Full Disclosure mailing list archives
python embedded program local arbitrary python script execution on windows
From: houjingyi <houjingyi647 () gmail com>
Date: Tue, 6 Apr 2021 15:57:23 +0800
environment: Windows 10, Python 3.8.7 installed to "C:\Program Files\Python38".

detail info: According to https://docs.python.org/3/c-api/init.html: "Py_SetPath() set the default module search path. If this function is called before Py_Initialize(), then Py_GetPath() won't attempt to compute a default search path but uses the one provided instead."

Write the following code, which only calls Py_Initialize():

    #include <iostream>
    #include <Python.h>
    #include <Windows.h>
    using namespace std;

    int main()
    {
        // No Py_SetPath() before this call, so the interpreter
        // computes its own default module search path.
        Py_Initialize();
    }

In Visual Studio, add "C:\Program Files\Python38\include" to AdditionalIncludeDirectories and add "C:\Program Files\Python38\libs\python38.lib" to AdditionalDependencies, then compile it to poc.exe. Copy "C:\Program Files\Python38\Lib" to "C:\Lib" and modify "C:\Lib\os.py" to execute any code we like. For example, we can add "import os" and add "os.system(notepad)" in the function "def _exists(name)". Now run poc.exe and it will start notepad.

impact: In my report I showed that a python embedded program may load "C:\Lib\os.py", which a lower privileged user can control. If this program runs as administrator then this may cause vertical privilege escalation: a low privileged user gets higher privilege. If this program does not run as administrator then this may cause vertical privilege escalation: a low privileged user can execute code as others (https://en.wikipedia.org/wiki/Privilege_escalation). In either case, the access control of the Windows system is broken.

notice: The report was sent to security () python org before and they suggested it can be reported publicly. Python issue I created: https://bugs.python.org/issue42902 It seems that they do not intend to fix this problem. I also uploaded a video using IDA Pro 7.5 as an example: https://www.youtube.com/watch?v=cv9Ye8UmfF4

Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
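The post's root cause is an embedding application that lets the interpreter compute its own module search path instead of setting one before Py_Initialize(). The following startup audit is an added example (not part of the post, the python.org issue, or CPython itself): it checks that every sys.path entry and the loaded stdlib "os" module sit under a trusted installation root, and flags anything else, such as the "C:\Lib" directory described above. The trusted root, the search-path entries and the os.py location in the sample are constructed for illustration and are not captured from a real system; the path class is parameterised so the Windows-style sample runs on any platform.

```python
"""Startup audit for an embedded CPython interpreter (added example).

Verifies that the module search path and the loaded stdlib ``os`` module
live under a trusted installation root, so a search path that was
computed (rather than set with Py_SetPath()/PyConfig) cannot silently
pull in a user-controlled directory such as C:\\Lib.
"""
import os
import sys
from pathlib import PurePosixPath, PureWindowsPath


def _is_under(path, root, path_cls):
    """True if path is root itself or lies beneath it.

    PureWindowsPath compares case-insensitively, matching NTFS semantics.
    """
    try:
        path_cls(path).relative_to(path_cls(root))
        return True
    except ValueError:
        return False


def untrusted_entries(search_path, trusted_roots, path_cls=PureWindowsPath):
    """Return the search-path entries that are outside every trusted root."""
    return [
        entry for entry in search_path
        if not any(_is_under(entry, root, path_cls) for root in trusted_roots)
    ]


def module_origin_ok(module_file, trusted_roots, path_cls=PureWindowsPath):
    """True if the module file was loaded from inside a trusted root."""
    return any(_is_under(module_file, root, path_cls) for root in trusted_roots)


def audit(search_path, os_module_file, trusted_roots, path_cls=PureWindowsPath):
    """Run both checks and return a report; 'ok' is False on any finding."""
    bad_entries = untrusted_entries(search_path, trusted_roots, path_cls)
    origin_ok = module_origin_ok(os_module_file, trusted_roots, path_cls)
    return {
        "ok": not bad_entries and origin_ok,
        "untrusted_entries": bad_entries,
        "os_module_file": os_module_file,
        "os_module_trusted": origin_ok,
    }


# Constructed sample (illustrative, not captured): a search path an
# interpreter might end up with in the post's scenario, where Python is
# installed in C:\Program Files\Python38 but a landmark was found in C:\Lib.
SAMPLE_TRUSTED_ROOTS = [r"C:\Program Files\Python38"]
SAMPLE_SEARCH_PATH = [
    r"C:\Lib",
    r"C:\Program Files\Python38\python38.zip",
    r"C:\Program Files\Python38\DLLs",
    r"C:\Program Files\Python38\lib",
    r"C:\Program Files\Python38",
]
SAMPLE_OS_FILE = r"C:\Lib\os.py"


def audit_live_interpreter():
    """Audit the interpreter executing this script (script dir will be flagged)."""
    path_cls = PureWindowsPath if os.name == "nt" else PurePosixPath
    # sys.base_prefix is the installation root even inside a virtualenv.
    roots = [sys.base_prefix, sys.prefix]
    return audit(list(sys.path), os.__file__, roots, path_cls)


if __name__ == "__main__":
    print("sample scenario:",
          audit(SAMPLE_SEARCH_PATH, SAMPLE_OS_FILE, SAMPLE_TRUSTED_ROOTS))
    print("this interpreter:", audit_live_interpreter())
```

On the constructed sample the report comes back with "ok": False, "C:\Lib" listed as untrusted, and os.py marked as loaded from outside the installation. The audit is a second line of defence: the primary mitigation for an embedding application is the one the post's own documentation quote describes, setting the search path explicitly (Py_SetPath(), or PyConfig.module_search_paths on newer releases) before Py_Initialize(), and keeping that installation directory unwritable to standard users.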