New submission from Gynvael Coldwind <[email protected]>:
Hi,
Installers I've tested:
Python 3.1.2 (signed Sunday, March 21, 2010 12:49:44 AM)
Python 2.7 (signed Sunday, July 04, 2010 7:23:45 AM)
It seems that Python's Windows installer doesn't correctly set permissions of
Python's directories, allowing any user on the system to create a file inside
these directories.
Using DLL Spoofing method (aka DLL Hijaking or Binary Planting) an unprivileged
user can create an arbitrary DLL file (e.g. named python31.dll imported by
python.exe) inside that directory, which will get loaded and it's code will get
executed when some other user launches any python or the interpreter itself
(i.e. this may lead to elevation of privileges).
This has been tested and proved to work.
Easiest way to check:
1. Install Python on Windows (with NTFS partition)
2. Create a user without any administrative permissions
3. Run a command shell in the context of that user
4. Type: echo.>c:\python31\python31.dll (the name of the directory and DLL file
may be different)
5. Run c:\python31\python.exe or any python script from any user
You should get the following message:
---------------------------
python.exe - Bad Image
---------------------------
c:\python31\python31.dll is either not designed to run on Windows or it
contains an error. Try installing the program again using the original
installation media or contact your system administrator or the software vendor
for support.
---------------------------
This proves that the created DLL file was (tried to be) loaded into the context
of the process.
Main directories ACLs:
C:\Users\test>cacls c:\python31
c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Users\test>cacls c:\python27
c:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
CREATOR OWNER:(OI)(CI)(IO)(ID)F
These directories SHOULD NOT allow Users to FILE_APPEND_DATA or FILE_WRITE_DATA.
Suggested fix:
The installer should make sure the FILE_APPEND_DATA and FILE_WRITE_DATA rights
are not present in any directories ACLs.
Attached: List of directories found to be insecure (i.e. everyone can create a
file there).
----------
components: Installation, Windows
files: Python_dir_list.txt
messages: 121947
nosy: Gynvael.Coldwind
priority: normal
severity: normal
status: open
title: Insecure Windows python directory permissions
type: security
versions: Python 2.7, Python 3.1
Added file: http://bugs.python.org/file19751/Python_dir_list.txt
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue10491>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
