Full Disclosure mailing list archives

python embedded program local arbitrary python script execution on windows


From: houjingyi <houjingyi647 () gmail com>
Date: Tue, 6 Apr 2021 15:57:23 +0800

environment: windows 10, python3.8.7 installed to "C:\Program
Files\Python38".

detail info: According to https://docs.python.org/3/c-api/init.html:
"Py_SetPath() sets the default module search path. If this function is
called before Py_Initialize(), then Py_GetPath() won’t attempt to compute a
default search path but uses the one provided instead."
Write the following code, which only calls Py_Initialize() and never sets
a search path:

#include <iostream>
#include <Python.h>
#include <Windows.h>
using namespace std;

int main()
{
    // No Py_SetPath() (or PyConfig) call before this, so the interpreter
    // computes its own module search path and locates os.py by itself.
    Py_Initialize();
    return 0;
}

In Visual Studio, add "C:\Program Files\Python38\include" to
AdditionalIncludeDirectories and "C:\Program Files\Python38\libs\python38.lib"
to AdditionalDependencies, then compile it to poc.exe. Copy
"C:\Program Files\Python38\Lib" to "C:\Lib" and modify "C:\Lib\os.py" to
execute any code we like. For example, add "import os" and
"os.system("notepad")" inside the function "def _exists(name)". Now run
poc.exe: it starts notepad, because Py_Initialize() finds the standard
library in C:\Lib instead of the installation directory and executes our
modified os.py while importing it.
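The following is an added example, not code from the post or from CPython. The first part models, as I understand PC/getpathp.c in 3.8, the landmark search an unconfigured host triggers on Windows: starting in the executable's directory, the interpreter looks for Lib\os.py and walks one directory up on each miss until it hits the drive root, which is how a host under C:\Program Files\Foo ends up at C:\Lib. The model omits python38.zip, pyvenv.cfg and ._pth handling and runs against a constructed file set, so it needs no Python installation. The second part, compiled only when EMBED_PYTHON is defined (a macro chosen for this example), is a hardened host that pins home and module_search_paths through PyConfig before initialization, the PEP 587 form of the Py_SetPath() advice quoted from the docs above. The installation root and the Lib/DLLs layout are assumptions matching the standard Windows installer.

```cpp
#include <functional>
#include <string>
#include <vector>

// Build with -DEMBED_PYTHON (plus the include/lib settings used for poc.exe)
// to get the real embedding host; without it only the path model is compiled.
#ifdef EMBED_PYTHON
#include <Python.h>
#endif

static const std::wstring kLandmark = L"\\Lib\\os.py";

// Model of the landmark search CPython 3.8 performs on Windows when the host
// has not configured a module search path (PC/getpathp.c, search_for_prefix):
// starting in the executable's directory, test <dir>\Lib\os.py, then strip one
// component and try again until the drive root is reached. "C:" stands for the
// root of the drive here. Any probed location outside the real installation
// that a standard user can create is a hijack point.
std::vector<std::wstring> landmark_probes(std::wstring dir)
{
    std::vector<std::wstring> probes;
    while (!dir.empty() && dir.back() == L'\\')   // normalise "C:\" to "C:"
        dir.pop_back();
    for (;;) {
        probes.push_back(dir + kLandmark);
        size_t cut = dir.find_last_of(L'\\');
        if (cut == std::wstring::npos || cut < 2)  // nothing above "C:"
            break;
        dir.erase(cut);
    }
    return probes;
}

// The Lib directory the walk settles on, or L"" if no landmark was found.
// `exists` is a predicate so the walk can be run against a constructed file
// set instead of a real disk.
std::wstring find_stdlib_dir(const std::wstring& exe_dir,
                             const std::function<bool(const std::wstring&)>& exists)
{
    for (const std::wstring& probe : landmark_probes(exe_dir))
        if (exists(probe))
            return probe.substr(0, probe.size() - std::wstring(L"\\os.py").size());
    return L"";
}

// Constructed file set (not a real disk): the installer's os.py plus the copy
// a low-privileged user has placed in C:\Lib, as in the post.
static const std::vector<std::wstring> kDemoFiles = {
    L"C:\\Program Files\\Python38\\Lib\\os.py",
    L"C:\\Lib\\os.py",
};

std::wstring demo_stdlib_dir(const std::wstring& exe_dir)
{
    return find_stdlib_dir(exe_dir, [](const std::wstring& p) {
        for (const std::wstring& f : kDemoFiles)
            if (f == p) return true;
        return false;
    });
}

// Explicit search path for a pinned installation root. Assumes the layout of
// the standard Windows installer (Lib and DLLs directly under the root).
std::vector<std::wstring> pinned_search_paths(const std::wstring& home)
{
    return { home + L"\\Lib", home + L"\\DLLs" };
}

#ifdef EMBED_PYTHON
// Hardened host: set home and module_search_paths before initialization, so
// the interpreter never walks the filesystem looking for Lib\os.py. The
// isolated config also ignores PYTHONHOME/PYTHONPATH and other environment
// variables.
int run_hardened(const std::wstring& home)
{
    PyConfig config;
    PyConfig_InitIsolatedConfig(&config);

    PyStatus status = PyConfig_SetString(&config, &config.home, home.c_str());
    if (!PyStatus_Exception(status)) {
        config.module_search_paths_set = 1;   // use our list, do not compute one
        for (const std::wstring& p : pinned_search_paths(home)) {
            status = PyWideStringList_Append(&config.module_search_paths, p.c_str());
            if (PyStatus_Exception(status)) break;
        }
    }
    if (!PyStatus_Exception(status))
        status = Py_InitializeFromConfig(&config);
    PyConfig_Clear(&config);
    if (PyStatus_Exception(status))
        Py_ExitStatusException(status);       // prints the error and exits

    // Shows which os.py was loaded; with the pinned path it is never C:\Lib.
    PyRun_SimpleString("import os, sys; print(os.__file__); print(sys.path)");
    return Py_FinalizeEx();
}
#endif

int main()
{
#ifdef EMBED_PYTHON
    return run_hardened(L"C:\\Program Files\\Python38");
#else
    // Path model only: a host under C:\Program Files\Foo ends up in C:\Lib.
    return demo_stdlib_dir(L"C:\\Program Files\\Foo") == L"C:\\Lib" ? 0 : 1;
#endif
}
```

To check a real host, build with EMBED_PYTHON defined and the same include and library settings as poc.exe, place it under a directory such as C:\Program Files\Foo with the modified C:\Lib\os.py still present, and confirm that os.__file__ printed at startup points into the installation directory rather than C:\Lib. Pinning the path covers only the module search path: python38.dll itself is still located by the normal Windows DLL search order, which this change does not touch.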

impact: In my report I showed that a Python embedded program may load
"C:\Lib\os.py", which a lower-privileged user can control. If this program
runs as administrator, this may cause vertical privilege escalation: a
low-privileged user gains higher privilege. If this program does not run as
administrator, this may cause horizontal privilege escalation: a
low-privileged user can execute code as other users
(https://en.wikipedia.org/wiki/Privilege_escalation). In either case, the
access control of the Windows system is broken.

notice: The report was sent to security () python org before and they
suggested it can be reported publicly.

Python issue I created: https://bugs.python.org/issue42902
It seems that they do not intend to fix this problem.

I also uploaded a video using IDA Pro 7.5 as example :
https://www.youtube.com/watch?v=cv9Ye8UmfF4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
