CVE-2023-41105 PoC — Python code issue vulnerability

Source
Associated Vulnerability
Title: Python code issue vulnerability (CVE-2023-41105)
Description: An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
Description
Example of CVE-2023-41105
Readme
# Intro
Python 3.11 through 3.11.4 has a bug in `os.path.normpath()`: if the path contains a NUL byte (`\0`), everything from that byte onward is silently dropped, so the value returned is not the normalized form of the path that was passed in.

### What is `normpath()`?

The `os.path.normpath()` method normalizes the given path: redundant separators and up-level references are collapsed during normalization.
For example, `A//B`, `A/B/`, `A/./B` and `A/foo/../B` all normalize to `A/B`.
- [GeeksforGeeks](https://www.geeksforgeeks.org/python-os-path-normpath-method/)


# PoC
Let's break down `example.py` to understand what's what.

Import the built-in `os.path` module under the name `path`.
```python
from os import path
```

Normalize a path that consists of nothing but a single NUL byte:
```python
normalized_path = path.normpath('\0')
```

Print the result:
```python
print(normalized_path)
```

The output is:

![image](https://github.com/JawadPy/CVE-2023-41105-Exploit/assets/98477272/4f684e43-21e4-47bc-9184-b12d22d6d2e9)


Now, instead of a bare `\0`, pass `\0\images\anything.png` (note that in a regular Python string literal `\a` is the bell character and `\i` is not an escape sequence at all; only the leading NUL matters for the truncation):

![image](https://github.com/JawadPy/CVE-2023-41105-Exploit/assets/98477272/3e7bbae4-75c0-4e8f-8aa5-4de5e563f264)

Everything from the NUL byte onward is discarded, so the caller gets back a path that no longer contains the `images\anything.png` part it passed in, rather than a normalized version of it. This matters for web applications and similar code that validates a user-supplied path (extension allow-list, traversal check) and then trusts the result of `normpath()`: the string that was checked and the string that is actually used are no longer the same.
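As an added example (not part of the original PoC and not CPython's own code), the following Python shows the validate-then-normalize pattern that the truncation breaks next to a hardened resolver, plus a probe that reports whether the running interpreter truncates at NUL. `BASE_DIR`, `ALLOWED_SUFFIX`, `resolve_unsafe`, `resolve_safe` and `vulnerable_normpath` are assumed names; `vulnerable_normpath` is an emulation of the affected behaviour so the effect is reproducible on a fixed interpreter. It uses `posixpath` so the results are the same on every host OS.

```python
import os
import posixpath

# Assumed base directory and allow-listed suffix for this example
# (hypothetical; not taken from the original PoC).
BASE_DIR = "/srv/app/static"
ALLOWED_SUFFIX = ".png"


def normpath_truncates(normpath=os.path.normpath) -> bool:
    """Return True if normpath() drops everything from the first NUL byte.

    That is the CVE-2023-41105 behaviour of CPython 3.11.0 through 3.11.4;
    3.10 and earlier, and 3.11.5 and later, keep the NUL in the result.
    """
    return "\0" not in normpath("a/b\0/c")


def vulnerable_normpath(path: str) -> str:
    """Emulate the affected behaviour so the effect can be shown on a fixed
    interpreter: normalize the whole string, then cut the result at the first
    NUL. This is an emulation written for this example, not CPython's code."""
    normalized = posixpath.normpath(path)
    return normalized.split("\0", 1)[0] or "."


def resolve_unsafe(user_path: str, normpath=posixpath.normpath) -> str:
    """The pattern the bug breaks: validate the raw input, then normalize and
    use the result. A name with an embedded NUL followed by ".png" passes the
    suffix check, and a truncating normpath() then returns the part before
    the NUL, which was never checked."""
    if not user_path.endswith(ALLOWED_SUFFIX):
        raise ValueError("extension not allowed")
    full = normpath(posixpath.join(BASE_DIR, user_path))
    if not full.startswith(BASE_DIR + "/"):
        raise ValueError("path escapes base directory")
    return full


def resolve_safe(user_path: str, normpath=posixpath.normpath) -> str:
    """Hardened form: a NUL byte is never valid in a file name, so reject it
    before any path function sees it, and re-run every check on the string
    that will actually be opened rather than on the raw input."""
    if "\0" in user_path:
        raise ValueError("NUL byte in path")
    full = normpath(posixpath.join(BASE_DIR, user_path))
    if not full.startswith(BASE_DIR + "/"):
        raise ValueError("path escapes base directory")
    if not full.endswith(ALLOWED_SUFFIX):
        raise ValueError("extension not allowed")
    return full


def rejects(resolver, user_path: str, **kwargs) -> bool:
    """True if the resolver refuses user_path with ValueError."""
    try:
        resolver(user_path, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("this interpreter truncates at NUL:", normpath_truncates())
    payload = "secret.txt\0.png"  # constructed attacker input
    print("unsafe resolver on an affected interpreter ->",
          resolve_unsafe(payload, normpath=vulnerable_normpath))
    print("safe resolver ->",
          "rejected" if rejects(resolve_safe, payload) else "accepted")
```

The order of the checks in `resolve_safe` is the point: rejecting NUL first means no version-dependent path function ever sees it, and checking the suffix on the normalized path means the value validated is the value used.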

# Support
If you would like to support me with a donation, I recommend you give it to someone who really needs it. If you do so, then consider that I have earned your support.

<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
File Snapshot

[4.0K] /data/pocs/83871cfcaca5c7d0574b6210687926d9b0203f32
├── [ 101] example.py
└── [1.7K] README.md
0 directories, 2 files