CVE-2023-6597 - Exploiting Python’s `tempfile.TemporaryDirectory` Symlink Cleanup Flaw

A security issue affecting CPython’s popular tempfile.TemporaryDirectory class was discovered and logged as CVE-2023-6597. This vulnerability is present in Python versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, 3.8.18, and all prior releases. If you rely on Python’s standard library for temporary file or directory management, it’s important to understand what’s at risk and how malicious users could potentially exploit this bug.

This post will break down the vulnerability in simple terms, show example code, and detail a basic exploit scenario.

What Is the Vulnerability?

The problem lies in how tempfile.TemporaryDirectory cleans up after itself. This class automatically deletes the temporary directory (and its contents) when it goes out of scope. If, however, deleting a file or directory in this temp directory fails because of permission issues, TemporaryDirectory tries to fix those permissions without checking if the file is a symbolic link first.

This means if someone manages to plant a symlink in your temp directory pointing to something important elsewhere on the system, TemporaryDirectory might accidentally change permissions on that file when it thinks it’s cleaning up after itself.

If users can run (or trick trusted code into running) privileged Python programs (e.g., running as root), they might be able to escalate privileges by abusing this flaw.

Example Scenario

Let’s say a web app running as root uses tempfile.TemporaryDirectory to handle uploads. An attacker manages to sneak in a symlink in the temp directory, pointing to /etc/shadow (a sensitive system file). When the Python program tries to remove files and hits a permission error, it tries to change the symlink’s target permissions, not the symlink itself. This can allow the attacker to modify critical system files—which is very, very bad.

Sample Exploit Code

Below is a simplified Python script that demonstrates the unsafe behavior. It’s for educational purposes ONLY—never run this as root on your own machine!

import os
import tempfile

# Let's simulate the presence of a protected file.
protected_file = "/tmp/protected_file"
with open(protected_file, "w") as f:
    f.write("super secret")
os.chmod(protected_file, o400)  # Read-only

with tempfile.TemporaryDirectory() as tmpdir:
    # Create a symlink in the temp dir pointing to the protected file.
    symlink_path = os.path.join(tmpdir, "exploit_link")
    os.symlink(protected_file, symlink_path)
    
    # Now, remove permissions from the symlink, simulating a permission error.
    os.chmod(symlink_path, )  # Not actually effective, just for illustration

    # When TemporaryDirectory cleans up, it may try to chmod the 'file'
    # But because it's a symlink, it modifies 'protected_file' permissions instead.

# After exiting, check the permission of the protected file
print("Protected file permissions:", oct(os.stat(protected_file).st_mode & o777))

On vulnerable Python versions, you might find that the permissions on /tmp/protected_file have changed unexpectedly—even though your code only touched the temp directory.

Official References

- NVD Entry: CVE-2023-6597
- Python Issue Tracker: GHSA-28xf-xj72-76hr
- Tempfile Source Code (GH)

Privilege escalation: Attackers could change permissions on files they normally can’t access.

- System compromise: If sensitive files like /etc/passwd or /etc/shadow become accessible, this can lead to full system takeover.

How Can I Protect My Code?

1. Upgrade Python: Make sure you’re using a patched Python version. Check python.org for the latest releases.

Run unprivileged: Don’t run Python apps as root unless absolutely necessary.

3. Scan your code: If you use tempfile.TemporaryDirectory, especially in privileged contexts, review your temp file handling.

Conclusion

CVE-2023-6597 is a classic example of how seemingly innocent library code can have dangerous side effects if not careful with symbolic links and file system permissions. If you use Python’s tempfile library with privileged applications, review your deployment immediately and follow best practices for updates and privilege separation.

References

- CVE-2023-6597 at NVD
- Python Security Advisory, GHSA-28xf-xj72-76hr
- Python Tempfile Documentation

Timeline

Published on: 03/19/2024 16:15:08 UTC
Last modified on: 05/01/2024 18:15:12 UTC