.. _buffer-overflow-os-symlink-windows:

Buffer overflow vulnerability in os.symlink on Windows
======================================================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2018-1000117>`_.

On February 27th, 2018, the Python Security Response team was notified
of a buffer overflow issue in the ``os.symlink()`` method on Windows. The
issue affects all versions of Python between 3.2 and 3.6.4, including
the 3.7 beta releases. It has been patched for the next releases of 3.4,
3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use ``os.symlink()`` on Windows and an
attacker is able to influence the location where links are created. As
os.symlink requires additional privileges, exploits using this
vulnerability are more likely to result in escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the
length of each path argument is less than 260, and if the source is a
relative path, that its combination with the destination is also shorter
than 260 characters. That is::

    assert (len(src) < 260 and
            len(dest) < 260 and
            len(os.path.join(os.path.dirname(dest), src)) < 260)
    os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True
are not vulnerable. Scripts on Python 3.5 that use bytes for paths are
not vulnerable, because of a combination of stack layout and added
parameter validation, but will still not behave correctly for long paths.

This vulnerability has been registered as CVE-2018-1000117, and patched
in the commits listed below. This patch prevents the buffer overflow,
but does not raise any new errors or enable the use of long paths when
creating symlinks.

Many thanks to **Alexey Izbyshev** for the report, and helping us work
through developing the patch.

Dates:

* Disclosure date: **2018-03-05** (Python issue bpo-33001 reported)
* Reported at: 2018-02-27 (email to the PSRT)
* Reported by: Alexey Izbyshev

Fixed In
--------

* Python **3.4.9** (2018-08-02) fixed by `commit 77c02cd (branch 3.4) <https://github.com/python/cpython/commit/77c02cdce2d7b8360771be35b7676a4977e070c1>`_ (2018-05-14)
* Python **3.5.6** (2018-08-02) fixed by `commit f381cfe (branch 3.5) <https://github.com/python/cpython/commit/f381cfe07d15d52f27de771a62a8167668f0dd51>`_ (2018-05-14)
* Python **3.6.5** (2018-03-28) fixed by `commit baa4507 (branch 3.6) <https://github.com/python/cpython/commit/baa45079466eda1f5636a6d13f3a60c2c00fdcd3>`_ (2018-03-05)
* Python **3.7.0** (2018-06-27) fixed by `commit 96fdbac (branch 3.7) <https://github.com/python/cpython/commit/96fdbacb7797a564249fd59ccf86ec153c4bb095>`_ (2018-03-05)

Python issue
------------

Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117).

* Python issue: `bpo-33001 <https://bugs.python.org/issue33001>`_
* Creation date: 2018-03-05
* Reporter: Steve Dower

CVE-2018-1000117
----------------

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

* CVE ID: `CVE-2018-1000117 <https://nvd.nist.gov/vuln/detail/CVE-2018-1000117/>`_
* Published: 2018-03-07
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 7.2

Timeline
--------

Timeline using the disclosure date **2018-03-05** as reference:

* 2018-02-27 (**-6 days**): Reported (email to the PSRT)
* 2018-03-05: `Python issue bpo-33001 <https://bugs.python.org/issue33001>`_ reported by Steve Dower
* 2018-03-05: `commit 96fdbac (branch 3.7) <https://github.com/python/cpython/commit/96fdbacb7797a564249fd59ccf86ec153c4bb095>`_
* 2018-03-05: `commit baa4507 (branch 3.6) <https://github.com/python/cpython/commit/baa45079466eda1f5636a6d13f3a60c2c00fdcd3>`_
* 2018-03-07 (**+2 days**): CVE-2018-1000117 published
* 2018-03-28 (**+23 days**): Python 3.6.5 released
* 2018-05-14 (**+70 days**): `commit 77c02cd (branch 3.4) <https://github.com/python/cpython/commit/77c02cdce2d7b8360771be35b7676a4977e070c1>`_
* 2018-05-14 (**+70 days**): `commit f381cfe (branch 3.5) <https://github.com/python/cpython/commit/f381cfe07d15d52f27de771a62a8167668f0dd51>`_
* 2018-06-27: Python 3.7.0 released
* 2018-08-02 (**+150 days**): Python 3.4.9 released
* 2018-08-02 (**+150 days**): Python 3.5.6 released

Links
-----

* https://mail.python.org/mm3/archives/list/security-announce@python.org/thread/PVSURQ2YCNZODILA3QE7ZF3GCD25EVVT/
* https://nvd.nist.gov/vuln/detail/CVE-2018-1000117/