05 18:17
PR 5992 merged steve.dower, 2018-03-05 18:24
PR 5996 merged miss-islington, 2018-03-05 22:27
Messages (14)
msg313275 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-05 18:04
On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It will be patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker is able to influence the location where links are created. As os.symlink requires administrative privileges on most versions of Windows, exploits using this vulnerability are likely to achieve escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of each path argument is less than 260, and if the source is a relative path, that its combination with the destination is also shorter than 260 characters. That is:

    assert (len(src) < 260 and
            len(dest) < 260 and
            len(os.path.join(os.path.dirname(dest), src)) < 260)
    os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Also, scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation.

I will be requesting a CVE for this once the patches are applied to maintenance branches, and then notifying the security-announce list. The patch has been reviewed by the PSRT and reporter, and while it prevents the buffer overflow, it does not raise any new errors or enable the use of long paths when creating symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through developing the patch.
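The pre-fix mitigation from the message above (keep each argument, and the source joined onto the link's directory, below 260 characters) as a reusable helper. This is an added example, not code from the original report or from CPython. It measures paths with ntpath so the Windows join/dirname rules apply on any host, accepts str or bytes as os.symlink does, and refuses over-long arguments before the native call is reached. The function names, the 260 limit as a parameter and the sample paths are assumptions for illustration; the 129-segment pair is the reproducer posted later in this thread.

```python
import ntpath
import os

# Windows MAX_PATH. The mitigation in the report requires every measured
# length to be strictly below this value.
MAX_PATH = 260


def _as_text(path):
    """Accept str or bytes (os.symlink takes both) and return str for measuring."""
    return os.fsdecode(path) if isinstance(path, bytes) else path


def symlink_lengths(src, dst):
    """Return the three lengths the mitigation compares against MAX_PATH.

    'resolved' is src joined onto the directory part of dst, exactly as the
    assert in the report does it.  ntpath.join returns src unchanged when src
    is absolute, so the relative-vs-absolute case is handled implicitly.
    ntpath rather than os.path is used so Windows semantics apply everywhere.
    """
    s, d = _as_text(src), _as_text(dst)
    resolved = ntpath.join(ntpath.dirname(d), s)
    return {"src": len(s), "dst": len(d), "resolved": len(resolved)}


def symlink_args_fit(src, dst, limit=MAX_PATH):
    """True when every measured length is strictly below limit."""
    return all(n < limit for n in symlink_lengths(src, dst).values())


def safe_symlink(src, dst, target_is_directory=False, limit=MAX_PATH):
    """Validate lengths first; raise ValueError instead of passing over-long
    arguments to an unpatched os.symlink.  The filesystem is not touched
    when validation fails."""
    too_long = {k: v for k, v in symlink_lengths(src, dst).items() if v >= limit}
    if too_long:
        raise ValueError(f"symlink path length(s) >= {limit}: {too_long}")
    os.symlink(src, dst, target_is_directory=target_is_directory)


if __name__ == "__main__":
    # Constructed inputs: the crash reproducer from the thread (129 'x\' and
    # 129 'y\' segments, each argument 258 chars) and an ordinary short pair.
    crash_src, crash_dst = b"x\\" * 129, b"y\\" * 129
    print(symlink_lengths(crash_src, crash_dst))   # resolved length is 516
    print(symlink_args_fit(crash_src, crash_dst))  # False
    print(symlink_args_fit("target.txt", r"C:\links\link.txt"))  # True
```

Note that the reproducer passes the per-argument check (258 < 260) and is caught only by the third, combined length, which is why the report insists on checking the joined path and not just the two arguments.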
msg313279 - (view) Author: Alexey Izbyshev (izbyshev) * (Python triager) Date: 2018-03-05 19:06
While judging by the source code it seems that bytes in 3.5 should be fine, I've got a crash with the latest binary from python.org:

Python 3.5.4 (v3.5.4:3f56838, Aug  8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.symlink(b'x\\' * 129, b'y\\' * 129)
(Windows pop-up here)
msg313281 - (view) Author: Alexey Izbyshev (izbyshev) * (Python triager) Date: 2018-03-05 19:24
> As os.symlink requires administrative privileges on most versions of Windows

The current implementation requires SeCreateSymbolicLinkPrivilege on ALL versions of Windows because users must pass an additional flag to CreateSymbolicLink to enable non-privileged symlinks on recent Windows 10, which os.symlink() doesn't do (see #31512).
msg313282 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2018-03-05 19:46
>> As os.symlink requires administrative privileges on most versions 
>> of Windows
>
> The current implementation requires SeCreateSymbolicLinkPrivilege on 
> ALL versions of Windows because users must pass an additional flag to 
> CreateSymbolicLink to enable non-privileged symlinks on recent Windows
> 10, which os.symlink() doesn't do (see #31512).

The change in Windows 10 to allow unprivileged creation of links will be supported implicitly in 3.7, but this change is more for convenience than necessity. SeCreateSymbolicLinkPrivilege can be granted to standard users and groups. On my own systems, I grant this privilege to the "Authenticated Users" (S-1-5-11) well-known group. This even allows administrators to create symbolic links without having to elevate.
msg313291 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-05 22:26
New changeset 6921e73e33edc3c61bc2d78ed558eaa22a89a564 by Steve Dower in branch 'master':
bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
https://github.com/python/cpython/commit/6921e73e33edc3c61bc2d78ed558eaa22a89a564
msg313292 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-05 22:26
New changeset baa45079466eda1f5636a6d13f3a60c2c00fdcd3 by Steve Dower in branch '3.6':
[3.6] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (GH-5990)
https://github.com/python/cpython/commit/baa45079466eda1f5636a6d13f3a60c2c00fdcd3
msg313293 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-05 22:30
Patches are merged, except for the ones that belong to @Larry.

Thanks again Alexey for the final round of feedback!
msg313298 - (view) Author: miss-islington (miss-islington) Date: 2018-03-05 23:13
New changeset 96fdbacb7797a564249fd59ccf86ec153c4bb095 by Miss Islington (bot) in branch '3.7':
bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
https://github.com/python/cpython/commit/96fdbacb7797a564249fd59ccf86ec153c4bb095
msg313368 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-07 00:23
FYI, the CVE number for this issue is CVE-2018-1000117.
msg313398 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-03-07 20:44
FYI I added this vulnerability to:
http://python-security.readthedocs.io/vuln/cve-2018-1000117_buffer_overflow_vulnerability_in_os.symlink_on_windows.html
https://github.com/vstinner/python-security/commit/349588e8265099341801b20aa18f87a42176f7df
msg313415 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-03-08 02:06
Thanks, Victor!
msg316539 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2018-05-14 17:26
New changeset 77c02cdce2d7b8360771be35b7676a4977e070c1 by larryhastings (Steve Dower) in branch '3.4':
[3.4] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5992)
https://github.com/python/cpython/commit/77c02cdce2d7b8360771be35b7676a4977e070c1
msg316543 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2018-05-14 18:03
New changeset f381cfe07d15d52f27de771a62a8167668f0dd51 by larryhastings (Steve Dower) in branch '3.5':
[3.5] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5991)
https://github.com/python/cpython/commit/f381cfe07d15d52f27de771a62a8167668f0dd51
msg317958 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2018-05-28 23:25
Thanks Larry for merging the backports!
History
Date | User | Action | Args
2018-05-28 23:25:42 | steve.dower | set | status: open -> closed; resolution: fixed; messages: + msg317958; stage: patch review -> resolved
2018-05-14 18:03:20 | larry | set | messages: + msg316543
2018-05-14 17:26:46 | larry | set | messages: + msg316539
2018-03-08 02:06:53 | steve.dower | set | messages: + msg313415
2018-03-07 20:44:23 | vstinner | set | nosy: + vstinner; messages: + msg313398
2018-03-07 00:23:41 | steve.dower | set | messages: + msg313368; title: Buffer overflow vulnerability in os.symlink on Windows -> Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117)
2018-03-05 23:13:02 | miss-islington | set | nosy: + miss-islington; messages: + msg313298
2018-03-05 22:30:23 | steve.dower | set | nosy: + larry; messages: + msg313293
2018-03-05 22:27:19 | miss-islington | set | pull_requests: + pull_request5762
2018-03-05 22:26:30 | steve.dower | set | messages: + msg313292
2018-03-05 22:26:17 | steve.dower | set | messages: + msg313291
2018-03-05 19:46:11 | eryksun | set | nosy: + eryksun; messages: + msg313282
2018-03-05 19:24:41 | izbyshev | set | messages: + msg313281
2018-03-05 19:06:10 | izbyshev | set | messages: + msg313279
2018-03-05 18:24:32 | steve.dower | set | pull_requests: + pull_request5759
2018-03-05 18:17:10 | steve.dower | set | pull_requests: + pull_request5758
2018-03-05 18:16:17 | steve.dower | set | pull_requests: + pull_request5757
2018-03-05 18:10:03 | steve.dower | set | keywords: + patch; stage: patch review; pull_requests: + pull_request5756
2018-03-05 18:04:42 | steve.dower | create |