Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117)

[zooba]

BPO	33001
Nosy	@pfmoore, @vstinner, @larryhastings, @tjguk, @ned-deily, @zware, @eryksun, @zooba, @izbyshev, @miss-islington
PRs	bpo-33001: Minimal fix to prevent buffer overrun in os.symlink #5989 [3.6] bpo-33001: Minimal fix to prevent buffer overrun in os.symlink (GH-5989) #5990 [3.5] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) #5991 [3.4] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) #5992 [3.7] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) #5996

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/zooba'
closed_at = <Date 2018-05-28.23:25:42.844>
created_at = <Date 2018-03-05.18:04:42.615>
labels = ['type-security', '3.7', '3.8', 'OS-windows']
title = 'Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117)'
updated_at = <Date 2019-05-10.18:06:59.274>
user = 'https://github.com/zooba'

bugs.python.org fields:

activity = <Date 2019-05-10.18:06:59.274>
actor = 'ned.deily'
assignee = 'steve.dower'
closed = True
closed_date = <Date 2018-05-28.23:25:42.844>
closer = 'steve.dower'
components = ['Windows']
creation = <Date 2018-03-05.18:04:42.615>
creator = 'steve.dower'
dependencies = []
files = []
hgrepos = []
issue_num = 33001
keywords = ['patch', 'security_issue']
message_count = 14.0
messages = ['313275', '313279', '313281', '313282', '313291', '313292', '313293', '313298', '313368', '313398', '313415', '316539', '316543', '317958']
nosy_count = 10.0
nosy_names = ['paul.moore', 'vstinner', 'larry', 'tim.golden', 'ned.deily', 'zach.ware', 'eryksun', 'steve.dower', 'izbyshev', 'miss-islington']
pr_nums = ['5989', '5990', '5991', '5992', '5996']
priority = 'critical'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue33001'
versions = ['Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8']

[zooba]

On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It will be patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker is able to influence the location where links are created. As os.symlink requires administrative privileges on most versions of Windows, exploits using this vulnerability are likely to achieve escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of each path argument is less than 260, and if the source is a relative path, that its combination with the destination is also shorter than 260 characters. That is:

assert (len(src) < 260 and
        len(dest) < 260 and
        len(os.path.join(os.path.dirname(dest), src)) < 260)
os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Also, scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation.

I will be requesting a CVE for this once the patches are applied to maintenance branches, and then notifying the security-announce list. The patch has been reviewed by the PSRT and reporter, and while it prevents the buffer overflow, it does not raise any new errors or enable the use of long paths when creating symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through developing the patch.

[izbyshev]

While judging by the source code it seems that bytes in 3.5 should be fine, I've got a crash with the latest binary from python.org:

Python 3.5.4 (v3.5.4:3f56838, Aug  8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)]
 on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.symlink(b'x\\' * 129, b'y\\' * 129)
(Windows pop-up here)

[izbyshev]

As os.symlink requires administrative privileges on most versions of Windows

The current implementation requires SeCreateSymbolicLinkPrivilege on ALL versions of Windows because users must pass an additional flag to CreateSymbolicLink to enable non-privileged symlinks on recent Windows 10, which os.symlink() doesn't do (see bpo-31512).

[eryksun]

> As os.symlink requires administrative privileges on most versions
> of Windows

The current implementation requires SeCreateSymbolicLinkPrivilege on
ALL versions of Windows because users must pass an additional flag to
CreateSymbolicLink to enable non-privileged symlinks on recent Windows
10, which os.symlink() doesn't do (see bpo-31512).

The change in Windows 10 to allow unprivileged creation of links will be supported implicitly in 3.7, but this change is more for convenience than necessity. SeCreateSymbolicLinkPrivilege can be granted to standard users and groups. On my own systems, I grant this privilege to the "Authenticated Users" (S-1-5-11) well-known group. This even allows administrators to create symbolic links without having to elevate.

[zooba]

New changeset 6921e73 by Steve Dower in branch 'master':
bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
6921e73

[zooba]

New changeset baa4507 by Steve Dower in branch '3.6':
[3.6] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (GH-5990)
baa4507

[zooba]

Patches are merged, except for the ones that belong to @larry.

Thanks again Alexey for the final round of feedback!

[miss-islington]

New changeset 96fdbac by Miss Islington (bot) in branch '3.7':
bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
96fdbac

[zooba]

FYI, the CVE number for this issue is CVE-2018-1000117.