New submission from houjingyi <houjingyi...@gmail.com>:

environment: windows 10, python3.8.7 installed to "C:\Program Files\Python38".

detail info: According to https://docs.python.org/3/c-api/init.html:
"Py_SetPath() set the default module search path. If this function is called 
before Py_Initialize(), then Py_GetPath() won’t attempt to compute a default 
search path but uses the one provided instead."
Write the following code that only calls Py_Initialize():

#include <iostream>
#include <Python.h>
#include <Windows.h>
using namespace std;
int main()
{
    Py_Initialize();
}

In Visual Studio, add "C:\Program Files\Python38\include" to 
AdditionalIncludeDirectories and add "C:\Program Files\Python38\libs\python38.lib" 
to AdditionalDependencies to compile it to poc.exe. Copy "C:\Program 
Files\Python38\Lib" to "C:\Lib" and modify "C:\Lib\os.py" to execute any code 
we like. For example, we can add "import os" and add "os.system(notepad)" in 
function "def _exists(name)". Now run poc.exe and it will create notepad. 

impact: In my report I showed that a Python embedded program may load 
"C:\Lib\os.py", which a lower privileged user can control. If this program runs as 
administrator then this may cause vertical privilege escalation, low privileged 
user gets higher privilege; if this program does not run as administrator then 
this may cause vertical privilege escalation, low privileged user can execute 
code as others (https://en.wikipedia.org/wiki/Privilege_escalation). In either 
case, the access control of the Windows system is broken.

notice: The report was sent to secur...@python.org before and they suggested it 
can be reported publicly.

----------
components: C API
messages: 384882
nosy: houjingyi233
priority: normal
severity: normal
status: open
title: a python embedded program may load "C:\Lib\os.py" on windows system
type: behavior
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42902>
_______________________________________
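
A defensive check for the situation described in this report, added here as an example (not part of the original message and not CPython code): it flags module search path entries that fall outside a trusted install directory, such as "C:\Lib". The function names, the sample path list and the trusted root are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on non-Windows hosts

# Constructed sample data (assumption): a search path as an embedded
# interpreter might report it, and the directory Python was installed to.
SAMPLE_SEARCH_PATH = [
    r"C:\Program Files\Python38\python38.zip",
    r"C:\Lib",
    r"C:\DLLs",
    r"c:\program files\python38\lib\site-packages",
    "",
]
TRUSTED_ROOTS = [r"C:\Program Files\Python38"]

def _norm(path):
    # Case-insensitive, separator-normalised form for comparison.
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(path, root):
    # commonpath compares whole components, so "Python38evil" is not
    # treated as being inside "Python38".
    try:
        return ntpath.commonpath([path, root]) == root
    except ValueError:  # paths on different drives
        return False

def audit_search_path(entries, trusted_roots):
    """Return (entry, reason) for every entry outside the trusted roots."""
    roots = [_norm(r) for r in trusted_roots]
    findings = []
    for entry in entries:
        if not ntpath.isabs(entry):
            findings.append((entry, "relative entry, resolved against the current directory"))
            continue
        norm = _norm(entry)
        if any(_is_under(norm, r) for r in roots):
            continue
        tail = ntpath.splitdrive(norm)[1].strip("\\")
        if tail and "\\" not in tail:
            reason = "top-level directory on the drive, outside the install"
        else:
            reason = "outside the trusted install roots"
        findings.append((entry, reason))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_search_path(SAMPLE_SEARCH_PATH, TRUSTED_ROOTS):
        print(f"{entry!r}: {reason}")
```

To audit a real process, pass it the contents of sys.path as seen inside the embedded interpreter.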